Sign-up

ID

VAR-201804-0531


CVE

CVE-2017-18125


TITLE

plural Qualcomm Run on product Android Session fixation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-003991

DESCRIPTION

In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850, when secure camera is activated it stores captured data in protected buffers. The TEE application which uses secure camera expects those buffers to contain data captured during the current camera session. It is possible though for HLOS to put aside and reuse one or more of the protected buffers with previously captured data during next camera session. Such data reuse must be prevented as the TEE applications expects to receive valid data captured during the current session only. plural Qualcomm Run on product Android Contains a session fixation vulnerability.Information may be tampered with. Google Android is prone to multiple unspecified security vulnerabilities. Little is known about these issues or its effects at this time. We will update this BID as more information emerges. Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Alliance (OHA). Qualcomm MDM9206, etc. are the central processing unit (CPU) products of Qualcomm (Qualcomm) applied to different platforms. A security vulnerability exists in Qualcomm closed-source components in Android versions prior to 2018-04-05. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. The following products (for phones and watches) are affected: Qualcomm MDM9206; Qualcomm MDM9607; Qualcomm MDM9650; Qualcomm SD 210; Qualcomm SD 212; Qualcomm SD 205; Qualcomm SD 835; Qualcomm SD 845; Qualcomm SD 850

Trust: 2.07

sources: NVD: CVE-2017-18125 // JVNDB: JVNDB-2018-003991 // BID: 103671 // VULHUB: VHN-109216 // VULMON: CVE-2017-18125

AFFECTED PRODUCTS

vendor:qualcommmodel:sd 212scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 210scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 205scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 835scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 845scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9650scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9206scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9607scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 850scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9206scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9607scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9650scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 205scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 210scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 212scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 835scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 845scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 850scope: - version: -

Trust: 0.8

vendor:googlemodel:pixel xlscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel cscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel xlscope:eqversion:20

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:20

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:9

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:7

Trust: 0.3

vendor:googlemodel:nexus 6pscope: - version: -

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:6

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5x

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:4

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:10

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:0

Trust: 0.3

sources: BID: 103671 // JVNDB: JVNDB-2018-003991 // CNNVD: CNNVD-201804-557 // NVD: CVE-2017-18125

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-18125
value: HIGH

Trust: 1.0

NVD: CVE-2017-18125
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-557
value: MEDIUM

Trust: 0.6

VULHUB: VHN-109216
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-18125
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-18125
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-109216
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-18125
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-109216 // VULMON: CVE-2017-18125 // JVNDB: JVNDB-2018-003991 // CNNVD: CNNVD-201804-557 // NVD: CVE-2017-18125

PROBLEMTYPE DATA

problemtype:CWE-384

Trust: 1.9

sources: VULHUB: VHN-109216 // JVNDB: JVNDB-2018-003991 // NVD: CVE-2017-18125

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-557

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201804-557

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003991

PATCH
title:Android のセキュリティに関する公開情報 - 2018 年 4 月url:https://source.android.com/security/bulletin/2018-04-01
Trust: 0.8
title:Android Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83319
Trust: 0.6
title:Android Security Bulletins: Android Security Bulletin—April 2018url:https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=068d787c35ce8cea494780f9a47b5827
Trust: 0.1
title:SamsungReleaseNotesurl:https://github.com/samreleasenotes/SamsungReleaseNotes 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2017-18125 // 
            
            
            
            JVNDB: JVNDB-2018-003991 // 
            
            
            
            CNNVD: CNNVD-201804-557

EXTERNAL IDS
db:NVDid:CVE-2017-18125
Trust: 2.9
db:BIDid:103671
Trust: 1.5
db:JVNDBid:JVNDB-2018-003991
Trust: 0.8
db:CNNVDid:CNNVD-201804-557
Trust: 0.7
db:VULHUBid:VHN-109216
Trust: 0.1
db:VULMONid:CVE-2017-18125
Trust: 0.1
sources:
            
            
            VULHUB: VHN-109216 // 
            
            
            
            VULMON: CVE-2017-18125 // 
            
            
            
            BID: 103671 // 
            
            
            
            JVNDB: JVNDB-2018-003991 // 
            
            
            
            CNNVD: CNNVD-201804-557 // 
            
            
            
            NVD: CVE-2017-18125

REFERENCES
url:https://source.android.com/security/bulletin/2018-04-01
Trust: 2.1
url:http://www.securityfocus.com/bid/103671
Trust: 1.3
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18125
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-18125
Trust: 0.8
url:http://code.google.com/android/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/384.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://source.android.com/security/bulletin/2018-04-01.html
Trust: 0.1
url:https://github.com/samreleasenotes/samsungreleasenotes
Trust: 0.1
sources:
            
            
            VULHUB: VHN-109216 // 
            
            
            
            VULMON: CVE-2017-18125 // 
            
            
            
            BID: 103671 // 
            
            
            
            JVNDB: JVNDB-2018-003991 // 
            
            
            
            CNNVD: CNNVD-201804-557 // 
            
            
            
            NVD: CVE-2017-18125

CREDITS
The vendor reported these issues.
Trust: 0.3
sources:
            
            
            BID: 103671

SOURCES
db:VULHUBid:VHN-109216
db:VULMONid:CVE-2017-18125
db:BIDid:103671
db:JVNDBid:JVNDB-2018-003991
db:CNNVDid:CNNVD-201804-557
db:NVDid:CVE-2017-18125

LAST UPDATE DATE
2024-11-23T21:39:09.931000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-109216date:2018-05-14T00:00:00
db:VULMONid:CVE-2017-18125date:2018-05-14T00:00:00
db:BIDid:103671date:2018-04-05T00:00:00
db:JVNDBid:JVNDB-2018-003991date:2018-06-08T00:00:00
db:CNNVDid:CNNVD-201804-557date:2018-05-31T00:00:00
db:NVDid:CVE-2017-18125date:2024-11-21T03:19:24.140

SOURCES RELEASE DATE
db:VULHUBid:VHN-109216date:2018-04-11T00:00:00
db:VULMONid:CVE-2017-18125date:2018-04-11T00:00:00
db:BIDid:103671date:2018-04-05T00:00:00
db:JVNDBid:JVNDB-2018-003991date:2018-06-08T00:00:00
db:CNNVDid:CNNVD-201804-557date:2018-04-12T00:00:00
db:NVDid:CVE-2017-18125date:2018-04-11T15:29:00.507