Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2018-11905 | Gengjia Chen (chengjia4574) |
CVE-2018-11937 | C0RE Team (c0reteam) |
CVE-2018-11940 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
CVE-2018-11953 | haochen (flank3rsky) |
CVE-2019-2247 | Joe0x20 (digforfree) |
CVE-2019-2248 | heidada (heiheidada) |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2018-11905 | High | DSP Service, WLAN HOST | 11/8/2017 |
CVE-2018-11923 | High | WLAN HOST | Internal |
CVE-2018-11924 | Medium | WLAN HOST | Internal |
CVE-2018-11925 | High | WLAN HOST | Internal |
CVE-2018-11927 | High | WLAN HOST | Internal |
CVE-2018-11930 | High | WLAN HOST | Internal |
CVE-2018-11937 | High | WLAN HOST | 4/23/2018 |
CVE-2018-11940 | Critical | WLAN HOST | 5/9/2018 |
CVE-2018-11949 | High | WLAN HOST | Internal |
CVE-2018-11953 | High | WLAN HOST | 4/24/2018 |
CVE-2018-11967 | High | DSP Service | Internal |
CVE-2018-13899 | High | Video | Internal |
CVE-2018-13920 | High | Kernel | Internal |
CVE-2019-2247 | Medium | Qualcomm IPC | 9/27/2018 |
CVE-2019-2248 | Medium | Display | 9/20/2018 |
CVE-2018-11905
CVE ID | CVE-2018-11905 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Possible buffer overflow in WLAN function due to lack of input validation in values received from firmware |
Technology Area | DSP Service, WLAN HOST |
Vulnerability Type | CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | 11/8/2017 |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11923
CVE ID | CVE-2018-11923 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Improper buffer length check before copying can lead to integer overflow and then a buffer overflow in WMA event handler |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11924
CVE ID | CVE-2018-11924 |
Title | Integer Overflow to Buffer Overflow in WLAN |
Description | Improper buffer length validation in WLAN function can lead to a potential integer overflow issue |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
Access Vector | Local |
Security Rating | Medium |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11925
CVE ID | CVE-2018-11925 |
Title | Integer Overflow or Wraparound in WLAN |
Description | Data length received from firmware is not validated against the max allowed size which can result in buffer overflow. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11927
CVE ID | CVE-2018-11927 |
Title | Improper Validation of Array Index in WLAN |
Description | Improper validation of input that is used as an array index can lead to an out-of-bounds access while processing an AP find event from firmware |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11930
CVE ID | CVE-2018-11930 |
Title | Integer Underflow Issue in WLAN |
Description | Improper validation of input data that is used to locate and copy the additional IEs in WLAN function can lead to a potential integer truncation issue. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11937
CVE ID | CVE-2018-11937 |
Title | Buffer Over-read Issue in WLAN |
Description | Lack of input validation before copying can lead to a buffer over-read in WLAN function |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | 4/23/2018 |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11940
CVE ID | CVE-2018-11940 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Lack of a length check before using memcpy in WLAN function can lead to OOB access |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 5/9/2018 |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11949
CVE ID | CVE-2018-11949 |
Title | Use of Uninitialized Variable in WLAN |
Description | Failure to initialize the extra buffer can lead to an out-of-bounds buffer access in WLAN function |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-457 Use of Uninitialized Variable |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11953
CVE ID | CVE-2018-11953 |
Title | Buffer Over-read Issue in WLAN |
Description | While processing ssid IE length from remote AP, possible out-of-bounds access may occur due to crafted ssid IE length. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | 4/24/2018 |
Customer Notified Date | 8/6/2018 |
Patch |
CVE-2018-11967
CVE ID | CVE-2018-11967 |
Title | Permissions, Privileges and Access Controls Issues in DSP Services |
Description | Signature verification of the skel library could potentially be disabled as the memory region on the remote subsystem in which the library is loaded is allocated from userspace currently |
Technology Area | DSP Service |
Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 11/5/2018 |
Patch |
CVE-2018-13899
CVE ID | CVE-2018-13899 |
Title | Use After Free in Video Driver |
Description | Processing messages after an error may result in a use-after-free memory fault |
Technology Area | Video |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 11/5/2018 |
Patch |
CVE-2018-13920
CVE ID | CVE-2018-13920 |
Title | Use-After-Free Issue in Kernel |
Description | Use-after-free condition due to improper handling of hrtimers when the PMU driver tries to access its events |
Technology Area | Kernel |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/3/2018 |
Patch |
CVE-2019-2247
CVE ID | CVE-2019-2247 |
Title | Double Free Issue in Kernel |
Description | Possibility of a double free issue while running multiple instances of the smp2p test, because proper protection is missing while using a global variable. |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 9/27/2018 |
Customer Notified Date | 1/7/2019 |
Patch |
CVE-2019-2248
CVE ID | CVE-2019-2248 |
Title | Stack Based Buffer Overflow Issues in Display |
Description | Buffer overflow can occur if an invalid header overwrites an existing buffer that has a fixed-size allocation. |
Technology Area | Display |
Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 9/20/2018 |
Customer Notified Date | 1/7/2019 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux that are not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
Version | Date | Comments |
1.0 | April 1, 2019 | Bulletin Published |