Multiple vulnerabilities in Google Android



Published: 2018-08-08
Risk High
Patch available YES
Number of vulnerabilities 43
CVE-ID CVE-2017-13077
CVE-2017-18249
CVE-2017-18280
CVE-2017-18281
CVE-2017-18282
CVE-2017-18283
CVE-2017-18292
CVE-2017-18293
CVE-2017-18294
CVE-2017-18295
CVE-2017-18296
CVE-2017-18297
CVE-2017-18298
CVE-2017-18299
CVE-2017-18300
CVE-2017-18301
CVE-2017-18302
CVE-2017-18303
CVE-2017-18304
CVE-2017-18305
CVE-2017-18308
CVE-2017-18309
CVE-2017-18310
CVE-2018-11258
CVE-2018-11260
CVE-2018-11305
CVE-2018-5383
CVE-2018-9427
CVE-2018-9436
CVE-2018-9437
CVE-2018-9438
CVE-2018-9444
CVE-2018-9445
CVE-2018-9446
CVE-2018-9448
CVE-2018-9450
CVE-2018-9451
CVE-2018-9453
CVE-2018-9454
CVE-2018-9455
CVE-2018-9458
CVE-2018-9459
CVE-2018-9465
CWE-ID CWE-320
CWE-362
CWE-264
CWE-200
CWE-20
CWE-300
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #33 is available.
Vulnerable software
Subscribe
Google Android
Operating systems & Components / Operating system

Vendor Google

Security Bulletin

This security bulletin contains information about 43 vulnerabilities.

1) Key management errors

EUVDB-ID: #VU8837

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2017-13077

CWE-ID: CWE-320 - Key Management Errors

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used pairwise key.

The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.

Vulnerable software versions

Google Android: All versions

External links

http://www.krackattacks.com/
http://papers.mathyvanhoef.com/ccs2017.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Race condition

EUVDB-ID: #VU11297

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18249

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in the add_free_nid function due to race condition. A local attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update to version 4.12.

Vulnerable software versions

Google Android: All versions

External links

http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30a61ddf8117c26ac5b295...


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Privilege escalation

EUVDB-ID: #VU14248

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18280

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU14243

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18281

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the Qualcomm component. A remote attacker can bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Privilege escalation

EUVDB-ID: #VU14249

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18282

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Privilege escalation

EUVDB-ID: #VU14250

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18283

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Privilege escalation

EUVDB-ID: #VU14251

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18292

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Privilege escalation

EUVDB-ID: #VU14252

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18293

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Privilege escalation

EUVDB-ID: #VU14253

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18294

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Privilege escalation

EUVDB-ID: #VU14247

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18295

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU14244

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18296

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Privilege escalation

EUVDB-ID: #VU14254

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18297

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Privilege escalation

EUVDB-ID: #VU14255

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18298

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Privilege escalation

EUVDB-ID: #VU14256

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18299

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Privilege escalation

EUVDB-ID: #VU14257

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18300

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Privilege escalation

EUVDB-ID: #VU14258

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18301

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Privilege escalation

EUVDB-ID: #VU14259

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18302

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Privilege escalation

EUVDB-ID: #VU14260

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18303

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Privilege escalation

EUVDB-ID: #VU14261

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18304

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU14245

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18305

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Privilege escalation

EUVDB-ID: #VU14262

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18308

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Privilege escalation

EUVDB-ID: #VU14263

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18309

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper input validation

EUVDB-ID: #VU14246

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-18310

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Privilege escalation

EUVDB-ID: #VU14264

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11258

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Privilege escalation

EUVDB-ID: #VU14242

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11260

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the Qualcomm component. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Privilege escalation

EUVDB-ID: #VU14265

Risk: Low

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11305

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists due to a flaw in the Qualcomm closed-source components. A remote attacker can bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: All versions

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Man-in-the-middle attack

EUVDB-ID: #VU13985

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-5383

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to conduct man-in-the-middle attack on the target system.

The weakness exists in the Bluetooth Low Energy (BLE) implementation of Secure Connections mode insufficient validation of elliptic curve parameters that are used to generate public keys during a Diffie-Hellman key exchange when the affected software performs device pairing operations. An adjacent attacker can intercept the public key exchange between the two targeted systems, inject a malicious public key to aid in determining the session key,  access sensitive information or forge and modify messages, which could be used to inject malicious software on the targeted system. 

Mitigation

Update to version 10.13.6.

Vulnerable software versions

Google Android: All versions

External links

http://support.apple.com/en-us/HT208937


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper input validation

EUVDB-ID: #VU14239

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9427

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Information disclosure

EUVDB-ID: #VU14232

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9436

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper input validation

EUVDB-ID: #VU14240

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9437

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 6.0.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Improper input validation

EUVDB-ID: #VU14226

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9438

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper input validation

EUVDB-ID: #VU14241

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9444

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a flaw in the Media framework. A remote attacker can supply specially crafted input, trick the victim into loading, bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 7.1.2

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Privilege escalation

EUVDB-ID: #VU14228

Risk: Low

CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-9445

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Privilege escalation

EUVDB-ID: #VU14237

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9446

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Information disclosure

EUVDB-ID: #VU14233

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9448

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Privilege escalation

EUVDB-ID: #VU14236

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9450

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Information disclosure

EUVDB-ID: #VU14229

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9451

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Information disclosure

EUVDB-ID: #VU14230

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9453

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Information disclosure

EUVDB-ID: #VU14231

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9454

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and access arbitrary data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Improper input validation

EUVDB-ID: #VU14234

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9455

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Privilege escalation

EUVDB-ID: #VU14227

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9458

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the Framework component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 8.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Privilege escalation

EUVDB-ID: #VU14235

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9459

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and gain elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Privilege escalation

EUVDB-ID: #VU14238

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9465

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to flaws in the System component. A local attacker can run a specially crafted application to bypass user interaction requirements and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Android: 6.0 - 8.1

External links

http://source.android.com/security/bulletin/2018-08-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###