Security Bulletin

May 2019 Code Aurora Security Bulletin

Published May 6, 2019; updated August 9, 2019

Version 1.1

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-11819, CVE-2018-3583 haochen (flank3rsky)
CVE-2018-11929 C0RE Team (c0reteam)
CVE-2018-11934, CVE-2018-11939 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2018-11942 xbq (xbq)
CVE-2018-11947 dokyungs@uci.edu
CVE-2018-5883, CVE-2018-5911 Gengjia Chen (chengjia4574)
CVE-2018-5903 %i%s%n\nAAA (derrek)

Table of vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2018-11819 | Medium | WLAN HOST | 12/13/2017 |
| CVE-2018-11929 | Medium | WLAN HOST | 4/11/2018 |
| CVE-2018-11934 | Medium | WLAN HOST | 4/9/2018 |
| CVE-2018-11939 | Medium | WLAN HOST | 5/4/2018 |
| CVE-2018-11942 | Medium | WLAN HOST | 1/26/2018 |
| CVE-2018-11947 | Medium | WLAN HOST | 4/26/2018 |
| CVE-2018-13919 | High | Data Network Stack & Connectivity | Internal |
| CVE-2018-3583 | High | WLAN HOST | 6/20/2017 |
| CVE-2018-5883 | High | WLAN HOST | 9/13/2017 |
| CVE-2018-5903 | High | WLAN HOST | 12/8/2017 |
| CVE-2018-5911 | Medium | WLAN HOST | 2/24/2018 |

CVE-2018-11819

CVE ID CVE-2018-11819
Title Use After Free in WLAN
Description Use-after-free issue in WLAN function due to multiple ACS scan requests at a time
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/13/2017
Customer Notified Date 8/6/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 675, SD 730, SD 820A, SD 835, SD 855, SDA660, SDX20, SDX24
Patch

CVE-2018-11929

CVE ID CVE-2018-11929
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of input validation in WLAN function can lead to potential heap overflow.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 4/11/2018
Customer Notified Date 8/6/2018
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-11934

CVE ID CVE-2018-11934
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible out of bounds write due to improper input validation while processing DO_ACS vendor command.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 4/9/2018
Customer Notified Date 8/6/2018
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-11939

CVE ID CVE-2018-11939
Title Use After Free in WLAN
Description While processing multiple EVENT_CONNECT_RESULT events, a single BSSID value may be referenced multiple times, resulting in a use-after-free issue
Technology Area WLAN HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 5/4/2018
Customer Notified Date 8/6/2018
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, QCA6574AU, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SDX20
Patch

CVE-2018-11942

CVE ID CVE-2018-11942
Title Information Exposure in WLAN
Description Failure to initialize the reserved memory which is sent to the firmware might lead to exposure of 1 byte of uninitialized kernel SKB memory to FW.
Technology Area WLAN HOST
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 1/26/2018
Customer Notified Date 8/6/2018
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-11947

CVE ID CVE-2018-11947
Title Information Exposure in WLAN
Description The txrx stats req might be double freed in the pdev detach when the host driver is unloading.
Technology Area WLAN HOST
Vulnerability Type CWE-200 Information Exposure, CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 4/26/2018
Customer Notified Date 8/6/2018
Affected Chipsets IPQ8064, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-13919

CVE ID CVE-2018-13919
Title Use-After-Free issue in IPA Driver
Description A use-after-free vulnerability will occur if a reset of the routing table encounters an invalid rule ID while processing the command to reset.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/3/2018
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, QCS405, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-3583

CVE ID CVE-2018-3583
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow can occur while processing an extscan hotlist event
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating High
Date Reported 6/20/2017
Customer Notified Date 2/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9379, QCS605, SD 625, SD 636, SD 820, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20
Patch

CVE-2018-5883

CVE ID CVE-2018-5883
Title Improper Validation of Array Index in WLAN
Description Buffer overflow in WLAN driver event handlers due to improper validation of array index
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 9/13/2017
Customer Notified Date 5/7/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-5903

CVE ID CVE-2018-5903
Title Improper Validation of Array Index in WLAN
Description Out of bounds read occurs due to improper validation of array while processing VDEV stop response from WLAN firmware.
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 12/8/2017
Customer Notified Date 5/7/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2018-5911

CVE ID CVE-2018-5911
Title Possible Buffer Overflow in WLAN
Description Buffer overflow in WLAN function due to improper check of buffer size before copying.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 2/24/2018
Customer Notified Date 5/7/2018
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 855, SDM630, SDM660, SDX20, SDX24
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | May 6, 2019 | Bulletin Published |
| 1.1 | August 9, 2019 | Added link to CVE-2018-11934 |