Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2018-062
Date(s) Issued: 
Thursday, June 7, 2018
Subject: 
Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution within the context of a privileged process. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • Android OS builds utilizing Security Patch Levels issued prior to June 5, 2018.
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for arbitrary code execution within the context of a privileged process. Details of these vulnerabilities are as follows:

  • Multiple information disclosure vulnerabilities in Framework. (CVE-2017-13227, CVE-2018-9340)
  • Multiple elevation of privilege vulnerabilities in Framework. (CVE-2018-9338, CVE-2018-9339)
  • Multiple elevation of privilege vulnerabilities in Kernel components. (CVE-2017-17558, CVE-2017-17806, CVE-2017-17807, CVE-2018-9363)
  • An elevation of privilege vulnerability in LG components. (CVE-2018-9364)
  • Multiple arbitrary code vulnerabilities in Media framework. (CVE-2017-13230, CVE-2018-5146, CVE-2018-9341)
  • Multiple elevation of privilege vulnerabilities in Media framework. (CVE-2018-9344, CVE-2018-9409)
  • Multiple information disclosure vulnerabilities in Media framework. (CVE-2018-9345, CVE-2018-9346)
  • Multiple denial of service vulnerabilities in Media framework. (CVE-2018-9347, CVE-2018-9348)
  • Multiple elevation of privilege vulnerabilities in MediaTek components. (CVE-2018-9366, CVE-2018-9367, CVE-2018-9368, CVE-2018-9369, CVE-2018-9370, CVE-2018-9371, CVE-2018-9372, CVE-2018-9373)
  • Multiple elevation of privilege vulnerabilities in NVIDIA components. (CVE-2017-6290, CVE-2017-6292, CVE-2017-6294)
  • Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2017-18156, CVE-2017-18157, CVE-2018-5884, CVE-2018-5885, CVE-2018-5891, CVE-2018-5892, CVE-2018-5894)
  • Multiple elevation of privilege vulnerabilities in Qualcomm components. (CVE-2017-13077, CVE-2017-18158, CVE-2017-18159, CVE-2018-3569, CVE-2018-5830, CVE-2018-5831, CVE-2018-5834, CVE-2018-5835, CVE-2018-5854)
  • An arbitrary code vulnerability in Qualcomm components. (CVE-2017-18155)
  • Multiple information disclosure vulnerabilities in Qualcomm components. (CVE-2018-5829, CVE-2018-5896)
  • Multiple arbitrary code vulnerabilities in System. (CVE-2018-9355, CVE-2018-9356, CVE-2018-9357)
  • Multiple information disclosure vulnerabilities in System. (CVE-2018-9358, CVE-2018-9359, CVE-2018-9360, CVE-2018-9361)
  • A denial of service vulnerability in System. (CVE-2018-9362)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, delete data, or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • After appropriate testing, immediately apply updates by Google Android or mobile carriers to vulnerable systems when they become available.
  • Remind users to only download applications from trusted vendors in the Play Store.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.
References: 

Google Android:

https://source.android.com/security/bulletin/2018-06-01

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6290

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6292

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6294

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13077

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13227

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13230

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17806

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18155

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18156

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18157

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18158

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18159

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3569

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5829

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5830

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5831

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5834

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5835

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5854

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5884

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5885

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5891

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5892

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5894

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5896

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9338

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9339

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9340

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9341

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9344

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9345

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9346

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9347

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9348

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9355

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9356

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9357

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9358

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9359

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9360

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9361

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9362

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9363

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9364

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9366

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9367

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9368

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9369

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9370

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9371

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9372

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9373

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9409