TTCSIRT-129.061218: TT-CSIRT Advisory – Android Security Updates
Google has released a security update stating that the following vulnerabilities have been discovered in the Android OS:
a) Multiple information disclosure vulnerabilities in Framework – (CVE-2017-13227, CVE-2018-9340).
b) Multiple elevation of privilege vulnerabilities in Framework – (CVE-2018-9338, CVE-2018-9339).
c) Multiple elevation of privilege vulnerabilities in Kernel components – (CVE-2017-17558, CVE-2017-17806, CVE-2017-17807, CVE-2018-9363).
d) An elevation of privilege vulnerability in LG components – (CVE-2018-9364).
e) Multiple arbitrary code vulnerabilities in Media framework – (CVE-2017-13230, CVE-2018-5146, CVE-2018-9341).
f) Multiple elevation of privilege vulnerabilities in Media framework – (CVE-2018-9344, CVE-2018-9409).
g) Multiple information disclosure vulnerabilities in Media framework – (CVE-2018-9345, CVE-2018-9346).
h) Multiple denial of service vulnerabilities in Media framework – (CVE-2018-9347, CVE-2018-9348).
i) Multiple elevation of privilege vulnerabilities in MediaTek components – (CVE-2018-9366, CVE-2018-9367, CVE-2018-9368, CVE-2018-9369, CVE-2018-9370, CVE-2018-9371, CVE-2018-9372, CVE-2018-9373).
j) Multiple elevation of privilege vulnerabilities in NVIDIA components – (CVE-2017-6290, CVE-2017-6292, CVE-2017-6294).
k) Multiple vulnerabilities in Qualcomm closed-source components – (CVE-2017-18156, CVE-2017-18157, CVE-2018-5884, CVE-2018-5885, CVE-2018-5891, CVE-2018-5892, CVE-2018-5894).
l) Multiple elevation of privilege vulnerabilities in Qualcomm components – (CVE-2017-13077, CVE-2017-18158, CVE-2017-18159, CVE-2018-3569, CVE-2018-5830, CVE-2018-5831, CVE-2018-5834, CVE-2018-5835, CVE-2018-5854).
m) An arbitrary code vulnerability in Qualcomm components – (CVE-2017-18155).
n) Multiple information disclosure vulnerabilities in Qualcomm components – (CVE-2018-5829, CVE-2018-5896).
o) Multiple arbitrary code vulnerabilities in System – (CVE-2018-9355, CVE-2018-9356, CVE-2018-9357).
p) Multiple information disclosure vulnerabilities in System – (CVE-2018-9358, CVE-2018-9359, CVE-2018-9360, CVE-2018-9361).
q) A denial of service vulnerability in System – (CVE-2018-9362).
These vulnerabilities could be exploited through multiple methods such as email, web browsing and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs, view, change, delete data or create new accounts with full user rights.
| Further information on these vulnerabilities and how they can be mitigated can be found on the Android Website at https://source.android.com/security/bulletin/2018-06-01 |