August 2018 Code Aurora Security Bulletin

Version 1.2

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-0782, CVE-2018-11260, CVE-2018-11261, CVE-2018-11262, CVE-2018-5898, CVE-2018-5919 Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-14872, CVE-2017-14893, CVE-2017-15824 derrek (https://twitter.com/derrekr6)
CVE-2018-5906 Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2018-5383 Eli Biham and Lior Neumann, Department of Computer Science, Technion – Israel Institute of Technology

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-0782 Critical Bluetooth HOST 9/12/2017
CVE-2017-14872 Medium Boot 6/27/2017
CVE-2017-14893 Medium Boot 6/27/2017
CVE-2017-15824 Medium Boot 8/30/2017
CVE-2017-18158 High Boot Internal
CVE-2017-18159 High Boot Internal
CVE-2018-11260 Medium WLAN HOST 2/6/2018
CVE-2018-11261 High Video 9/19/2017
CVE-2018-11262 Critical Boot 3/26/2018
CVE-2018-11263 High WLAN HOST Internal
CVE-2018-11266 Medium Core Services 3/6/2018
CVE-2018-5383 Critical Bluetooth HOST 1/18/2018
CVE-2018-5887 High Boot Internal
CVE-2018-5888 High Boot Internal
CVE-2018-5890 High Boot Internal
CVE-2018-5898 Medium Audio 1/4/2018
CVE-2018-5906 Medium SoC Infrastructure 12/22/2017
CVE-2018-5919 Medium WLAN HOST 11/28/2017

CVE-2017-0782

CVE ID CVE-2017-0782
Title Buffer Copy without Checking Size of Input in Bluetooth
Description A remote code execution vulnerability in the Android system (bluetooth)
Technology Area Bluetooth HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Critical
Date Reported 9/12/2017
Customer Notified Date 1/1/2018
Patch

CVE-2017-14872

CVE ID CVE-2017-14872
Title Information Exposure in Boot
Description While flashing a meta image, a buffer over-read can potentially occur when the number of images exceeds the maximum of 32.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 6/27/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-14893

CVE ID CVE-2017-14893
Title Information Exposure in Linux
Description While flashing a meta image, a buffer over-read may potentially occur when the image size is smaller than the image header size, or smaller than the image header size plus the total size of the image header entries.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 6/27/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-15824

CVE ID CVE-2017-15824
Title Information Exposure Vulnerability in Boot
Description The function UpdateDeviceStatus() writes an uninitialized local stack buffer to flash memory using WriteToPartition(), which may potentially leak memory contents.
Technology Area Boot
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 8/30/2017
Customer Notified Date 11/6/2017
Patch

CVE-2017-18158

CVE ID CVE-2017-18158
Title Buffer Copy Without Checking Size of Input in Boot
Description (1) A memory leak may potentially occur in ReadAllowUnlockValue(). (2) While processing image flash data, an integer overflow may potentially occur. (3) An array out-of-bounds access may potentially occur in FastbootUpdateAttr(). (4) When processing arguments from the fastboot commands Flash/Erase/SetActive, a buffer overflow can potentially occur. (5) A buffer check is incorrect in CmdFlash(). (6) A null pointer dereference may potentially occur in FastbootUnInit(). (7) An invalid string comparison is performed in CmdSetActive().
Technology Area Boot
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2017-18159

CVE ID CVE-2017-18159
Title Improper Restriction of Operation Within the Bounds of a Memory Buffer
Description While processing a StrHwPlatform with a length smaller than EFICHIPINFO_MAX_ID_LENGTH, an array out-of-bounds access may occur.
Technology Area Boot
Vulnerability Type CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Patch

CVE-2018-11260

CVE ID CVE-2018-11260
Title Integer Overflow to Buffer Overflow in WLAN
Description While processing a Fast Initial Link Setup (FILS) connection request, an integer overflow may lead to a buffer overflow when the key length is zero.
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 2/6/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11261

CVE ID CVE-2018-11261
Title Use After Free in Video Decoder
Description A possible use-after-free in the media codec process. Any application using the codec service is affected.
Technology Area Video
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 9/19/2017
Customer Notified Date 6/4/2018
Patch

CVE-2018-11262

CVE ID CVE-2018-11262
Title Incorrect Calculation of Buffer Size in Boot
Description While determining the total number of partitions via a non-zero check, 'TotalPart' could exceed 'GptHeader->MaxPtCnt', which could result in an out-of-bounds (OOB) write when patching the GPT.
Technology Area Boot
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating Critical
Date Reported 3/26/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-11263

CVE ID CVE-2018-11263
Title Improper Validation of Array Index in WLAN
Description In the function wma_unified_radio_tx_power_level_stats_event_handler, radio_id is received from the firmware (FW) in the fixed_param structure and is used to index the buffer wma_handle->link_stats_results when copying the radio stats received from the FW for each radio. If the radio_id received from the FW is greater than or equal to link_stats_results->num_radio, an out-of-bounds (OOB) write will occur.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Patch

CVE-2018-11266

CVE ID CVE-2018-11266
Title Improper Input Validation in DIAG
Description Improper input validation can lead to access of already-freed DCI client entries while closing a DCI client.
Technology Area Core Services
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 3/6/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-5383

CVE ID CVE-2018-5383
Title Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange (from cert.org)
Description Bluetooth firmware or operating system software drivers may not sufficiently validate the elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. (from cert.org)
Technology Area Bluetooth HOST
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Adjacent Network
Security Rating Critical
Date Reported 1/18/2018
Customer Notified Date 5/7/2018
Patch
  • Even if you are porting the patches yourself, please engage your customer engineering contact. The order of patches matters.
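The mitigation for the class of issue described above is full validation of the peer's ECDH public key before it is used. The following is an added example, not code from the bulletin or from any Bluetooth stack, written against NIST P-256 (the curve used for Bluetooth pairing) with private scalars that are constructed for illustration:

```python
# Added example (not from the bulletin or any Bluetooth stack): validate a peer's
# ECDH public key on NIST P-256 before use, the mitigation for CVE-2018-5383.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def is_valid_public_key(point):
    """Both coordinates in [0, P) and the point on the curve. P-256 has
    cofactor 1, so an on-curve check also guarantees prime order."""
    if point is None:                    # point at infinity is never a key
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p, q):
    """Affine group law; None represents the point at infinity."""
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:  # p == -q
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh_shared_x(private_scalar, peer_public):
    """Shared x coordinate, or None when the peer key fails validation."""
    if not is_valid_public_key(peer_public):
        return None
    shared = scalar_mult(private_scalar, peer_public)
    return None if shared is None else shared[0]
```

A key whose y coordinate has been altered still has a plausible x coordinate, so checking x alone is not enough; the curve equation must be checked on both coordinates.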

CVE-2018-5887

CVE ID CVE-2018-5887
Title Improper Validation of Array Index in Boot
Description While processing the USB StrSerialDescriptor array, an array index out of bounds can occur.
Technology Area Boot
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5888

CVE ID CVE-2018-5888
Title Incorrect Calculation of Buffer Size in Boot
Description While processing the system path, an out of bounds access can occur.
Technology Area Boot
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch

CVE-2018-5890

CVE ID CVE-2018-5890
Title Integer Underflow in Boot
Description If fdt_totalsize is reported as 0 for the current device tree, an error check for a valid device tree is bypassed.
Technology Area Boot
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Patch
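An added example, not the bootloader's own code, of the header sanity check that a zero fdt_totalsize must not get past. It uses the flattened device tree (DTB) header layout from the device tree specification and a minimal DTB constructed inline for illustration:

```python
# Added example (not the bootloader's own code): sanity-check a flattened
# device tree (DTB) header before trusting fdt_totalsize, the check
# CVE-2018-5890 describes as bypassed when the reported size is 0.
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER_FMT = ">10I"        # ten big-endian u32 fields (version 17 header)
FDT_HEADER_SIZE = struct.calcsize(FDT_HEADER_FMT)   # 40 bytes

def u32_sub(a, b):
    """What `a - b` yields for C uint32_t operands: wraps instead of failing."""
    return (a - b) & 0xFFFFFFFF

def check_fdt_header(blob, load_buffer_size):
    """Return None if the header is consistent, else a short reason string."""
    if len(blob) < FDT_HEADER_SIZE:
        return "truncated header"
    (magic, totalsize, off_struct, off_strings, off_rsvmap, _version,
     _last_comp, _boot_cpu, size_strings, size_struct) = struct.unpack(
        FDT_HEADER_FMT, blob[:FDT_HEADER_SIZE])
    if magic != FDT_MAGIC:
        return "bad magic"
    # Compare sizes directly; never derive a "bytes remaining" value by
    # subtraction, since totalsize == 0 makes u32_sub(totalsize, 40) ~4 GiB.
    if totalsize < FDT_HEADER_SIZE:
        return "totalsize smaller than header (or zero)"
    if totalsize > load_buffer_size:
        return "totalsize exceeds load buffer"
    for name, off, size in (("struct", off_struct, size_struct),
                            ("strings", off_strings, size_strings),
                            ("mem_rsvmap", off_rsvmap, 0)):
        if off < FDT_HEADER_SIZE or off + size > totalsize:
            return name + " block outside totalsize"
    return None

def build_min_dtb():
    """Constructed minimal DTB: header, empty reservation map, root node."""
    rsvmap = struct.pack(">QQ", 0, 0)                      # terminating entry
    nodes = struct.pack(">I4sII", 1, b"\0\0\0\0", 2, 9)    # BEGIN_NODE "" END_NODE END
    total = FDT_HEADER_SIZE + len(rsvmap) + len(nodes)
    hdr = struct.pack(FDT_HEADER_FMT, FDT_MAGIC, total,
                      FDT_HEADER_SIZE + len(rsvmap),   # off_dt_struct
                      total,                           # off_dt_strings (empty)
                      FDT_HEADER_SIZE,                 # off_mem_rsvmap
                      17, 16, 0, 0, len(nodes))
    return hdr + rsvmap + nodes

def with_totalsize(blob, value):
    """Copy of blob with the totalsize field overwritten (for the tests)."""
    return blob[:4] + struct.pack(">I", value) + blob[8:]
```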

CVE-2018-5898

CVE ID CVE-2018-5898
Title Integer Overflow to Buffer Overflow in Audio
Description A buffer overflow can occur in the sound driver if the user-supplied parameter length goes beyond a certain limit.
Technology Area Audio
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 1/4/2018
Customer Notified Date 6/4/2018
Patch

CVE-2018-5906

CVE ID CVE-2018-5906
Title Buffer Copy Without Checking Size of Input in CORE
Description A possible buffer overflow in the debugfs module due to a missing size check on the input before it is copied into a buffer.
Technology Area SoC Infrastructure
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/22/2017
Customer Notified Date 5/7/2018
Patch

CVE-2018-5919

CVE ID CVE-2018-5919
Title Use After Free in WLAN
Description A use-after-free issue in the WLAN host driver can lead to a device reboot.
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/28/2017
Customer Notified Date 6/4/2018
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version Date Comments
1.0 August 6, 2018 Bulletin Published
1.1 August 10, 2018 Added CVE-2018-5383
1.2 November 13, 2018 Updated the title and/or description of six CVEs