Main Vulnerability Database Vulnerabilities #VU36363

Incorrect permission assignment for critical resource in Google Android - CVE-2018-11907

Published: November 27, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36363

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11907

CWE-ID: CWE-732

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /firmware/ which presents a potential issue.

How to mitigate CVE-2018-11907

Install update from vendor's website.

Sources

https://source.codeaurora.org/quic/le/meta-qti-bsp/commit/?id=ecd2fb4ab9e2a6851add554af03cebe337345c44
https://www.codeaurora.org/security-bulletin/2018/11/05/november-2018-code-aurora-forum-security-bulletin

Incorrect permission assignment for critical resource in Google Android - CVE-2018-11907

Detailed vulnerability description

How to mitigate CVE-2018-11907

Sources

Please verify you're human