Android Security Bulletin April 2019: What you need to know

in Security on April 30, 2019, 8:48 AM PST

Another month is here and Android finds itself with a mixture of critical and high vulnerabilities.

It's a Qualcomm kinda month for the Android Security Bulletin, with the majority of issues falling into the hands of the chip maker. Qualcomm components alone hold more than fifty vulnerabilities marked "high" in this month's security bulletin. If you like to keep watch on the security of the Android platform you will certainly want to know what's happening in the April Security Bulletin.

More about cybersecurity

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 2 (not recommended to be used by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (April 5, 2018).

SEE: Windows 10 security: A guide for business leaders (Tech Pro Research)

To find out what patch level you are running, open Settings and go to About Phone. If you use Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.

Figure A: The most recent security patch found on Android Q Beta 2.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

RCE—Remote code execution
EoP—Elevation of privilege
ID—Information disclosure
DoS—Denial of service

And now, onto the issues.

04/01/2019 Security Patch Level

Critical issues

There are only two issues marked critical in the 04/01/2019 patch level. Both of these issues were found in the media framework and are marked as such due to the ability of a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE, Reference, and Type):

CVE-2019-2027A-119120561 RCE
CVE-2019-2028A-120644655 RCE

High issues

The first issue marked high was found with the framework and was marked as such due to the ability of a local attacker to gain additional permissions, which would bypass user interaction. The related bug is (listed by CVE, Reference, and Type):

CVE-2019-2026 A-120866126 EoP

Next, we find eight issues marked high in the system. These bugs were marked high because it could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

CVE-2019-2030A-119496789 EoP
CVE-2019-2031 A-120502559 EoP
CVE-2019-2033A-121327565 EoP
CVE-2019-2034A-122035770 EoP
CVE-2019-2035A-122320256 EoP
CVE-2019-2038A-121259048 ID
CVE-2019-2039A-121260197 ID
CVE-2019-2040A-122316913 ID

And that's it for the 04/01/2019 security patch level.

04/05/2019 Security Patch Level

Critical issues

There are eight critical issues found in the 04/05/2019 security patch. The first issue is found in the system and is marked high as it could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bug is (listed by CVE, Reference, and Type):

CVE-2019-2029A-120612744 RCE

Our next critical issue in one of the Qualcomm open source components. The details for this issue can be found in the April Qualcomm Security Bulletin. The related bug is (listed by CVE, Reference, Qualcomm Reference, and Component):

CVE-2018-11940 A-79377832 QC-CR#2254946 WLAN HOST

There were six issues marked critical found in Qualcomm closed-source components. Again, the details for these issues can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):

CVE-2018-11271 A-120487384
CVE-2018-11976 A-117119000
CVE-2018-12004 A-117118976
CVE-2018-13886 A-117118295
CVE-2018-13887 A-117119172
CVE-2019-2250 A-122473270

High issues

With more than fifty vulnerabilities between both open- and closed-source components, Qualcomm chips found themselves in a most undesirable spotlight.

But Qualcomm wasn't the only victim. The Android system is listed with three issues marked high. These bugs were marked as such because it could enable a remote attacker using a malicious file to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

CVE-2019-2032A-121145627 EoP
CVE-2019-2041A-122034690 EoP
CVE-2019-2037A-119870451 ID

And now, the first batch of Qualcomm issues. Here is the list of issues that affect open-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE, Reference, Qualcomm Reference, and Component):

CVE-2017-17772 A-72957385 QC-CR#2153003 WLAN HOST
CVE-2018-11294 A-109741680 QC-CR#2197481 WLAN HOST
CVE-2018-5855 A-77527719 QC-CR#2193421 WLAN HOST
CVE-2018-11299 A-109741946 QC-CR#2186953 WLAN HOST
CVE-2018-11826 A-111127853 QC-CR#2205957 WLAN HOST
CVE-2018-11827 A-111128575 QC-CR#2206569 WLAN HOST
CVE-2018-11840 A-111126050 QC-CR#2215443 WLAN HOST
CVE-2018-11851 A-111125792 QC-CR#2221902 WLAN HOST
CVE-2018-11860 A-111128301 QC-CR#2225113 WLAN HOST
CVE-2018-11868 A-111128420 QC-CR#2227248 WLAN HOST
CVE-2018-11869 A-111128838 QC-CR#2227263 WLAN HOST
CVE-2018-11878 A-111128797 QC-CR#2228608 WLAN HOST
CVE-2018-11889 A-111128421 QC-CR#2230998 WLAN HOST
CVE-2018-11891 A-111128578 QC-CR#2231767 WLAN HOST
CVE-2018-11894 A-111127989 QC-CR#2232358 WLAN HOST
CVE-2018-11895 A-111128877 QC-CR#2232542 WLAN HOST
CVE-2018-11897 A-111128841 QC-CR#2233033 WLAN HOST
CVE-2018-11902 A-111126532 QC-CR#2225604 WLAN HOST
CVE-2018-11904 A-111125111 QC-CR#2215446 WLAN HOST
CVE-2018-11905 A-112277221 QC-CR#2146878 WLAN HOST
CVE-2018-11923 A-112276863 QC-CR#2224443 WLAN HOST
CVE-2018-11924 A-112278150 QC-CR#2224451 WLAN HOST
CVE-2018-11925 A-112277910 QC-CR#2226375 WLAN HOST
CVE-2018-11927 A-112277186 QC-CR#2227076 WLAN HOST
CVE-2018-11930 A-112278861 QC-CR#2231770 WLAN HOST
CVE-2018-11937 A-112277891 QC-CR#2245944 WLAN HOST
CVE-2018-11949 A-112278405 QC-CR#2249815 WLAN HOST
CVE-2018-11953 A-112277852 QC-CR#2235576 WLAN HOST
CVE-2018-13920 A-120487136 QC-CR#2293841 Kernel

Next comes the close-source Qualcomm components. Here is the list of issues that affect open-source components. The details of these vulnerabilities can be found in the April Qualcomm Security Bulletin. Related bugs are (listed by CVE and Reference):

CVE-2018-11291 A-109678120
CVE-2018-11821 A-111093019
CVE-2018-11822 A-111092813
CVE-2018-11828 A-111089816
CVE-2018-11849 A-111092945
CVE-2018-11850 A-111092919
CVE-2018-11853 A-111091938
CVE-2018-11854 A-111093762
CVE-2018-11856 A-111093242
CVE-2018-11859 A-111090373
CVE-2018-11861 A-111092814
CVE-2018-11862 A-111093763
CVE-2018-11867 A-111093243
CVE-2018-11870 A-111089817
CVE-2018-11871 A-111092400
CVE-2018-11872 A-111090534
CVE-2018-11873 A-111091378
CVE-2018-11874 A-111092946
CVE-2018-11875 A-111093022
CVE-2018-11876 A-111093244
CVE-2018-11877 A-111092888
CVE-2018-11879 A-111093280
CVE-2018-11880 A-111092401
CVE-2018-11882 A-111093259
CVE-2018-11884 A-111090535
CVE-2018-11928 A-112279580
CVE-2018-11936 A-112279127
CVE-2018-11967 A-119049704
CVE-2018-11967 A-119052960
CVE-2018-11968 A-114042276
CVE-2018-12005 A-117118499
CVE-2018-12012 A-117119174
CVE-2018-12013 A-117119152
CVE-2018-13885 A-117118789
CVE-2018-13895 A-122472377
CVE-2018-13925 A-120483842
CVE-2019-2244 A-122472139
CVE-2019-2245 A-122473145

Upgrade and update

The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.