-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0225
 Multiple security vulnerabilities have been identified in the Android OS
                              2 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Root Compromise                 -- Existing Account            
                      Access Confidential Data        -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-9515 CVE-2018-9514 CVE-2018-9513
                      CVE-2018-9511 CVE-2018-9510 CVE-2018-9509
                      CVE-2018-9508 CVE-2018-9507 CVE-2018-9506
                      CVE-2018-9505 CVE-2018-9504 CVE-2018-9503
                      CVE-2018-9502 CVE-2018-9501 CVE-2018-9499
                      CVE-2018-9498 CVE-2018-9497 CVE-2018-9496
                      CVE-2018-9493 CVE-2018-9492 CVE-2018-9491
                      CVE-2018-9490 CVE-2018-9476 CVE-2018-9473
                      CVE-2018-9452 CVE-2017-13283 
Member content until: Thursday, November  1 2018

OVERVIEW

        Multiple security vulnerabilities have been identified in the 
        Android operating system prior to the 2018-10-05 patch level. [1]


IMPACT

        Google has provided the following information about these 
        vulnerabilities:
        
        "Framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE          References      Type Severity     Updated AOSP versions
        CVE-2018-9490 A-111274046         EoP  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9491 A-111603051         RCE  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9492 A-111934948         EoP  High     8.0, 8.1, 9
        CVE-2018-9493 A-111085900         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9452 A-78464361          DoS  Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        Media framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9473 A-65484460  RCE  Critical 8.0
        CVE-2018-9496 A-110769924 RCE  Critical 9
        CVE-2018-9497 A-74078669  RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9498 A-78354855  RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1
        CVE-2018-9499 A-79218474  ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        System
        
        The most severe vulnerability in this section could enable a proximate attacker
        to execute arbitrary code within the context of a privileged process.
        
             CVE           References      Type Severity     Updated AOSP versions
        CVE-2017-13283 A-78526423          RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9476  A-109699112         EoP  Critical 8.0, 8.1
        CVE-2018-9504  A-110216176         RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9501  A-110034419         EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9502  A-111936792         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9503  A-80432928 	   ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9505  A-110791536         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9506  A-111803925         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9507  A-111893951         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9508  A-111936834         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        CVE-2018-9509  A-111937027         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9510  A-111937065         ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9511  A-111650288         DoS  High     9
        
        Kernel components
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE       References  Type Severity Component
        CVE-2018-9513 A-111081202  EoP  High     Fork
        CVE-2018-9514 A-111642636  EoP  High     sdcardfs
        CVE-2018-9515 A-111641492  EoP  High     sdcardfs
        " [1]


MITIGATION

        Android users are advised to update to the latest applicable
        version to address these vulnerabilities. [1]
        
        Google advises that they have had no reports of active customer 
        exploitation or abuse of these newly-reported issues. [1]


REFERENCES

        [1] Android Security Bulletin—October 2018
            https://source.android.com/security/bulletin/2018-10-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7Lm62aOgq3Tt24GAQj7JA//RJpekhFFD18Dz6x+mGZSVKrLEyIpyxud
24SWMBVIfPmnNloJ63UEfL+Pwqdu//mgi1A3ECSQSS+nS65yGv7xHHtvTO2vC8f2
xVhtvyFOmQ/ouQLhZd/CYpNhvWe7pLYSmyqTkJFTTNkcu+LJnl7FPKCQlRCA6J6r
kgYNYCPcyMFix5VhyPF9wJUAhe6CaRU3WiFikKrGDe2rhlZ0vxOPZaIH0xAD3VOv
fVRYICSMc8EnDrpPpwkK+lRIljMLTZSN523WG0qbvzQsamcxbCflG/OxMVIPWAV3
RyNtJ92njsLrcSjEruSqYv9lSMbGRM10IydzV+yH2RD4YDNsXMGeCuCJYWgJs6jR
vIPBt40nUF7Ol72iq2Am2MboS1X/n2xv6iPK/eBC52AsYlxEuX28SWjd+lPCQhYH
6TojU8pvH+pKl/IcAoExqiniBhATeZl4Fn5KoWdqbAPzmFjbxkYrsVAuT32HfF4s
3refQtBBtxItD/4ztkj19FX5UBuvG6M9Y9e8m90ud3PUAIFKzapfSbbm9Bhqd1S5
0d8K3FThcJpA5eSZtPZ6XuVvJOcUbXgV14hceQ/uAw/jvENSlyQHfaxGydQeJKtO
cK5N1sqX9bPNlr3o0ALlXG/U7NKs0JbUcVAYAqT5coUEdKjipw/N8sMp5xuy3h2R
HzXSRe+WbAw=
=sDe0
-----END PGP SIGNATURE-----