Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0225 Multiple security vulnerabilities have been identified in the Android OS 2 October 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Android devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Root Compromise -- Existing Account Access Confidential Data -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-9515 CVE-2018-9514 CVE-2018-9513 CVE-2018-9511 CVE-2018-9510 CVE-2018-9509 CVE-2018-9508 CVE-2018-9507 CVE-2018-9506 CVE-2018-9505 CVE-2018-9504 CVE-2018-9503 CVE-2018-9502 CVE-2018-9501 CVE-2018-9499 CVE-2018-9498 CVE-2018-9497 CVE-2018-9496 CVE-2018-9493 CVE-2018-9492 CVE-2018-9491 CVE-2018-9490 CVE-2018-9476 CVE-2018-9473 CVE-2018-9452 CVE-2017-13283 Member content until: Thursday, November 1 2018 OVERVIEW Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-10-05 patch level. [1] IMPACT Google has provided the following information about these vulnerabilities: "Framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9490 A-111274046 EoP Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9491 A-111603051 RCE High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9492 A-111934948 EoP High 8.0, 8.1, 9 CVE-2018-9493 A-111085900 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9452 A-78464361 DoS Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 Media framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9473 A-65484460 RCE Critical 8.0 CVE-2018-9496 A-110769924 RCE Critical 9 CVE-2018-9497 A-74078669 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9498 A-78354855 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9499 A-79218474 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 System The most severe vulnerability in this section could enable a proximate attacker to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2017-13283 A-78526423 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9476 A-109699112 EoP Critical 8.0, 8.1 CVE-2018-9504 A-110216176 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9501 A-110034419 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9502 A-111936792 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9503 A-80432928 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9505 A-110791536 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9506 A-111803925 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9507 A-111893951 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9508 A-111936834 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9509 A-111937027 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9510 A-111937065 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9511 A-111650288 DoS High 9 Kernel components The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-9513 A-111081202 EoP High Fork CVE-2018-9514 A-111642636 EoP High sdcardfs CVE-2018-9515 A-111641492 EoP High sdcardfs " [1] MITIGATION Android users are advised to update to the latest applicable version to address these vulnerabilities. [1] Google advises that they have had no reports of active customer exploitation or abuse of these newly-reported issues. [1] REFERENCES [1] Android Security Bulletin—October 2018 https://source.android.com/security/bulletin/2018-10-01.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW7Lm62aOgq3Tt24GAQj7JA//RJpekhFFD18Dz6x+mGZSVKrLEyIpyxud 24SWMBVIfPmnNloJ63UEfL+Pwqdu//mgi1A3ECSQSS+nS65yGv7xHHtvTO2vC8f2 xVhtvyFOmQ/ouQLhZd/CYpNhvWe7pLYSmyqTkJFTTNkcu+LJnl7FPKCQlRCA6J6r kgYNYCPcyMFix5VhyPF9wJUAhe6CaRU3WiFikKrGDe2rhlZ0vxOPZaIH0xAD3VOv fVRYICSMc8EnDrpPpwkK+lRIljMLTZSN523WG0qbvzQsamcxbCflG/OxMVIPWAV3 RyNtJ92njsLrcSjEruSqYv9lSMbGRM10IydzV+yH2RD4YDNsXMGeCuCJYWgJs6jR vIPBt40nUF7Ol72iq2Am2MboS1X/n2xv6iPK/eBC52AsYlxEuX28SWjd+lPCQhYH 6TojU8pvH+pKl/IcAoExqiniBhATeZl4Fn5KoWdqbAPzmFjbxkYrsVAuT32HfF4s 3refQtBBtxItD/4ztkj19FX5UBuvG6M9Y9e8m90ud3PUAIFKzapfSbbm9Bhqd1S5 0d8K3FThcJpA5eSZtPZ6XuVvJOcUbXgV14hceQ/uAw/jvENSlyQHfaxGydQeJKtO cK5N1sqX9bPNlr3o0ALlXG/U7NKs0JbUcVAYAqT5coUEdKjipw/N8sMp5xuy3h2R HzXSRe+WbAw= =sDe0 -----END PGP SIGNATURE-----