Version 1.2
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-0782, CVE-2018-11260, CVE-2018-11261, CVE-2018-11262, CVE-2018-5898, CVE-2018-5919: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-14872, CVE-2017-14893, CVE-2017-15824: derrek (https://twitter.com/derrekr6)
CVE-2018-5906: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2018-5383: Eli Biham and Lior Neumann, Department of Computer Science, Technion – Israel Institute of Technology

Table of vulnerabilities

Public ID        Security Rating  Technology Area     Date Reported
CVE-2017-0782    Critical         Bluetooth HOST      9/12/2017
CVE-2017-14872   Medium           Boot                6/27/2017
CVE-2017-14893   Medium           Boot                6/27/2017
CVE-2017-15824   Medium           Boot                8/30/2017
CVE-2017-18158   High             Boot                Internal
CVE-2017-18159   High             Boot                Internal
CVE-2018-11260   Medium           WLAN HOST           2/6/2018
CVE-2018-11261   High             Video               9/19/2017
CVE-2018-11262   Critical         Boot                3/26/2018
CVE-2018-11263   High             WLAN HOST           Internal
CVE-2018-11266   Medium           Core Services       3/6/2018
CVE-2018-5383    Critical         Bluetooth HOST      1/18/2018
CVE-2018-5887    High             Boot                Internal
CVE-2018-5888    High             Boot                Internal
CVE-2018-5890    High             Boot                Internal
CVE-2018-5898    Medium           Audio               1/4/2018
CVE-2018-5906    Medium           SoC Infrastructure  12/22/2017
CVE-2018-5919    Medium           WLAN HOST           11/28/2017

CVE-2017-0782
CVE ID: CVE-2017-0782
Title: Buffer Copy without Checking Size of Input in Bluetooth
Description: A remote code execution vulnerability in the Android system (bluetooth).
Technology Area: Bluetooth HOST
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Critical
Date Reported: 9/12/2017
Customer Notified Date: 1/1/2018
Patch:

CVE-2017-14872
CVE ID: CVE-2017-14872
Title: Information Exposure in Boot
Description: While flashing a meta image, a buffer over-read can potentially occur when the number of images exceeds the maximum of 32.
Technology Area: Boot
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 6/27/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-14893
CVE ID: CVE-2017-14893
Title: Information Exposure in Linux
Description: While flashing a meta image, a buffer over-read may potentially occur when the image size is smaller than the image header size, or smaller than the image header size plus the total size of the image header entries.
Technology Area: Boot
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 6/27/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-15824
CVE ID: CVE-2017-15824
Title: Information Exposure Vulnerability in Boot
Description: The function UpdateDeviceStatus() writes an uninitialized local stack buffer to flash memory using WriteToPartition(), which may potentially leak memory contents.
Technology Area: Boot
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 8/30/2017
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-18158
CVE ID: CVE-2017-18158
Title: Buffer Copy Without Checking Size of Input in Boot
Description: (1) A memory leak may potentially occur in ReadAllowUnlockValue(). (2) While processing image flash data, an integer overflow may potentially occur. (3) An array out-of-bounds access may potentially occur in FastbootUpdateAttr(). (4) When processing arguments from the fastboot commands Flash/Erase/SetActive, a buffer overflow can potentially occur. (5) A buffer check is incorrect in CmdFlash(). (6) A null pointer dereference may potentially occur in FastbootUnInit(). (7) An invalid string comparison is performed in CmdSetActive().
Technology Area: Boot
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/6/2017
Patch:

CVE-2017-18159

CVE-2018-11260
CVE ID: CVE-2018-11260
Title: Integer Overflow to Buffer Overflow in WLAN
Description: While processing a Fast Initial Link Setup (FILS) connection request, an integer overflow may lead to a buffer overflow when the key length is zero.
Technology Area: WLAN HOST
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 2/6/2018
Customer Notified Date: 6/4/2018
Patch:

CVE-2018-11261
CVE ID: CVE-2018-11261
Title: Use After Free in Video Decoder
Description: A possible use-after-free issue in the media codec process. Any application using the codec service will be affected.
Technology Area: Video
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: 9/19/2017
Customer Notified Date: 6/4/2018
Patch:

CVE-2018-11262
CVE ID: CVE-2018-11262
Title: Incorrect Calculation of Buffer Size in Boot
Description: While determining the total number of partitions via a non-zero check, ‘TotalPart’ could exceed ‘GptHeader->MaxPtCnt’, which could result in an out-of-bounds write while patching the GPT.
Technology Area: Boot
Vulnerability Type: CWE-131 Incorrect Calculation of Buffer Size
Access Vector: Local
Security Rating: Critical
Date Reported: 3/26/2018
Customer Notified Date: 6/4/2018
Patch:

CVE-2018-11263
CVE ID: CVE-2018-11263
Title: Improper Validation of Array Index in WLAN
Description: In the function wma_unified_radio_tx_power_level_stats_event_handler, radio_id is received from the firmware in the fixed_param structure and is used to index the buffer wma_handle->link_stats_results when copying the radio stats received from the firmware for each radio. If the radio_id received from the firmware is greater than or equal to link_stats_results->num_radio, an out-of-bounds write will occur.
Technology Area: WLAN HOST
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Adjacent Network
Security Rating: High
Date Reported: Internal
Customer Notified Date: 6/4/2018
Patch:
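The defect class behind CVE-2018-11263 is a host driver trusting an index that arrives from firmware. The C below is an added illustration of the corresponding hardened pattern and is not the Qualcomm driver's code: the structure names follow the bulletin's description (fixed_param.radio_id, link_stats_results->num_radio), but their layouts, the MAX_RADIOS/MAX_LEVELS limits, the function names and the sample event payload are constructed assumptions. The handler treats every firmware-supplied value as untrusted and rejects radio_id at or beyond num_radio before it is ever used to address link_stats_results, which is exactly the condition the bulletin names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified layouts for this example (assumption: not the
 * real driver structs). Field names follow the bulletin's description. */
#define MAX_RADIOS   2u   /* slots backing link_stats_results->radios[] */
#define MAX_LEVELS   8u   /* tx power levels stored per radio */

struct radio_stats {
    uint32_t num_levels;
    uint32_t tx_power_level[MAX_LEVELS];
};

struct link_stats_results {
    uint32_t num_radio;                     /* slots actually allocated */
    struct radio_stats radios[MAX_RADIOS];
};

struct fixed_param {                        /* header as received from firmware */
    uint32_t radio_id;
    uint32_t num_levels;
};

enum { STATS_OK = 0, STATS_EINVAL = -1 };

/* Hardened handler: each firmware-supplied value is range-checked against
 * what the host allocated before it is used as an index or a length. */
int copy_radio_tx_power_stats(struct link_stats_results *res,
                              const struct fixed_param *fp,
                              const uint32_t *levels)
{
    if (res == NULL || fp == NULL || levels == NULL)
        return STATS_EINVAL;
    /* num_radio itself must never exceed the array that backs it. */
    if (res->num_radio > MAX_RADIOS)
        return STATS_EINVAL;
    /* The bulletin's condition: radio_id >= num_radio would write past the buffer. */
    if (fp->radio_id >= res->num_radio)
        return STATS_EINVAL;
    /* The copied length is firmware-controlled too; bound it before memcpy. */
    if (fp->num_levels > MAX_LEVELS)
        return STATS_EINVAL;

    struct radio_stats *dst = &res->radios[fp->radio_id];
    dst->num_levels = fp->num_levels;
    memcpy(dst->tx_power_level, levels, fp->num_levels * sizeof(uint32_t));
    return STATS_OK;
}

/* Scenario driver: allocates num_radio slots, feeds a constructed firmware
 * event carrying the given radio_id, and returns the handler's verdict. */
int run_scenario(uint32_t num_radio, uint32_t radio_id)
{
    struct link_stats_results res;
    memset(&res, 0, sizeof(res));
    res.num_radio = num_radio;

    const uint32_t levels[3] = { 10u, 20u, 30u };        /* constructed payload */
    struct fixed_param fp = { .radio_id = radio_id, .num_levels = 3u };

    return copy_radio_tx_power_stats(&res, &fp, levels);
}

/* Returns the level stored at index idx of slot radio_id after a successful
 * copy, or 0 when the event was rejected (so nothing was written). */
uint32_t stored_level(uint32_t num_radio, uint32_t radio_id, uint32_t idx)
{
    struct link_stats_results res;
    memset(&res, 0, sizeof(res));
    res.num_radio = num_radio;

    const uint32_t levels[3] = { 10u, 20u, 30u };        /* constructed payload */
    struct fixed_param fp = { .radio_id = radio_id, .num_levels = 3u };

    if (copy_radio_tx_power_stats(&res, &fp, levels) != STATS_OK || idx >= MAX_LEVELS)
        return 0;
    return res.radios[radio_id].tx_power_level[idx];
}
```

A useful review habit for this class of bug is to ask, for every field that crosses a trust boundary such as firmware to host, which host-side allocation bounds it; here both the index (radio_id against num_radio) and the length (num_levels against the slot size) need an explicit check, and num_radio itself must be validated against the backing array when it is filled in from an earlier message.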
CVE-2018-11266
CVE ID: CVE-2018-11266
Title: Improper Input Validation in DIAG
Description: Improper input validation can lead to improper access to already freed DCI client entries while closing a DCI client.
Technology Area: Core Services
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: Medium
Date Reported: 3/6/2018
Customer Notified Date: 6/4/2018
Patch:

CVE-2018-5383
CVE ID: CVE-2018-5383
Title: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange (from cert.org)
Description: Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. (from cert.org)
Technology Area: Bluetooth HOST
Vulnerability Type: CWE-310 Cryptographic Issues
Access Vector: Adjacent Network
Security Rating: Critical
Date Reported: 1/18/2018
Customer Notified Date: 5/7/2018
Patch:
- Even if you are porting the patches yourself, please engage your customer engineering contact. The order of patches matters.

CVE-2018-5887
CVE ID: CVE-2018-5887
Title: Improper Validation of Array Index in Boot
Description: While processing the USB StrSerialDescriptor array, an array index out of bounds can occur.
Technology Area: Boot
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 1/1/2018
Patch:

CVE-2018-5888
CVE ID: CVE-2018-5888
Title: Incorrect Calculation of Buffer Size in Boot
Description: While processing the system path, an out-of-bounds access can occur.
Technology Area: Boot
Vulnerability Type: CWE-131 Incorrect Calculation of Buffer Size
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 1/1/2018
Patch:

CVE-2018-5890
CVE ID: CVE-2018-5890
Title: Integer Underflow in Boot
Description: If fdt_totalsize is reported as 0 for the current device tree, the error check for a valid device tree is bypassed.
Technology Area: Boot
Vulnerability Type: CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 1/1/2018
Patch:

CVE-2018-5898
CVE ID: CVE-2018-5898
Title: Integer Overflow to Buffer Overflow in Audio
Description: A buffer overflow can occur in the sound driver if the user-supplied parameter length exceeds a certain limit.
Technology Area: Audio
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 1/4/2018
Customer Notified Date: 6/4/2018
Patch:

CVE-2018-5906
CVE ID: CVE-2018-5906
Title: Buffer Copy Without Checking Size of Input in CORE
Description: A possible buffer overflow in the debugfs module due to a missing check on the size of the input before copying it into a buffer.
Technology Area: SoC Infrastructure
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector: Local
Security Rating: Medium
Date Reported: 12/22/2017
Customer Notified Date: 5/7/2018
Patch:

CVE-2018-5919
CVE ID: CVE-2018-5919
Title: Use After Free in WLAN
Description: A use-after-free issue in the WLAN host driver can lead to a device reboot.
Technology Area: WLAN HOST
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 11/28/2017
Customer Notified Date: 6/4/2018
Patch:

Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:
- Consideration of security protections, such as SELinux, that are not enforced on some platforms
- Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version  Date               Comments
1.0      August 6, 2018     Bulletin published
1.1      August 10, 2018    Added CVE-2018-5383
1.2      November 13, 2018  Updated the title and/or description on six CVEs