Android Security Bulletin August 2018: What you need to know

As the Summer draws near its end, Android vulnerabilities continue to be a part of the platform. Although August did see a few less Critical bugs, there were plenty of flaws marked High to balance out the sheet. Let’s dive into those vulnerabilities and see what’s what.

Before we take that dive into what’s included with this month’s bulletin, it’s always good to know what security release is installed on your device. To no surprise, my daily driver, an Essential PH-1, is running the a security patch that is now one month behind (July 5, 2018).

To find out what patch level you are running, open Settings and go to About Phone. If you’re using Android Pie, that location has changed to Settings | Security & Location | Security updated. Scroll down until you see Android security patch level (Figure A).

Figure A

Terminology

You will find different types of vulnerabilities listed. Possible types include:

• RCE–Remote code execution
• EoP–Elevation of privilege
• ID–Information disclosure
• DoS–Denial of service

And now, onto the issues.

2018-08-01 security patch level

Critical issues

There are only three issues marked Critical for the 08-01 patch level. The first affects the Media Framework and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. The related bug is (listed by CVE, Reference, and Type):

CVE-2018-9427A-77486542 RCE

The last two Critical flaws are found in the System and, via a malicious file, could enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9446 A-80145946 RCE
• CVE-2018-9450A-79541338 RCE

High issues

Vulnerabilities marked High comprise the vast majority of bugs for August. The first four are associated with the Framework and could, via a malicious application, bypass user interaction requirements to gain additional permissions. Related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9445A-80436257 EoP
• CVE-2018-9438A-78644887 DoS
• CVE-2018-9458A-71786287 EoP
• CVE-2018-9451A-79488511 ID

The next two vulnerabilities marked High affect the Media framework and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9444 A-63521984 DoS
• CVE-2018-9437A-78656554 DoS

The final vulnerabilities, marked High, affect the System and could, via a malicious file, enable a remote attacker to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, and Type):

• CVE-2018-9459A-66230183 EoP
• CVE-2018-9455A-78136677 DoS
• CVE-2018-9436A-79164722 ID High
• CVE-2018-9454A-78286118 ID High
• CVE-2018-9448A-79944113 ID High
• CVE-2018-9453A-78288378 ID High

2018-08-05 security patch level

Critical vulnerabilities

There are only three Critical vulnerabilities in the 08-05 patch level, each of which affect closed source Qualcomm components. These issues are (listed by CVE and Reference):

• CVE-2017-18296 A-78240731
• CVE-2017-18305 A-78239838
• CVE-2017-18310 A-62211308

Information on Qualcomm closed source issues must come directly from the manufacturer.

High vulnerabilities

The first set of vulnerabilities marked high affect Kernel components. This issues could enable a locally-installed malicious application to execute arbitrary code within the context of a privileged process. Related bugs are (listed by CVE, Reference, Type, and Component):

• CVE-2017-18249 A-78283212 Upstream kernel EoP F2FS
• CVE-2018-9465 A-69164715 Upstream kernel EoP binder

The next group of High vulnerabilities affect open source Qualcomm components and could lead to remote information disclosure. Related bugs are (listed by CVE, Reference, Qualcomm Reference, Type, and Component):

• CVE-2018-5383 A-79421580 QC-CR#2209635 ID Bluetooth
• CVE-2017-13077 A-78284758 QC-CR#2133033 ID WLAN
• CVE-2017-18281 A-78242172 QC-CR#856388 ID Video
• CVE-2018-11260 A-72997254 QC-CR#2204872 EoP WLAN

Finally, there are a number of vulnerabilities, marked High, that affect Qualcomm closed source components. To find out more about these issues, consult official Qualcomm channels. Related bugs are (listed by CVE and Reference:

• CVE-2017-18295 A-78240386
• CVE-2017-18283 A-78240411
• CVE-2017-18294 A-78240247
• CVE-2017-18293 A-78240316
• CVE-2017-18292 A-78241027
• CVE-2017-18298 A-78239976
• CVE-2017-18299 A-78240418
• CVE-2017-18304 A-78239975
• CVE-2017-18303 A-78240396
• CVE-2017-18301 A-78238455
• CVE-2017-18302 A-78239233
• CVE-2017-18300 A-78239508
• CVE-2017-18297 A-78240275
• CVE-2017-18280 A-78285512
• CVE-2017-18282 A-78241591
• CVE-2017-18309 A-73539064
• CVE-2017-18308 A-73539310
• CVE-2018-11305 A-72951032
• CVE-2018-11258 A-72951054

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but that you apply them as soon as they are available.