Security

Android Security Bulletin April 2018: What you need to know

Qualcomm components were inundated with security issues in this month's Android Security bulletin. Here's the highlights.

Image: Jack Wallen

Critical issues come back into the limelight in April. Although still significantly lower than a year ago, the April Android Security bulletin includes a number of such issues. From last month's 11 vulnerabilities marked Critical, we're looking at 16 (many of which fall in the lap of Qualcomm components). But it's a record number of Qualcomm component High issues that will seriously raise your eyebrows. Let's take a look at the highlights from this month's Android Security Bulletin.

Before we dive into what's included with this month's bulletin, it's always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (April 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).

Figure A

Figure A

Essential PH-1 with an up-to-date security patch.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

SEE: Information security incident reporting policy (Tech Pro Research)

2018-04-01 security patch level

Critical Issues

There are seven issues marked Critical for 04-01, two of which affect the media framework and five which affect the System. (Are you sensing a pattern in these bulletins?) Let's take a look at the media framework issues.

The two Critical vulnerabilities found in the Media Framework are both of type RCE and could enable a remote attack, using a malicious file, to execute arbitrary code within the context of a privileged process. The related issues are (listed as Common Vulnerability and Exposure) are:

The next Critical issues all affect the System. These issues have been marked Critical because they could enable a remote attack, using a malicious file, to execute arbitrary code within the context of a privileged process. The related issues are (listed as Common Vulnerability, Exposure, and Type):

High Issues

There are a few High issues of note. The first is an EoP issue, affecting the Android runtime, that could enable a remote attack that could bypass user interaction requirements and gain access to additional permissions. The related issue is (listed as Common Vulnerability and Exposure):

The next High issue affects the Framework (not to be mistaken for the Media Framework) and could enable an installed malicious application to bypass system protections which isolate application data from other applications. The related issue is of type ID and is (listed as Common Vulnerability and Exposure):

And we're back to the Media Framework. There are three High issues, each of which could enable a remote attack, using a malicious file, to execute arbitrary code within the context of a privileged process. The related issues are (listed as Common Vulnerability, Exposure, and Type):

Next we have the System, which was hit by numerous issues marked High. Each of these vulnerabilities could enable a remote attack, using a malicious file, with the ability to execute arbitrary code within the context of a privileged process. The related issues are (listed as Common Vulnerability, Exposure, and Type):

2018-04-05 security patch level

Critical Issues

Outside of Qualcomm components, there was only one issue marked Critical. That issue affects the Broadcom bcmdhd driver and could enable a proximate attack, using a malicious file, which would allow the execution of arbitrary code within the context of a privileged process. The related issue is (listed as Common Vulnerability, Exposure, Broadcom reference, and Type):

  • CVE-2017-13292 A-70722061* B-V2018010201 RCE

And now we have the Qualcomm component issues. There are a number of issues, one of which is open sourced and the other are all found in closed source components. The open sourced component was found to have a Critical issue that could enable a proximate attack, using a malicious file, which would allow the execution of arbitrary code within the context of a privileged process. The related issue is (listed as Common Vulnerability, Exposure, Qualcomm reference, Type, and Component):

The closed source Qualcomm components were found to have six Critical issues, details of which can only be found in the Qualcomm AMSS security bulletin. The related issues are:

  • CVE-2017-18071 A-68326813* N/A Critical Closed-source component
  • CVE-2017-8274 A-68141335* N/A Critical Closed-source component
  • CVE-2017-18146 A-70221449* N/A Critical Closed-source component
  • CVE-2017-18128 A-70221448* N/A Critical Closed-source component
  • CVE-2018-3592 A-71501105* N/A Critical Closed-source component
  • CVE-2018-3591 A-71501103* N/A Critical Closed-source component

High Issues

The Kernel was also hit with three issues marked High. These issues could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. The related issues are (listed as Common Vulnerability, Exposure, Type, and Component):

  • CVE-2017-13293 A-62679701* EoP NFC driver
  • CVE-2017-5754 A-69856074* ID Memory mapping
  • CVE-2017-16534 A-69052594 ID USB

The Kernel wasn't the only piece of the puzzle hit with vulnerabilities marked High. There are a significant number of issues found in both open and closed source Qualcomm components. In fact, there were over 100 issues marked High, for Qualcomm components. To read the complete list of these issues, make sure to check out the full details of the April Android Security Bulletin.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.

Also See

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox