SB2018080810 - Multiple vulnerabilities in Google Android
Published: August 8, 2018 Updated: April 1, 2024
Description
This security bulletin contains information about 43 security vulnerabilities.
1) Key management errors (CVE-ID: CVE-2017-13077)
The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key. The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.
2) Race condition (CVE-ID: CVE-2017-18249)
The vulnerability allows a local attacker to cause a DoS condition on the target system. The weakness exists in the add_free_nid function due to a race condition. A local attacker can trigger memory corruption and cause the service to crash.
3) Privilege escalation (CVE-ID: CVE-2017-18280)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
4) Information disclosure (CVE-ID: CVE-2017-18281)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the Qualcomm component. A remote attacker can bypass user interaction requirements and access arbitrary data.
5) Privilege escalation (CVE-ID: CVE-2017-18282)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
6) Privilege escalation (CVE-ID: CVE-2017-18283)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
7) Privilege escalation (CVE-ID: CVE-2017-18292)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
8) Privilege escalation (CVE-ID: CVE-2017-18293)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
9) Privilege escalation (CVE-ID: CVE-2017-18294)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
10) Privilege escalation (CVE-ID: CVE-2017-18295)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
11) Improper input validation (CVE-ID: CVE-2017-18296)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
12) Privilege escalation (CVE-ID: CVE-2017-18297)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
13) Privilege escalation (CVE-ID: CVE-2017-18298)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
14) Privilege escalation (CVE-ID: CVE-2017-18299)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
15) Privilege escalation (CVE-ID: CVE-2017-18300)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
16) Privilege escalation (CVE-ID: CVE-2017-18301)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
17) Privilege escalation (CVE-ID: CVE-2017-18302)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
18) Privilege escalation (CVE-ID: CVE-2017-18303)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
19) Privilege escalation (CVE-ID: CVE-2017-18304)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
20) Improper input validation (CVE-ID: CVE-2017-18305)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
21) Privilege escalation (CVE-ID: CVE-2017-18308)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
22) Privilege escalation (CVE-ID: CVE-2017-18309)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
23) Improper input validation (CVE-ID: CVE-2017-18310)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
24) Privilege escalation (CVE-ID: CVE-2018-11258)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
25) Privilege escalation (CVE-ID: CVE-2018-11260)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the Qualcomm component. A remote attacker can bypass user interaction requirements and gain elevated privileges.
26) Privilege escalation (CVE-ID: CVE-2018-11305)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.
27) Man-in-the-middle attack (CVE-ID: CVE-2018-5383)
The vulnerability allows an adjacent attacker to conduct a man-in-the-middle attack on the target system.
The weakness exists in the Bluetooth Low Energy (BLE) implementation of Secure Connections mode due to insufficient validation of elliptic curve parameters that are used to generate public keys during a Diffie-Hellman key exchange when the affected software performs device pairing operations. An adjacent attacker can intercept the public key exchange between the two targeted systems, inject a malicious public key to aid in determining the session key, access sensitive information or forge and modify messages, which could be used to inject malicious software on the targeted system.
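The validation whose absence is described above, as an added example that is not taken from Android or any vendor patch: before a received public key is used in the Diffie-Hellman computation, both coordinates are checked against the curve equation. It assumes the NIST P-256 curve and a 64-byte payload of X followed by Y, each little-endian; the function names and sample keys are hypothetical and constructed for the example.

```python
# Added example: reject a peer public key that is not a point on the curve.
# Assumption: NIST P-256 domain parameters, y^2 = x^3 + A*x + B (mod P).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


class InvalidPublicKey(ValueError):
    """Raised when a received key must not be used for key agreement."""


def is_on_curve(x: int, y: int) -> bool:
    # Coordinates must be reduced field elements, and BOTH of them must
    # satisfy the curve equation; checking only x is not sufficient.
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_peer_public_key(payload: bytes) -> tuple:
    # Assumed wire format: 32-byte X then 32-byte Y, little-endian.
    if len(payload) != 64:
        raise InvalidPublicKey("expected 64 bytes of X || Y")
    x = int.from_bytes(payload[:32], "little")
    y = int.from_bytes(payload[32:], "little")
    if not is_on_curve(x, y):
        # Abort pairing here; never derive a shared secret from this key.
        raise InvalidPublicKey("point is not on P-256")
    return x, y


def encode(x: int, y: int) -> bytes:
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


# Constructed samples: the curve base point, and the same key with its
# Y coordinate altered in transit.
VALID_KEY = encode(GX, GY)
ALTERED_KEY = encode(GX, 0)

if __name__ == "__main__":
    print("valid key accepted:", parse_peer_public_key(VALID_KEY) == (GX, GY))
    try:
        parse_peer_public_key(ALTERED_KEY)
    except InvalidPublicKey as exc:
        print("altered key rejected:", exc)
```
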
28) Improper input validation (CVE-ID: CVE-2018-9427)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
29) Information disclosure (CVE-ID: CVE-2018-9436)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.
30) Improper input validation (CVE-ID: CVE-2018-9437)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
31) Improper input validation (CVE-ID: CVE-2018-9438)
The vulnerability allows a local attacker to cause a DoS condition on the target system.
The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and cause the service to crash.
32) Improper input validation (CVE-ID: CVE-2018-9444)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading it, bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
33) Privilege escalation (CVE-ID: CVE-2018-9445)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.
34) Privilege escalation (CVE-ID: CVE-2018-9446)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
35) Information disclosure (CVE-ID: CVE-2018-9448)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.
36) Privilege escalation (CVE-ID: CVE-2018-9450)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
37) Information disclosure (CVE-ID: CVE-2018-9451)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.
38) Information disclosure (CVE-ID: CVE-2018-9453)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.
39) Information disclosure (CVE-ID: CVE-2018-9454)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.
40) Improper input validation (CVE-ID: CVE-2018-9455)
The vulnerability allows a local attacker to cause a DoS condition on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and cause the service to crash.
41) Privilege escalation (CVE-ID: CVE-2018-9458)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.
42) Privilege escalation (CVE-ID: CVE-2018-9459)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.
43) Privilege escalation (CVE-ID: CVE-2018-9465)
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.
References
- https://www.krackattacks.com/
- https://papers.mathyvanhoef.com/ccs2017.pdf
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30a61ddf8117c26ac5b295...
- https://source.android.com/security/bulletin/2018-08-01
- https://support.apple.com/en-us/HT208937
- https://corp.mediatek.com/product-security-bulletin/April-2024