Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2017-11078, CVE-2018-5861 | derrek (https://twitter.com/derrekr6) |
| CVE-2018-11823, CVE-2018-11918, CVE-2018-5904, CVE-2018-5908, CVE-2018-5909, CVE-2018-5910 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2018-11919 | Jianqiang Zhao (jianqiangzhao) |
| CVE-2018-11943 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements for individual credit information. |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2017-11078 | Medium | Boot | 7/17/2017 |
| CVE-2018-11823 | Medium | Power | 2/7/2018 |
| CVE-2018-11906 | High | Yocto | Internal |
| CVE-2018-11907 | High | Yocto | Internal |
| CVE-2018-11908 | High | Yocto | Internal |
| CVE-2018-11909 | High | Yocto | Internal |
| CVE-2018-11910 | High | Yocto | Internal |
| CVE-2018-11911 | High | Yocto | Internal |
| CVE-2018-11912 | High | Yocto | Internal |
| CVE-2018-11913 | High | Yocto | Internal |
| CVE-2018-11914 | High | Yocto | Internal |
| CVE-2018-11918 | Medium | Display | 3/1/2018 |
| CVE-2018-11919 | Medium | SoC Infrastructure | 2/7/2018 |
| CVE-2018-11943 | Medium | Boot | 1/18/2018 |
| CVE-2018-11946 | High | WIN OPENWRT | Internal |
| CVE-2018-11956 | High | Yocto | Internal |
| CVE-2018-11995 | High | Boot | Internal |
| CVE-2018-5856 | Medium | Audio | Internal |
| CVE-2018-5861 | Medium | Trusted Execution Environment | 1/4/2018 |
| CVE-2018-5904 | Medium | Power | 1/24/2018 |
| CVE-2018-5908 | Medium | Display | 12/25/2017 |
| CVE-2018-5909 | Medium | Display | 12/25/2017 |
| CVE-2018-5910 | Medium | Display | 12/25/2017 |
CVE-2017-11078
| CVE ID | CVE-2017-11078 |
| Title | Buffer Over-read in Boot |
| Description | While processing the boot image header, an out of bounds read can occur. |
| Technology Area | Boot |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/17/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2018-11823
| CVE ID | CVE-2018-11823 |
| Title | Double Free in Power |
| Description | Freeing device memory in driver probe failure will result in double free issue |
| Technology Area | Power |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/7/2018 |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11906
| CVE ID | CVE-2018-11906 |
| Title | Improper Access Control in Yocto |
| Description | Security concern with default privileged access to ADB and debug-fs. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
|
CVE-2018-11907
| CVE ID | CVE-2018-11907 |
| Title | Permission, Privileges and Access Controls in Yocto |
| Description | Improper access control can lead to device node and executable to be run from /firmware/ which presents a potential issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11908
| CVE ID | CVE-2018-11908 |
| Title | Permission, Privileges and Access Controls in Yocto |
| Description | Improper access control can lead to device node and executable to be run from /data/ which presents a potential issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11909
| CVE ID | CVE-2018-11909 |
| Title | Permission, Privileges and Access Controls in Yocto |
| Description | Improper access control can lead to device node and executable to be run from /cache/ which presents a potential issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11910
| CVE ID | CVE-2018-11910 |
| Title | Permissions, Privileges and Access control in Yocto |
| Description | Improper access control can lead to device node and executable to be run from /persist/ which presents a potential issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11911
| CVE ID | CVE-2018-11911 |
| Title | Permission, privileges and Access Controls in Yocto |
| Description | Improper configuration of script may lead to unprivileged acess. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11912
| CVE ID | CVE-2018-11912 |
| Title | Permissions, Privileges and Access Controls in Yocto |
| Description | Improper configuration of daemons may lead to unprivileged acess. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11913
| CVE ID | CVE-2018-11913 |
| Title | Permissions, Privileges and Access Controls in Yocto |
| Description | Improper configuration of dev nodes may lead to potential security issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11914
| CVE ID | CVE-2018-11914 |
| Title | Permission, Privileges and Access Controls in Yocto |
| Description | Improper access control can lead to device node and executable to be run from /systemrw/ which presents a potential security issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11918
| CVE ID | CVE-2018-11918 |
| Title | Double free in Display |
| Description | Memory allocated is automatically released by the kernel if the “probe” function fails with an error code. |
| Technology Area | Display |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/1/2018 |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11919
| CVE ID | CVE-2018-11919 |
| Title | Buffer Copy Without Checking Size of Input in Soc Infrastructure |
| Description | Potential heap overflow and memory corruption due to improper error handling in SOC infrastructure. |
| Technology Area | SoC Infrastructure |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/7/2018 |
| Customer Notified Date | 8/6/2018 |
| Patch |
|
CVE-2018-11943
| CVE ID | CVE-2018-11943 |
| Title | Information Exposure in Fastboot. |
| Description | While processing fastboot flash command, memory leak or unexpected behavior may occur due to processing of unintialized data buffers. |
| Technology Area | Boot |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/18/2018 |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11946
| CVE ID | CVE-2018-11946 |
| Title | Improper Authorization in WIN OPENWRT |
| Description | The UPnP daemon should not be running out of box because it enables port forwarding without authentication. |
| Technology Area | WIN OPENWRT |
| Vulnerability Type | CWE-285 Improper Authorization |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11956
| CVE ID | CVE-2018-11956 |
| Title | Permission, Privileges and Access Controls in Yocto |
| Description | Improper mounting lead to device node and executable to be run from /dsp/ which presents a potential security issue. |
| Technology Area | Yocto |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/6/2018 |
| Patch |
CVE-2018-11995
| CVE ID | CVE-2018-11995 |
| Title | Buffer Copy without Checking Size of Input in Boot |
| Description | A partition name-check variable is not reset for every iteration which may cause improper termination in the META image. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/1/2018 |
| Patch |
CVE-2018-5856
| CVE ID | CVE-2018-5856 |
| Title | Use After Free in Audio |
| Description | Due to a race condition, a Use After Free condition can occur in Audio. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/2/2018 |
| Patch |
CVE-2018-5861
| CVE ID | CVE-2018-5861 |
| Title | Incorrect Type Conversion or Cast in LK |
| Description | Existing checks in place on partition size are incomplete and can lead to heap overwrite vulnerabilities while loading a secure application from the boot loader. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/4/2018 |
| Customer Notified Date | 4/2/2018 |
| Patch |
CVE-2018-5904
| CVE ID | CVE-2018-5904 |
| Title | Use After Free in Power |
| Description | While list traversal in LPM status driver for clean up,Use after free vulnerability may occur. |
| Technology Area | Power |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 1/24/2018 |
| Customer Notified Date | 5/7/2018 |
| Patch |
CVE-2018-5908
| CVE ID | CVE-2018-5908 |
| Title | Possible Buffer Overflow in Display |
| Description | Possible buffer overflow in display function due to lack of buffer length validation before copying. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/25/2017 |
| Customer Notified Date | 5/7/2018 |
| Patch |
CVE-2018-5909
| CVE ID | CVE-2018-5909 |
| Title | Possible Buffer Overflow in Display |
| Description | Buffer overflow occur may occur in display handlers due to lack of checking in buffer size before copying into it and will lead to memory corruption |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/25/2017 |
| Customer Notified Date | 5/7/2018 |
| Patch |
CVE-2018-5910
| CVE ID | CVE-2018-5910 |
| Title | Buffer Copy Without Checking Size of Input in Display |
| Description | A memory corruption can occur in kernel due to improper check in callers count parameter in display handlers |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/25/2017 |
| Customer Notified Date | 5/7/2018 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security
bulletins and these bulletins match in the most common scenarios but may
differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific
scenarios that involves local denial of service or privilege escalation
vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | November 1, 2018 | Bulletin Published |