Details of VAR-201809-0886

ID

VAR-201809-0886

CVE

CVE-2018-11277

TITLE

plural Snapdragon Vulnerabilities related to authorization, authority, and access control in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-010806

DESCRIPTION

In Snapdragon (Automobile, Mobile, Wear) in version MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, the com.qualcomm.embms is a vendor package deployed in the system image which has an inadequate permission level and allows any application installed from Play Store to request this permission at install-time. The system application interfaces with the Radio Interface Layer leading to potential access control issue. Snapdragon (Automobile , Mobile , Wear) Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MSM8909W, etc. are the central processing unit (CPU) products of Qualcomm (Qualcomm) for different platforms. Permissions and access control vulnerabilities exist in Telephony in several Qualcomm Snapdragon products. The vulnerability stems from the fact that com.qualcomm.embms is deployed in a system image with improper permissions and allows any installed application from the Play Store to request permissions. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements

Trust: 1.71

sources: NVD: CVE-2018-11277 // JVNDB: JVNDB-2018-010806 // VULHUB: VHN-121120

AFFECTED PRODUCTS

vendor:	qualcomm	model:	sd810	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sda660	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd650	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd625	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd820a	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd652	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd617	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd845	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd820	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd835	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	msm8996au	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd616	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd205	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	msm8909w	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd415	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd210	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd450	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd615	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd212	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	sd430	scope:	eq	version:	-	Trust: 1.0
vendor:	qualcomm	model:	msm8909w	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	msm8996au	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 205	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 210	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 212	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 415	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 430	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 450	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 615	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 616	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 617	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 625	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 650	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 652	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 810	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 820	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 820a	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 835	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sda 660	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2018-010806 // CNNVD: CNNVD-201809-968 // NVD: CVE-2018-11277

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-11277
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-11277
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201809-968
value:	HIGH
Trust: 0.6
VULHUB:	VHN-121120
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-11277
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-121120
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-11277
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-121120 // JVNDB: JVNDB-2018-010806 // CNNVD: CNNVD-201809-968 // NVD: CVE-2018-11277

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.1
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-121120 // JVNDB: JVNDB-2018-010806 // NVD: CVE-2018-11277

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201809-968

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201809-968

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010806

PATCH

title:	September 2018 Qualcomm Technologies, Inc. Security Bulletin	url:	https://www.qualcomm.com/company/product-security/bulletins	Trust: 0.8
title:	Multiple Qualcomm Snapdragon Product Privilege License and Access Control Vulnerability Fixes	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85081	Trust: 0.6

sources: JVNDB: JVNDB-2018-010806 // CNNVD: CNNVD-201809-968

EXTERNAL IDS

db:	NVD	id:	CVE-2018-11277	Trust: 2.5
db:	JVNDB	id:	JVNDB-2018-010806	Trust: 0.8
db:	CNNVD	id:	CNNVD-201809-968	Trust: 0.7
db:	VULHUB	id:	VHN-121120	Trust: 0.1

sources: VULHUB: VHN-121120 // JVNDB: JVNDB-2018-010806 // CNNVD: CNNVD-201809-968 // NVD: CVE-2018-11277

REFERENCES

url:	https://www.qualcomm.com/company/product-security/bulletins	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11277	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-11277	Trust: 0.8

sources: VULHUB: VHN-121120 // JVNDB: JVNDB-2018-010806 // CNNVD: CNNVD-201809-968 // NVD: CVE-2018-11277

SOURCES

db:	VULHUB	id:	VHN-121120
db:	JVNDB	id:	JVNDB-2018-010806
db:	CNNVD	id:	CNNVD-201809-968
db:	NVD	id:	CVE-2018-11277

LAST UPDATE DATE

2024-11-23T22:30:17.496000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-121120	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-010806	date:	2018-12-25T00:00:00
db:	CNNVD	id:	CNNVD-201809-968	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-11277	date:	2024-11-21T03:43:02.667

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-121120	date:	2018-09-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-010806	date:	2018-12-25T00:00:00
db:	CNNVD	id:	CNNVD-201809-968	date:	2018-09-21T00:00:00
db:	NVD	id:	CVE-2018-11277	date:	2018-09-20T13:29:01.167