Main Vulnerability Database Vulnerabilities #VU36364

Incorrect permission assignment for critical resource in Google Android - CVE-2018-11908

Published: November 27, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36364

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-11908

CWE-ID: CWE-732

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a local authenticated user to execute arbitrary code.

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper access control can lead to device node and executable to be run from /data/ which presents a potential issue.

How to mitigate CVE-2018-11908

Install update from vendor's website.

Sources

https://source.codeaurora.org/quic/le/meta-qti-bsp/commit/?id=ecd2fb4ab9e2a6851add554af03cebe337345c44
https://www.codeaurora.org/security-bulletin/2018/11/05/november-2018-code-aurora-forum-security-bulletin

Incorrect permission assignment for critical resource in Google Android - CVE-2018-11908

Detailed vulnerability description

How to mitigate CVE-2018-11908

Sources

Please verify you're human