ID

VAR-201810-0036


CVE

CVE-2017-18313


TITLE

Snapdragon Mobile and Snapdragon Wear access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-014329

DESCRIPTION

Under certain modes of operation, HLOS may be able to get direct or indirect access through DXE channels to tamper with the authenticated WCNSS firmware stored in DDR, because DXE-accessible memory is located within the authenticated image in Snapdragon Mobile and Snapdragon Wear in version MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 617. Snapdragon Mobile and Snapdragon Wear contain an access control vulnerability. Information may be tampered with. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-68326803, A-62213176, A-73539234, A-72950814, A-77484228, A-111090697, A-68326811, A-78240387, A-78239234, A-68326819, A-71501117, A-72950958, A-74236425, A-77484229, A-79419793, A-109677940, A-109677982, A-109677964, A-109678202, A-109678380, A-111091377, A-111090533, A-111093202, A-111090698, A-111093021, and A-111093167. Qualcomm MSM8909W, etc. are central processing unit (CPU) products from Qualcomm for different platforms. Attackers can exploit this vulnerability to tamper with authenticated WCNSS firmware stored in DDR. The following products (mobile devices and watches) are affected: Qualcomm MSM8909W; SD 210; SD 212; SD 205; SD 410/12; SD 615/16; SD 415; SD 617.

Trust: 2.07

sources: NVD: CVE-2017-18313 // JVNDB: JVNDB-2017-014329 // BID: 106494 // VULHUB: VHN-109423 // VULMON: CVE-2017-18313

AFFECTED PRODUCTS

vendor: qualcomm | model: sd 205 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 212 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 210 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: msm8909w | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 615 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 412 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 616 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 410 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 617 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: sd 415 | scope: eq | version: -

Trust: 1.6

vendor: qualcomm | model: msm8909w | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 205 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 210 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 212 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 410 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 412 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 415 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 615 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 616 | scope: - | version: -

Trust: 0.8

vendor: qualcomm | model: sd 617 | scope: - | version: -

Trust: 0.8

vendor: google | model: pixel xl | scope: eq | version: 0

Trust: 0.3

vendor: google | model: pixel c | scope: eq | version: 0

Trust: 0.3

vendor: google | model: pixel | scope: eq | version: 0

Trust: 0.3

vendor: google | model: nexus player | scope: eq | version: 0

Trust: 0.3

vendor: google | model: nexus | scope: eq | version: 9

Trust: 0.3

vendor: google | model: nexus 6p | scope: - | version: -

Trust: 0.3

vendor: google | model: nexus | scope: eq | version: 6

Trust: 0.3

vendor: google | model: nexus | scope: eq | version: 5x

Trust: 0.3

vendor: google | model: android | scope: eq | version: 0

Trust: 0.3

sources: BID: 106494 // JVNDB: JVNDB-2017-014329 // CNNVD: CNNVD-201810-1166 // NVD: CVE-2017-18313

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-18313
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-18313
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201810-1166
value: MEDIUM

Trust: 0.6

VULHUB: VHN-109423
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-18313
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-18313
severity: MEDIUM
baseScore: 5.7
vectorString: AV:A/AC:M/AU:N/C:N/I:C/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-109423
severity: MEDIUM
baseScore: 5.7
vectorString: AV:A/AC:M/AU:N/C:N/I:C/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 5.5
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-18313
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.6
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-109423 // VULMON: CVE-2017-18313 // JVNDB: JVNDB-2017-014329 // CNNVD: CNNVD-201810-1166 // NVD: CVE-2017-18313

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-109423 // JVNDB: JVNDB-2017-014329 // NVD: CVE-2017-18313

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1166

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201810-1166

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014329

PATCH

title: October 2018 Qualcomm Technologies, Inc. Security Bulletin | url: https://www.qualcomm.com/company/product-security/bulletins

Trust: 0.8

title: Multiple Qualcomm Snapdragon Product access control error vulnerability fixes | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86264

Trust: 0.6

title: Android Security Bulletins: Android Security Bulletin—September 2018 | url: https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=25cebb27b25b2e242f56769472d26cc5

Trust: 0.1

title: SamsungReleaseNotes | url: https://github.com/samreleasenotes/SamsungReleaseNotes

Trust: 0.1

sources: VULMON: CVE-2017-18313 // JVNDB: JVNDB-2017-014329 // CNNVD: CNNVD-201810-1166

EXTERNAL IDS

db: NVD | id: CVE-2017-18313

Trust: 2.9

db: JVNDB | id: JVNDB-2017-014329

Trust: 0.8

db: CNNVD | id: CNNVD-201810-1166

Trust: 0.7

db: BID | id: 106494

Trust: 0.3

db: VULHUB | id: VHN-109423

Trust: 0.1

db: VULMON | id: CVE-2017-18313

Trust: 0.1

sources: VULHUB: VHN-109423 // VULMON: CVE-2017-18313 // BID: 106494 // JVNDB: JVNDB-2017-014329 // CNNVD: CNNVD-201810-1166 // NVD: CVE-2017-18313

REFERENCES

url:https://source.android.com/security/bulletin/2018-09-01#qualcomm-closed-source-components

Trust: 1.8

url:https://www.qualcomm.com/company/product-security/bulletins

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18313

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-18313

Trust: 0.8

url:https://source.android.com/security/bulletin/2018-09-01.html

Trust: 0.4

url:http://code.google.com/android/

Trust: 0.3

url:http://www.qualcomm.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/samreleasenotes/samsungreleasenotes

Trust: 0.1

sources: VULHUB: VHN-109423 // VULMON: CVE-2017-18313 // BID: 106494 // JVNDB: JVNDB-2017-014329 // CNNVD: CNNVD-201810-1166 // NVD: CVE-2017-18313

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 106494

SOURCES

db: VULHUB | id: VHN-109423
db: VULMON | id: CVE-2017-18313
db: BID | id: 106494
db: JVNDB | id: JVNDB-2017-014329
db: CNNVD | id: CNNVD-201810-1166
db: NVD | id: CVE-2017-18313

LAST UPDATE DATE

2024-11-23T21:52:46.257000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-109423 | date: 2019-10-03T00:00:00
db: VULMON | id: CVE-2017-18313 | date: 2019-10-03T00:00:00
db: BID | id: 106494 | date: 2018-09-04T00:00:00
db: JVNDB | id: JVNDB-2017-014329 | date: 2019-02-01T00:00:00
db: CNNVD | id: CNNVD-201810-1166 | date: 2019-10-23T00:00:00
db: NVD | id: CVE-2017-18313 | date: 2024-11-21T03:19:50.010

SOURCES RELEASE DATE

db: VULHUB | id: VHN-109423 | date: 2018-10-23T00:00:00
db: VULMON | id: CVE-2017-18313 | date: 2018-10-23T00:00:00
db: BID | id: 106494 | date: 2018-09-04T00:00:00
db: JVNDB | id: JVNDB-2017-014329 | date: 2019-02-01T00:00:00
db: CNNVD | id: CNNVD-201810-1166 | date: 2018-10-24T00:00:00
db: NVD | id: CVE-2017-18313 | date: 2018-10-23T13:29:02.837