Before we dive into what’s included with this month’s Android Security Bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, a Pixel 3, is running a security patch that is up to date (December 5, 2018).
To find out what patch level you are running, open Settings and go to About Phone. If you’re using Android Pie, that location changed to Settings | Security & Location | Security updated. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.
SEE: Mobile device computing policy (Tech Pro Research)
Figure A
Terminology
You will find different types of vulnerabilities listed. Possible types include:
- RCE–Remote code execution
EoP–Elevation of privilege
ID–Information disclosure
DoS–Denial of service
And now, onto the issues.
12/01/2018 Security Patch Level
Critical Issues
The Media Framework is the first area listed with Critical vulnerabilities. These flaws are marked as such because they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-9549A-112160868 RCE
- CVE-2018-9550A-112660981 RCE
- CVE-2018-9551A-112891548 RCE
- CVE-2018-9552A-113260892 ID
The only other issues marked Critical are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-9555A-112321180 RCE
- CVE-2018-9556A-113118184 RCE
High Issues
We head to the Framework for the first round of issues marked High. These flaws are marked as such because they could enable a locally installed, malicious application to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-9547A-114223584 EoP
- CVE-2018-9548A-112555574 ID
We now head back to the Media Framework, to find three issues marked High. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-9553A-116615297 RCE
- CVE-2018-9538 A-112181526 EoP
- CVE-2018-9554A-114770654 ID High
Our last collection of issues marked High are found in the System. These flaws are marked as such because they could enable a remote attacker, using a specially crafted attack, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-9557 A-35385357* EoP
- CVE-2018-9558A-112161557 EoP
- CVE-2018-9559A-112731440 EoP
- CVE-2018-9560A-79946737 EoP
- CVE-2018-9562A-113164621 ID
- CVE-2018-9566A-74249842 ID
SEE: Mobile app development policy (Tech Pro Research)
12/05/2018 Security Patch Level
Critical Issues
Surprisingly, only five critical flaws are found in this patch level. Not so surprising is that they all affect Qualcomm closed-source components. The details of these issues can be found in the Qualcomm security bulletin (which is quite lengthy). The related bugs (listed by CVE and Reference) are:
- CVE-2017-8248 A-78135902
- CVE-2017-11004 A-66913713
- CVE-2017-18141 A-67712316
- CVE-2018-5913 A-79419833
- CVE-2018-11279 A-109678200
High Issues
The first issue marked High is found in the System. This flaw is marked as such because it could lead to information disclosure, without requiring additional execution privileges. The related bug (listed by CVE, Reference, Type, and Component) is:
- CVE-2018-9565 A-16680558 ID OMA-DM
Another High issue was found in HTC Components. The flaw is marked as such because it could enable an attacker to bypass user interaction requirements to gain access to higher permissions. The related bug (listed by CVE, Reference, Type, and Component) is:
- CVE-2018-9567 A-65543936 EoP Bootloader
The Kernel was hit with two issues marked High. These are marked as such because they could enable an attacker to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, Type, and Component) are:
- CVE-2018-10840 A-116406508 EoP ext4 filesystem
- CVE-2018-9568 A-113509306 EoP network
Three open source Qualcomm components were found with issues marked High. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:
- CVE-2018-11960 A-114042002 QC-CR#2264832 HWEngines
- CVE-2018-11961 A-114040881 QC-CR#2261813 GPS_AP_LINUX
- CVE-2018-11963 A-114041685 QC-CR#2220770 Automotive Multimedia
Finally, the last group of issues marked High affect Qualcomm closed-source components. The details for these flaws can be found in the Qualcomm Security Bulletin. The related bugs (listed by CVE and Reference) are:
- CVE-2017-18319 A-78284753
- CVE-2017-18321 A-78283451
- CVE-2017-18322 A-78285196
- CVE-2017-18323 A-78284194
- CVE-2017-18324 A-78284517
- CVE-2017-18327 A-78240177
- CVE-2017-18331 A-78239686
- CVE-2017-18332 A-78284545
- CVE-2017-18160 A-109660689
- CVE-2017-18326 A-78240324
- CVE-2017-8276 A-68141338
- CVE-2017-18328 A-78286046
- CVE-2017-18329 A-73539037
- CVE-2017-18330 A-73539235
- CVE-2018-3595 A-71501115
- CVE-2017-18320 A-33757308
- CVE-2018-11999 A-74236942
- CVE-2018-5867 A-77485184
- CVE-2018-5868 A-77484529
- CVE-2018-5869 A-33385206
- CVE-2017-5754 A-79419639
- CVE-2018-5915 A-79420511
- CVE-2018-11267 A-109678338
- CVE-2018-11922 A-112279564
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they are available.
