Android Security Bulletin August 2019: Critical vulnerabilities in Broadcom and Qualcomm components

Another month is here, and Android finds itself with a mixture of critical and high vulnerabilities.

Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found. However, with the inclusion of Broadcom and Qualcomm components, there are seven in total.

More about cybersecurity

Let's take a look at the critical and high issues discovered in the most recent report.

Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 6, it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (August 1, 2019).

SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)

To find out what patch level you are running, open Settings and go to Security. Under Security update you'll find your security patch level (Figure A).

Figure A: The latest security patch has been applied.

Terminology

You will find different types of vulnerabilities listed. Possible types include:

RCE—Remote code execution
EoP—Elevation of privilege
ID—Information disclosure
DoS—Denial of service

08/01/2019 patch level

Critical flaws

This patch level included the only non-third-party critical issue. This particular vulnerability was found in the system and was marked as such because it could enable a remote attacker, using a malicious PAC (Proxy Auto-Config) file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:

CVE-2019-2130 A-132073833 RCE

High issues

The first issue marked high, affects the Android runtime and is marked as such because it could enable a local attacker to bypass user interaction requirements to gain access to additional permissions on a device. The related bug (listed by CVE, Reference, and Type) is:

CVE-2019-2120 A-130821293 EoP

There are two issues, marked high, that affect the framework. These vulnerabilities are marked as such because they could enable locally installed malicious applications to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

CVE-2019-2121 A-131105245 EoP
CVE-2019-2122 A-127605586 EoP

Next we find three vulnerabilities, marked high, in the media framework. These issues are marked as such because they could enable a remote attacker, using a specifically crafted malicious file to execute arbitrary code within the context of an unprivileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

CVE-2019-2126 A-127702368 RCE
CVE-2019-2128 A-132647222 EoP
CVE-2019-2129 A-124781927 ID

There were a number of issues, marked high, found in the system. These issues were marked as such because they could enable a remote attacker, using a specifically crafted PAC file, to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:

CVE-2019-2131 A-119115683 EoP
CVE-2019-2132 A-130568701 EoP
CVE-2019-2133 A-132082342 EoP
CVE-2019-2134 A-132083376 EoP
CVE-2019-2135 A-125900276 ID
CVE-2019-2136 A-132650049 ID
CVE-2019-2137 A-132438333 DoS

08/05/2019 Patch Level

Critical issues

The only vulnerabilities marked critical were found in both Broadcom and Qualcomm components. The first of these issues was found in the Broadcom bluetooth component and was marked as such because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:

CVE-2019-11516 A-132966035 RCE

The next issue, marked critical, was found in a open-source Qualcomm component. The details of this issue can be found in the appropriate Qualcomm security alert. The related bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:

CVE-2019-10492 A-132170519 QC-CR#2389432 HLOS

There were two vulnerabilities marked high, found in closed-source Qualcomm components. The details surrounding these issues can be found in the appropriate Qualcomm security alert. The related bugs (listed by CVE and Reference) are:

CVE-2019-10539 A-135126805
CVE-2019-10540 A-135126805

High issues

The first issue marked high was found in the media framework and was listed as such because it could enable a local attacker to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:

CVE-2019-2127 A-124899895 EoP

The next high issue was found in the system and was marked as such because it could enable a proximate attack to access device data. The related bug (listed by CVE, Reference, and Type) is:

CVE-2019-9506 A-124301137 ID

There were four issues, marked high, found in Qualcomm open-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:

CVE-2019-10509 A-132171185 QC-CR#2359039 BTHOST
CVE-2019-10510 A-132173563 QC-CR#2305025 BTHOST
CVE-2019-10499 A-134440231 QC-CR#2398099 MProc
CVE-2019-10538 A-132193791 QC-CR#2448763 WLAN

The final issues, marked high, were found in Qualcomm closed-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE and Reference) are:

CVE-2019-10489 A-132108754
CVE-2019-2294 A-132108952

Upgrade and update

The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.