Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2019.0002 Android Security Bulletin - January 2019 8 January 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Android devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Existing Account Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-18281 CVE-2018-17182 CVE-2018-13889 CVE-2018-13888 CVE-2018-13405 CVE-2018-12014 CVE-2018-11962 CVE-2018-11888 CVE-2018-11847 CVE-2018-10882 CVE-2018-10880 CVE-2018-10877 CVE-2018-10876 CVE-2018-9594 CVE-2018-9593 CVE-2018-9592 CVE-2018-9591 CVE-2018-9590 CVE-2018-9589 CVE-2018-9588 CVE-2018-9587 CVE-2018-9586 CVE-2018-9585 CVE-2018-9584 CVE-2018-9583 CVE-2018-9582 CVE-2018-6241 Member content until: Thursday, February 7 2019 OVERVIEW Multiple security vulnerabilities have been identified in the Android operating system prior to the 2019-01-05 patch level. [1] IMPACT Google has provided the following information about these vulnerabilities: "Framework The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Updated AOSP versions CVE-2018-9582 A-112031362 EoP High 8.0, 8.1, 9 System The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9583 A-112860487 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9584 A-114047681 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9585 A-117554809 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9586 A-116754444 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9587 A-113597344 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9588 A-111450156 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9589 A-111893132 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9590 A-115900043 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9591 A-116108738 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9592 A-116319076 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9593 A-116722267 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9594 A-116791157 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-10876 A-116406122 Upstream kernel EoP High ext4 filesystem CVE-2018-10880 A-116406509 Upstream kernel EoP High ext4 filesystem CVE-2018-10882 A-116406626 Upstream kernel EoP High ext4 filesystem CVE-2018-13405 A-113452403 Upstream kernel EoP High Filesystem CVE-2018-18281 A-118836219 Upstream kernel EoP High TLB CVE-2018-17182 A-117280327 Upstream kernel EoP High Memory Manager CVE-2018-10877 A-116406625 Upstream kernel ID High ext4 filesystem NVIDIA components The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-6241 A-62540032 EoP High Dragon BSP Qualcomm components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2018-11962 A-117118292 QC-CR#2267916 N/A High Audio CVE-2018-12014 A-117118062 QC-CR#2278688 N/A High Data HLOS - LNX CVE-2018-13889 A-117118677 QC-CR#2288358 N/A High GPS Qualcomm closed-source components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2018-11847 A-111092812* N/A Critical Closed-source component CVE-2018-11888 A-111093241* N/A High Closed-source component CVE-2018-13888 A-117119136* N/A High Closed-source component " [1] MITIGATION Android users are advised to update to the latest release available to address these vulnerabilities. [1] REFERENCES [1] Android Security Bulletin - January 2019 https://source.android.com/security/bulletin/2019-01-01.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXDQdiGaOgq3Tt24GAQgRuQ/+Mm1deOaXGzQqLCkADpYTh3Uy1X8hBIby 5wyNQO2OlMeqhSk2VEtYBPJ60AcbjPRwf6vyBmMG+VHBzRV8XHcOrlUZNEUMZ0n5 M8WJff3s9vQc974Fsc7E3fseY9LnwcmPBHLMSd9aA8ZZZl5B/jCG8jQXswZSg2pI c5NrIMnZnV+bjaXOhlCKzHUE71v10O6iLjwdV7lJXJ8UIJWRlP6lzy01mAqx6n9J 303qt5ovRVmSlTpMnAFCA/KEcrT5v3C35rXecHxV8CGj9FiDhY//LknuDQ63+Ovs LCTfptxN4JkS1PAGcyJsVR/hVN9rjTgORtSsdvj59k9uFy/77WBXaxhGL7NOrtBm /1Le1M7mok7oO9wYq3+2epRXfQttRz/gvRYLBfJf1+3AYLC8+e+epkstZpQGBWXK U5Y3gLkVL3eGBvlUxuKgeKBGr2yHyz2xibnuCbK+wmrbezz3UnNvooP1tU4Dlrlk m2wRMUUYh40/p9X/Urd4IS4gebCop+0q9dAuQE5MhM1qAvNYvqh2Fjyl1HJmnI6t AjtOgZJ0ONsJF1EU7rkWrOQXcAEYFIudgB+AZ3UcUCxZOBBNkjozpCg9/HAuih3J UkPZhUtq2xx8N2Dz8iMcO0iEe3S81FcAmbLVzutxuaBvaBUeF6GPC+wdZtLaWVtz ZLcNoUhCzyQ= =sJxs -----END PGP SIGNATURE-----