November 2018 Code Aurora Security Bulletin

November 5, 2018 | Security Bulletin

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating. A description of these ratings, using v1.2 of the ratings scheme, can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11078, CVE-2018-5861: derrek (https://twitter.com/derrekr6)
CVE-2018-11823, CVE-2018-11918, CVE-2018-5904, CVE-2018-5908, CVE-2018-5909, CVE-2018-5910: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2018-11919: Jianqiang Zhao (jianqiangzhao)
CVE-2018-11943: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/overview/acknowledgements for individual credit information.

Table of vulnerabilities

Public ID      | Security Rating | Technology Area               | Date Reported
CVE-2017-11078 | Medium          | Boot                          | 7/17/2017
CVE-2018-11823 | Medium          | Power                         | 2/7/2018
CVE-2018-11906 | High            | Yocto                         | Internal
CVE-2018-11907 | High            | Yocto                         | Internal
CVE-2018-11908 | High            | Yocto                         | Internal
CVE-2018-11909 | High            | Yocto                         | Internal
CVE-2018-11910 | High            | Yocto                         | Internal
CVE-2018-11911 | High            | Yocto                         | Internal
CVE-2018-11912 | High            | Yocto                         | Internal
CVE-2018-11913 | High            | Yocto                         | Internal
CVE-2018-11914 | High            | Yocto                         | Internal
CVE-2018-11918 | Medium          | Display                       | 3/1/2018
CVE-2018-11919 | Medium          | SoC Infrastructure            | 2/7/2018
CVE-2018-11943 | Medium          | Boot                          | 1/18/2018
CVE-2018-11946 | High            | WIN OPENWRT                   | Internal
CVE-2018-11956 | High            | Yocto                         | Internal
CVE-2018-11995 | High            | Boot                          | Internal
CVE-2018-5856  | Medium          | Audio                         | Internal
CVE-2018-5861  | Medium          | Trusted Execution Environment | 1/4/2018
CVE-2018-5904  | Medium          | Power                         | 1/24/2018
CVE-2018-5908  | Medium          | Display                       | 12/25/2017
CVE-2018-5909  | Medium          | Display                       | 12/25/2017
CVE-2018-5910  | Medium          | Display                       | 12/25/2017

CVE-2017-11078

CVE ID: CVE-2017-11078
Title: Buffer Over-read in Boot
Description: While processing the boot image header, an out-of-bounds read can occur.
Technology Area: Boot
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 7/17/2017
Customer Notified Date: 10/2/2017
Patch:

CVE-2018-11823

CVE ID: CVE-2018-11823
Title: Double Free in Power
Description: Freeing device memory on driver probe failure results in a double free.
Technology Area: Power
Vulnerability Type: CWE-415 Double Free
Access Vector: Local
Security Rating: Medium
Date Reported: 2/7/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11906

CVE ID: CVE-2018-11906
Title: Improper Access Control in Yocto
Description: Security concern with default privileged access to ADB and debugfs.
Technology Area: Yocto
Vulnerability Type: CWE-284 Improper Access Control
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11907

CVE ID: CVE-2018-11907
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper access control can allow device nodes and executables to be run from /firmware/, which presents a potential issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11908

CVE ID: CVE-2018-11908
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper access control can allow device nodes and executables to be run from /data/, which presents a potential issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11909

CVE ID: CVE-2018-11909
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper access control can allow device nodes and executables to be run from /cache/, which presents a potential issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11910

CVE ID: CVE-2018-11910
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper access control can allow device nodes and executables to be run from /persist/, which presents a potential issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11911

CVE ID: CVE-2018-11911
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper configuration of a script may lead to unprivileged access.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11912

CVE ID: CVE-2018-11912
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper configuration of daemons may lead to unprivileged access.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11913

CVE ID: CVE-2018-11913
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper configuration of device nodes may lead to a potential security issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11914

CVE ID: CVE-2018-11914
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper access control can allow device nodes and executables to be run from /systemrw/, which presents a potential security issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11918

CVE ID: CVE-2018-11918
Title: Double Free in Display
Description: Memory allocated is automatically released by the kernel if the "probe" function fails with an error code, so freeing it explicitly as well results in a double free.
Technology Area: Display
Vulnerability Type: CWE-415 Double Free
Access Vector: Local
Security Rating: Medium
Date Reported: 3/1/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11919

CVE ID: CVE-2018-11919
Title: Buffer Copy Without Checking Size of Input in SoC Infrastructure
Description: Potential heap overflow and memory corruption due to improper error handling in SoC infrastructure.
Technology Area: SoC Infrastructure
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 2/7/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11943

CVE ID: CVE-2018-11943
Title: Information Exposure in Fastboot
Description: While processing the fastboot flash command, a memory leak or unexpected behavior may occur due to the processing of uninitialized data buffers.
Technology Area: Boot
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 1/18/2018
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11946

CVE ID: CVE-2018-11946
Title: Improper Authorization in WIN OPENWRT
Description: The UPnP daemon should not be running out of the box, because it enables port forwarding without authentication.
Technology Area: WIN OPENWRT
Vulnerability Type: CWE-285 Improper Authorization
Access Vector: Adjacent Network
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11956

CVE ID: CVE-2018-11956
Title: Permissions, Privileges and Access Controls in Yocto
Description: Improper mounting can allow device nodes and executables to be run from /dsp/, which presents a potential security issue.
Technology Area: Yocto
Vulnerability Type: CWE-264 Permissions, Privileges, and Access Controls
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 8/6/2018
Patch:

CVE-2018-11995

CVE ID: CVE-2018-11995
Title: Buffer Copy Without Checking Size of Input in Boot
Description: A partition name-check variable is not reset on every iteration, which may cause improper termination in the META image.
Technology Area: Boot
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 1/1/2018
Patch:

CVE-2018-5856

CVE ID: CVE-2018-5856
Title: Use After Free in Audio
Description: Due to a race condition, a use-after-free condition can occur in Audio.
Technology Area: Audio
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: Internal
Customer Notified Date: 4/2/2018
Patch:

CVE-2018-5861

CVE ID: CVE-2018-5861
Title: Incorrect Type Conversion or Cast in LK
Description: Existing checks on partition size are incomplete and can lead to heap overwrite vulnerabilities while loading a secure application from the boot loader.
Technology Area: Trusted Execution Environment
Vulnerability Type: CWE-704 Incorrect Type Conversion or Cast
Access Vector: Local
Security Rating: Medium
Date Reported: 1/4/2018
Customer Notified Date: 4/2/2018
Patch:

CVE-2018-5904

CVE ID: CVE-2018-5904
Title: Use After Free in Power
Description: During list traversal for clean-up in the LPM status driver, a use-after-free vulnerability may occur.
Technology Area: Power
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: Medium
Date Reported: 1/24/2018
Customer Notified Date: 5/7/2018
Patch:

CVE-2018-5908

CVE ID: CVE-2018-5908
Title: Possible Buffer Overflow in Display
Description: Possible buffer overflow in a display function due to a lack of buffer length validation before copying.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 12/25/2017
Customer Notified Date: 5/7/2018
Patch:

CVE-2018-5909

CVE ID: CVE-2018-5909
Title: Possible Buffer Overflow in Display
Description: A buffer overflow may occur in display handlers due to a missing buffer-size check before copying into the buffer, leading to memory corruption.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 12/25/2017
Customer Notified Date: 5/7/2018
Patch:

CVE-2018-5910

CVE ID: CVE-2018-5910
Title: Buffer Copy Without Checking Size of Input in Display
Description: Memory corruption can occur in the kernel due to an improper check of the caller's count parameter in display handlers.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 12/25/2017
Customer Notified Date: 5/7/2018
Patch:

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections such as SELinux not being enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version | Date             | Comments
1.0     | November 1, 2018 | Bulletin Published