
June is busting out all over the place. Flowers are blooming, trees are leafing, bees are pollinating, and bugs are creeping. Of course, Android isn’t immune to that explosion of bugs. With the June Security Bulletin comes a solid balance of critical and high vulnerabilities that may or may not surprise you. Let’s dive right into this bulletin to see what’s what.
Before we dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the latest security patch (June 5, 2018). To find out what patch level you are running, open Settings and go to About Phone. Scroll down until you see Android security patch level (Figure A).
Figure A: The Android security patch level as shown under Settings > About Phone.
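The same check can be scripted, which is handy across a fleet of devices. This is an added example, not from the article: it reads the real ro.build.version.security_patch system property over adb (the value Settings displays) and classifies it against the bulletin's two patch levels; the fallback sample value is constructed.

```shell
# Classify a device's Android security patch level against the June 2018
# bulletin's two levels. Input is the YYYY-MM-DD string Android exposes in
# the ro.build.version.security_patch property (same value as About Phone).
patch_status() {
  level="$1"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "invalid: '$level' is not a YYYY-MM-DD patch level"; return 0 ;;
  esac
  n=$(printf '%s' "$level" | tr -d '-')   # 2018-06-05 -> 20180605
  if [ "$n" -ge 20180605 ]; then
    # 2018-06-05 or later: framework fixes plus the kernel, LG, MediaTek,
    # NVIDIA and Qualcomm component fixes
    echo "complete"
  elif [ "$n" -ge 20180601 ]; then
    # 2018-06-01: Framework, Media Framework and System fixes only
    echo "partial"
  else
    # predates this bulletin entirely
    echo "missing"
  fi
}

# Read the live value from a connected device when adb is present; otherwise
# fall back to a constructed sample so the script still runs offline.
if command -v adb >/dev/null 2>&1; then
  level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
else
  level="2018-06-01"   # constructed sample value
fi
echo "$level -> $(patch_status "$level")"
```

A device reporting "partial" has the framework-level fixes but still lacks the vendor and SoC fixes listed under the June 5 level.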
Terminology
You will find different types of vulnerabilities listed. Possible types include:
- RCE–Remote code execution
- EoP–Elevation of privilege
- ID–Information disclosure
- DoS–Denial of service
And now, onto the issues.
2018-06-01 security patch level
Critical issues
There are only 6 vulnerabilities marked Critical for June 1. It should come as no surprise that half of them are found in the Media Framework. These RCE vulnerabilities are marked Critical because they can enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs are (listed by CVE and Reference number):
- CVE-2018-9341 A-74016277
- CVE-2018-5146 A-77284393*
- CVE-2017-13230 A-65483665
The remaining 3 Critical vulnerabilities are all associated with the System component and are of the same type (RCE) as the Media Framework issues. They are marked Critical because they can enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE and Reference number):
- CVE-2018-9355 A-74016921
- CVE-2018-9356 A-74950468
- CVE-2018-9357 A-74947856
High Issues
Next come the vulnerabilities marked High for June 1. There are 14 such issues, associated with three different components. The first four affect the Android Framework. These issues are labeled High because they could enable a locally installed malicious application to bypass user interaction in order to gain additional permissions. Related bugs are (listed by CVE, Reference, and Type):
- CVE-2018-9338 A-71361168 EoP
- CVE-2018-9339 A-71508348 EoP
- CVE-2017-13227 A-69981710 ID
- CVE-2018-9340 A-71360999 ID
Next we’re back to our dear old friend, the Media Framework. Five vulnerabilities marked High affect this component; the rating reflects that the most severe of them could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):
- CVE-2018-9344 A-73172817 EoP
- CVE-2018-9345 A-77238250 ID
- CVE-2018-9346 A-77238762 ID
- CVE-2018-9347 A-68664359 DoS
- CVE-2018-9348 A-68953854 DoS
The Android System wasn’t free and clear of issues marked High. In fact, there are five vulnerabilities in this category, the most severe of which could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):
- CVE-2018-9358 A-73172115 ID
- CVE-2018-9359 A-74196706 ID
- CVE-2018-9360 A-74201143 ID
- CVE-2018-9361 A-74202041 ID
- CVE-2018-9362 A-72298611 DoS
2018-06-05 security patch level
Critical Issues
There are 6 vulnerabilities marked Critical for the June 5 security patch. The first is associated with LG Components and could enable a local attacker to bypass user interaction requirements to gain access to additional permissions. The related bug is (listed by CVE, Reference, and Type):
- CVE-2018-9364 A-69163111* EoP
There is also a single Critical vulnerability associated with a MediaTek component. This issue could allow a remote attacker to execute arbitrary code within the context of the Trusted Computing Base (which includes hardware, firmware, and/or software). The related bug is (listed by CVE, Reference, Type, and Component):
- CVE-2018-9373 A-71867247* M-ALPS03740330 EoP Mediatek WLAN TDLS
The remaining Critical issues are all found within various Qualcomm components and could enable a local attacker to bypass user interaction to gain access to additional permissions. The related bugs are (listed by CVE, Reference, Qualcomm Reference, Type, and Component):
- CVE-2017-18158 A-68992400 QC-CR#2104056 EoP Bootloader
- CVE-2018-3569 A-74237215 QC-CR#2161920 EoP WLAN Host
- CVE-2017-18155 A-66734153* QC-CR#1050893 RCE Hardware codec
- CVE-2018-5854 A-71800779 QC-CR#2183877 EoP Bootloader
High Issues
And now we focus on the vulnerabilities marked High. The first four are associated with various kernel components and could enable a local malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, Type, and Component):
- CVE-2018-9363 A-65853588* EoP bluetooth
- CVE-2017-17806 A-71752561 (Upstream kernel) EoP crypto
- CVE-2017-17807 A-71751178 (Upstream kernel) EoP Keyring
- CVE-2017-17558 A-71751622 (Upstream kernel) EoP USB
The Media Framework was discovered to have a single High issue, which could enable a locally installed malicious application to bypass user interaction to gain access to additional permissions. The related bug is (listed by CVE, Reference, and Type):
- CVE-2018-9409 A-63144992* EoP High
MediaTek components were hit by eight vulnerabilities marked High, the most severe of which could enable a remote attacker to execute arbitrary code within the context of the Trusted Computing Base. Related bugs are (listed by CVE, Reference, Type, and Component):
- CVE-2018-9366 A-72314499* M-ALPS03762526 EoP IMSA
- CVE-2018-9367 A-72314219* M-ALPS03762692 EoP Cameratool CCAP
- CVE-2018-9368 A-70727446* M-ALPS03730693 EoP mtksocaudio
- CVE-2018-9369 A-70514573* M-ALPS03666161 EoP bootloader
- CVE-2018-9370 A-70515281* M-ALPS03693488 EoP bootloader
- CVE-2018-9371 A-70515752* M-ALPS03683903 EoP Bootloader
- CVE-2018-9372 A-70730215* M-ALPS03676237 EoP bootloader
Next we see NVIDIA with three vulnerabilities marked High, each of which could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, Type, and Component):
- CVE-2017-6290 A-69559414* N-200373895 EoP TLK TrustZone
- CVE-2017-6294 A-69316825* N-200369095 EoP NVIDIA Tegra X1 TZ
- CVE-2017-6292 A-69480285* N-200373888 EoP TLZ TrustZone
Finally we’re back to Qualcomm, topping out the chart with nine vulnerabilities marked High. Each of these vulnerabilities could enable a local attacker to bypass user interaction, thereby gaining access to additional permissions. Related bugs are (listed by CVE, Reference, Qualcomm Reference, Type, and Component):
- CVE-2017-13077 A-63165064* EoP WLAN
- CVE-2018-5896 A-70399602* QC-CR#2163793 ID Diag driver
- CVE-2018-5829 A-74237546 QC-CR#2151241 ID WLAN
- CVE-2017-18159 A-68992405 QC-CR#2105697 EoP Bootloader
- CVE-2017-18158 A-67782849* QC-CR#2104056 EoP Bootloader
- CVE-2018-5835 A-74237148 QC-CR#2153553 EoP WLAN Host
- CVE-2018-5834 A-74237804 QC-CR#2153326 EoP WLAN
- CVE-2018-5831 A-74237606 QC-CR#2161310 EoP GPU driver
- CVE-2018-5830 A-74237532 QC-CR#2157917 EoP WLAN Host
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.