Android Security Bulletin August 2019: Critical vulnerabilities in Broadcom and Qualcomm components

Another month is here, and Android finds itself with a mixture of critical and high vulnerabilities.

Image: Jack Wallen

Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found. However, with the inclusion of Broadcom and Qualcomm components, there are seven in total. 

Let's take a look at the critical and high issues discovered in the most recent report. 

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 6, it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (August 1, 2019). 

To find out what patch level you are running, open Settings and go to Security. Under Security update you'll find your security patch level (Figure A). 

Figure A: The latest security patch has been applied.
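For a fleet of devices the same check is easier over adb than through the Settings UI. The script below is an added example, not part of the article: it reads the real Android system property ro.build.version.security_patch (a YYYY-MM-DD string) and classifies it against the two patch-level dates this bulletin defines, so a device at 2019-08-01 is flagged as still missing the Broadcom and Qualcomm component fixes shipped under 2019-08-05. The function names and the "full/partial/missing" labels are constructed here.

```shell
#!/bin/sh
# Added example (not from the article). Classify a device's reported security
# patch level against the two patch-level dates of the August 2019 bulletin.
# ro.build.version.security_patch is the real Android property (YYYY-MM-DD);
# the function names and status labels are constructed for this example.

LEVEL_AOSP="2019-08-01"     # framework, media framework and system fixes
LEVEL_VENDOR="2019-08-05"   # adds the Broadcom and Qualcomm component fixes

# to_num 2019-08-05 -> 20190805, so dates can be compared with -ge.
to_num() {
    printf '%s' "$1" | tr -d '-'
}

# patch_status LEVEL -> prints full | partial | missing | invalid
#   full     level >= 2019-08-05, all fixes in this bulletin present
#   partial  2019-08-01 <= level < 2019-08-05, vendor component fixes absent
#   missing  level predates this bulletin entirely
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 1 ;;
    esac
    if [ "$(to_num "$level")" -ge "$(to_num "$LEVEL_VENDOR")" ]; then
        echo full
    elif [ "$(to_num "$level")" -ge "$(to_num "$LEVEL_AOSP")" ]; then
        echo partial
    else
        echo missing
    fi
}

# device_status: query an attached device over adb and print "<level> <status>".
device_status() {
    prop=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    [ -n "$prop" ] || { echo "no device or property not readable" >&2; return 1; }
    printf '%s %s\n' "$prop" "$(patch_status "$prop")"
}

# Usage: sh patchcheck.sh --device   (requires adb and an authorized device)
if [ "${1:-}" = "--device" ]; then
    device_status
fi
```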

Terminology

You will find different types of vulnerabilities listed. Possible types include:

  • RCE—Remote code execution
  • EoP—Elevation of privilege
  • ID—Information disclosure
  • DoS—Denial of service

08/01/2019 patch level

Critical flaws

This patch level included the only non-third-party critical issue. This particular vulnerability was found in the system and was marked as such because it could enable a remote attacker, using a malicious PAC (Proxy Auto-Config) file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

High issues

The first issue marked high affects the Android runtime and is marked as such because it could enable a local attacker to bypass user interaction requirements to gain access to additional permissions on a device. The related bug (listed by CVE, Reference, and Type) is:

There are two issues, marked high, that affect the framework. These vulnerabilities are marked as such because they could enable locally installed malicious applications to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

Next we find three vulnerabilities, marked high, in the media framework. These issues are marked as such because they could enable a remote attacker, using a specifically crafted malicious file, to execute arbitrary code within the context of an unprivileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

There were a number of issues, marked high, found in the system. These issues were marked as such because they could enable a remote attacker, using a specifically crafted PAC file, to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

08/05/2019 Patch Level

Critical issues

The only vulnerabilities marked critical were found in both Broadcom and Qualcomm components. The first of these issues was found in the Broadcom Bluetooth component and was marked as such because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:

  • CVE-2019-11516 A-132966035 RCE

The next issue, marked critical, was found in an open-source Qualcomm component. The details of this issue can be found in the appropriate Qualcomm security alert. The related bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:

There were two vulnerabilities, marked high, found in closed-source Qualcomm components. The details surrounding these issues can be found in the appropriate Qualcomm security alert. The related bugs (listed by CVE and Reference) are:

  • CVE-2019-10539 A-135126805
  • CVE-2019-10540 A-135126805

High issues

The first issue marked high was found in the media framework and was listed as such because it could enable a local attacker to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:

The next high issue was found in the system and was marked as such because it could enable a proximate attacker to access device data. The related bug (listed by CVE, Reference, and Type) is:

There were four issues, marked high, found in Qualcomm open-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

The final issues, marked high, were found in Qualcomm closed-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE and Reference) are:

  • CVE-2019-10489 A-132108754
  • CVE-2019-2294 A-132108952

Upgrade and update

The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.
