Another month is here and Android finds itself with a mixture of Critical and High vulnerabilities.
The latest Android Security Bulletin brings us yet another mixture of vulnerabilities marked Critical and High. This time around the System was the biggest winner, with sixteen issues marked High. If you are security-minded, you will certainly want to know what's happening to the Android platform and what is in the March Security Bulletin.
Before we dive into what’s included with this month’s Android Security Bulletin, it’s always good to know what security release is installed on your device. As I’ve been testing the waters of the Android Q Beta (not recommended to be used by the general public), it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (March 5, 2018).
To find out what patch level you are running, open Settings and go to About Phone. If you use Android Pie, that location changed to Settings | Security & Location | Security update. Scroll down and tap the version of Android found on your device. The resulting window (Figure A) will reveal your security patch level.
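The same check can be scripted for several devices. The following is an added example, not part of the original article: it classifies a patch-level string against the two levels in this bulletin (2019-03-01 and 2019-03-05), relying on the Android convention that a later patch level includes the fixes of earlier ones. The function names are this example's own, and `device_patch_level` assumes `adb` is installed and a device is authorized.

```shell
#!/bin/sh
# Added example: compare a security patch level with the March 2019 bulletin.

# Validate a YYYY-MM-DD string and print it as a comparable integer YYYYMMDD.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | tr -d '-'
}

# Print which of the bulletin's two patch levels the given string covers.
classify_patch_level() {
    level=$(patch_to_int "$1") || { echo "invalid"; return 0; }
    if [ "$level" -ge 20190305 ]; then
        echo "covers-2019-03-05"        # fixes from both sections present
    elif [ "$level" -ge 20190301 ]; then
        echo "covers-2019-03-01-only"   # 03/05 section fixes still missing
    else
        echo "missing-march-2019"       # none of this bulletin's fixes
    fi
}

# Read the patch level from a connected device (assumes adb is available).
# Windows hosts may append a carriage return, so strip it.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed sample values; replace with "$(device_patch_level)" on a real host.
for sample in 2019-03-05 2019-03-01 2019-02-05 "March 5, 2019"; do
    printf '%s -> %s\n' "$sample" "$(classify_patch_level "$sample")"
done
```

A device that reports 2019-03-01 has the Framework, Media Framework and System fixes listed under the first patch level, but not the kernel and Qualcomm fixes listed under the second.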

You will find different types of vulnerabilities listed. Possible types include:
- RCE—Remote code execution
- EoP—Elevation of privilege
- ID—Information disclosure
- DoS—Denial of service
And now, onto the issues.
03/01/2019 Security Patch Level
Critical Issues
There are only three critical issues found in this month’s bulletin. The first two were found in the Media Framework, and are marked Critical because they could enable a remote attacker, using a malicious file, to launch arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-1989 A-118399205 RCE
- CVE-2019-1990 A-118453553 RCE
The only other Critical issue for the 03/01 security patch level was found in the System. This flaw was marked critical because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:
- CVE-2019-2009 A-120665616 RCE
High Issues
We go back to the Framework for four issues marked High. These vulnerabilities were marked as such because they could enable a locally installed malicious application to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2018-20346 A-121156452 EoP
- CVE-2019-1985 A-118694079* EoP
- CVE-2019-2003 A-116321860 EoP
- CVE-2019-2004 A-115739809 ID
Next, we find three High issues found in the Media Framework. These vulnerabilities are marked as such because they could enable a remote attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-2006 A-116665972 EoP
- CVE-2019-2007 A-120789744 EoP
- CVE-2019-2008 A-122309228 EoP
The System was hit pretty hard this month, with a total of sixteen vulnerabilities marked High. These issues were listed as such because they could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-2010 A-118152591 EoP
- CVE-2019-2011 A-120084106 EoP
- CVE-2019-2012 A-120497437 EoP
- CVE-2019-2013 A-120497583 EoP
- CVE-2019-2014 A-120499324 EoP
- CVE-2019-2015 A-120503926 EoP
- CVE-2019-2016 A-120664978 EoP
- CVE-2019-2017 A-121035711 EoP
- CVE-2019-2018 A-110172241 EoP
- CVE-2018-9561 A-111660010 ID
- CVE-2018-9563 A-114237888 ID
- CVE-2018-9564 A-114238578 ID
- CVE-2019-2019 A-115635871 ID
- CVE-2019-2020 A-116788646 ID
- CVE-2019-2021 A-120428041 ID
- CVE-2019-2022 A-120506143 ID
03/05/2019 Security Patch Level
Critical Issues
There were only four issues marked Critical in this patch level. All four issues were found in Qualcomm open-sourced components. Details for these issues can be found in the Qualcomm Security Bulletin. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:
- CVE-2017-8252 A-112277630 QC-CR#2106159 EcoSystem
- CVE-2017-8252 A-114041175 QC-CR#2128529 EcoSystem
- CVE-2018-11817 A-114041192 QC-CR#2241830 DSP_Services
- CVE-2018-11817 A-114041747 QC-CR#2166542 DSP_Services
High Issues
This patch level had only six issues marked High. The first vulnerability, marked High, was found in the System, and was marked as such because it could enable a locally installed malicious application to execute arbitrary code within the context of a privileged application. The related bug (listed by CVE, Reference, and Type) is:
- CVE-2019-2023 A-121035042 EoP
Next, we find three issues marked High in various Kernel components. These vulnerabilities were marked as such because they could enable a local attacker, using a malicious file, to execute arbitrary code within the context of a privileged process. The related bugs (listed by CVE, Reference, Type, and Component) are:
- CVE-2018-10883 A-117311198 EoP ext4 filesystem
- CVE-2019-2024 A-111761954 EoP em28xx driver
- CVE-2019-2025 A-116855682 EoP Binder driver
Finally, there were two issues, marked High, found in the Qualcomm open-sourced components. Details for these issues can be found in the Qualcomm Security Bulletin. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:
- CVE-2018-13899 A-119053086 QC-CR#2295915 Video
- CVE-2018-13917 A-120487091 QC-CR#2251019 WIN NSS Host
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates but that you apply them as soon as they become available.