Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0135
Android Security Bulletin - May 2019
7 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-2259 CVE-2019-2257 CVE-2019-2256
CVE-2019-2255 CVE-2019-2054 CVE-2019-2053
CVE-2019-2052 CVE-2019-2051 CVE-2019-2050
CVE-2019-2049 CVE-2019-2047 CVE-2019-2046
CVE-2019-2045 CVE-2019-2044 CVE-2019-2043
CVE-2018-19860 CVE-2018-13919 CVE-2018-13911
CVE-2018-13910 CVE-2018-13909 CVE-2018-13908
CVE-2018-13907 CVE-2018-13906 CVE-2018-13902
CVE-2018-13901 CVE-2018-13898 CVE-2018-11955
CVE-2018-6243 CVE-2018-5913 CVE-2018-5912
Member content until: Thursday, June 6 2019
Reference: ASB-2018.0295
ASB-2018.0277
OVERVIEW
Multiple security vulnerabilities have been identified in the
Android operating system prior to the 2019-05-05 patch level. [1]
IMPACT
Google has provided the following information about these
vulnerabilities:
"The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2019-05-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check and update your Android version .
Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.
The most severe of these issues is a critical security vulnerability in Media
framework that could enable a remote attacker using a specially crafted file to
execute arbitrary code within the context of a privileged process. The severity
assessment is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully
bypassed.
We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the Android and Google Play Protect mitigations
section for details on the Android security platform protections and Google
Play Protect, which improve the security of the Android platform.
Note: Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the May 2019 Pixel Update Bulletin .
Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform
and service protections such as Google Play Protect . These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.
o Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all
users to update to the latest version of Android where possible.
o The Android security team actively monitors for abuse through Google Play
Protect and warns users about Potentially Harmful Applications . Google
Play Protect is enabled by default on devices with Google Mobile Services ,
and is especially important for users who install apps from outside of
Google Play.
2019-05-01 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2019-05-01 patch level. Vulnerabilities are
grouped under the component they affect. There is a description of the issue
and a table with the CVE, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Framework
The vulnerability in this section could enable a local malicious application to
bypass user interaction requirements in order to gain access to additional
permissions.
CVE References Type Severity Updated AOSP versions
CVE-2019-2043 A-120484087 EoP Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
Media framework
The vulnerability in this section could enable a remote attacker using a
specially crafted file to execute arbitrary code within the context of a
privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2019-2044 A-123701862 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
System
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted PAC file to execute arbitrary code within the context
of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2019-2045 A-117554758 RCE Critical 7.0, 7.1.1, 7.1.2, 8.1, 9
CVE-2019-2046 A-117556220 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
CVE-2019-2047 A-117607414 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
CVE-2019-2049 A-120445479 EoP High 9
CVE-2019-2050 A-121327323 EoP High 8.0, 8.1, 9
CVE-2019-2051 A-117555811 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
CVE-2019-2052 A-117556606 ID High 7.0, 7.1.1, 7.1.2, 8.1, 9
CVE-2019-2053 A-122074159 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
2019-05-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2019-05-05 patch level. Vulnerabilities are
grouped under the component they affect and include details such as the CVE,
associated references, type of vulnerability , severity , component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Kernel components
The vulnerability in this section could enable a local attacker to escalate
privileges with no additional execution privileges needed within the context of
a privileged process.
CVE References Type Severity Component
CVE-2019-2054 A-119769499 * EoP Moderate seccomp
NVIDIA components
The vulnerability in this section could enable a local attacker to escalate
privileges (with additional execution privileges needed) and execute arbitrary
code within the context of a privileged process.
CVE References Type Severity Component
CVE-2018-6243 A-72315075 * EoP High Pixel C TrustZone
Broadcom components
The vulnerability in this section could enable a remote attacker using a
specially crafted transmission to execute code within the context of a
privileged process.
CVE References Type Severity Component
CVE-2018-19860 A-122249979 * RCE High Bluetooth firmware
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of these issues is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2018-11955 A-78528839 N/A High WLAN driver
QC-CR#2249768
CVE-2018-13919 A-120486022 N/A High Data HLOS - LNX
QC-CR#2289598
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.
CVE References Type Severity Component
CVE-2018-5912 A-114074547 * N/A Critical Closed-source component
CVE-2018-13898 A-119050181 * N/A Critical Closed-source component
CVE-2019-2255 A-122474428 * N/A Critical Closed-source component
CVE-2019-2256 A-114067283 * N/A Critical Closed-source component
CVE-2018-13901 A-119049466 * N/A High Closed-source component
CVE-2018-13902 A-119050073 * N/A High Closed-source component
CVE-2018-13906 A-119049388 * N/A High Closed-source component
CVE-2018-13907 A-119050001 * N/A High Closed-source component
CVE-2018-13908 A-119049623 * N/A High Closed-source component
CVE-2018-13909 A-119051002 * N/A High Closed-source component
CVE-2018-13910 A-119050182 * N/A High Closed-source component
CVE-2018-13911 A-119052037 * N/A High Closed-source component
CVE-2018-5913 A-122472140 * N/A High Closed-source component
CVE-2019-2257 A-112303441 * N/A High Closed-source component
CVE-2019-2259 A-123997497 * N/A High Closed-source component
Common questions and answers
This section answers common questions that may occur after reading this
bulletin.
1. How do I determine if my device is updated to address these issues
To learn how to check a device's security patch level, see Check and update
your Android version .
o Security patch levels of 2019-05-01 or later address all issues associated
with the 2019-05-01 security patch level.
o Security patch levels of 2019-05-05 or later address all issues associated
with the 2019-05-05 security patch level and all previous patch levels.
Device manufacturers that include these updates should set the patch string
level to:
o [ro.build.version.security_patch]:[2019-05-01]
o [ro.build.version.security_patch]:[2019-05-05]
2. Why does this bulletin have two security patch levels
This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.
o Devices that use the 2019-05-01 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins.
o Devices that use the security patch level of 2019-05-05 or newer must
include all applicable patches in this (and previous) security bulletins.
Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.
3. What do the entries in the Type column mean
Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
4. What do the entries in the References column mean
Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.
Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number
5. What does a * next to the Android bug ID in the References column mean
Issues that are not publicly available have a * next to the Android bug ID in
the References column. The update for that issue is generally contained in the
latest binary drivers for Pixel devices available from the Google Developer
site .
6. Why are security vulnerabilities split between this bulletin and device&
hairsp;/ partner security bulletins, such as the Pixel bulletin
Security vulnerabilities that are documented in this security bulletin are
required to declare the latest security patch level on Android devices.
Additional security vulnerabilities that are documented in the device and
partner security bulletins are not required for declaring a security
patch level. Android device and chipset manufacturers are encouraged to
document the presence of other fixes on their devices through their own
security websites, such as the Samsung , LGE , or Pixel security bulletins."
MITIGATION
Android users are advised to update to the latest release available
to address these vulnerabilities. [1]
REFERENCES
[1] Android Security Bulletin - May 2019
https://source.android.com/security/bulletin/2019-05-01.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXNEZ+WaOgq3Tt24GAQiPgRAAqXFfYCAf5B8kYks0B0m1auvPJzEcJRsc
dJkgXXxFsIB7BDzjFnUKMig6V64du8TAKpFxwXqRsC+4kLF5529MA2KDQmQeX0G0
SjcB+iF/MwIeJJSyrcxFwdH1k+EJJGJpXS54Qi9yBfZCC9+UTCkPuO55/gbcqmwl
5IgxnQZL9rsZVCzqIqouwrVfqCxUHA1B4XJc/7pPiLtf96jVBH4PXDSqXijU+JFK
vlWUD6q/rlHYp7pYESoAwWVyVXGcjWCfO7en9v6koYroWBf/nKSYeGGYJZI7YcwG
7zfv0ckTN8S2MYadVET8xbM3RekGnwUxkNFpo8VVme4O8P73rqbG5RxwbbnuL/4L
qfJYbAm4tsYS1RyhMrt/FgiRHIQUNGndTloQS/QLTOrg20g83wbXNeh+E2MKErFe
ULeehXxkwXWhn6Z1OIHH1D7T6JUtnB/HK+joe2dXYsXSTKn6Gx7PqQ2AmOGwBMcm
y04joc3abNxVHo+eVB2sQ3innzItE2wwgq+e8pD/3yGrKcCb9iZMUtaibm+g7LL5
RVLnhcssa4Th+Xv7PulnQuxEZ0n/mxg2aFrL3he/rUUgQaSjLslPiYtye89ympMa
Kjga1ZtAcH0Yb2iOowBHJDZxjXq43exNDpfGIrBmWW2r4RGzF45uObv4FjzaWoBE
Xf+rwEuim4A=
=C9/U
-----END PGP SIGNATURE-----