Details of VAR-201810-0549

ID

VAR-201810-0549

CVE

CVE-2018-11846

TITLE

Snapdragon Mobile Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2018-011616

DESCRIPTION

The use of a non-time-constant memory comparison operation can lead to timing/side channel attacks in Snapdragon Mobile in version SD 210/SD 212/SD 205, SD 845, SD 850. Snapdragon Mobile Contains an information disclosure vulnerability.Information may be obtained. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-68326803, A-62213176, A-73539234, A-72950814, A-77484228, A-111090697, A-68326811, A-78240387, A-78239234, A-68326819, A-71501117, A-72950958, A-74236425, A-77484229, A-79419793, A-109677940, A-109677982, A-109677964, A-109678202, A-109678380, A-111091377, A-111090533, A-111093202, A-111090698, A-111093021, and A-111093167. Qualcomm SD 210 and others are central processing unit (CPU) products of Qualcomm (Qualcomm) for mobile devices. Security flaws exist in several Qualcomm Snapdragon products. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. The following products (for mobile devices) are affected: Qualcomm SD 210; SD 212; SD 205; SD 845; SD 850

Trust: 2.07

sources: NVD: CVE-2018-11846 // JVNDB: JVNDB-2018-011616 // BID: 106494 // VULHUB: VHN-121746 // VULMON: CVE-2018-11846

AFFECTED PRODUCTS

vendor:	qualcomm	model:	sd 212	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd 205	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd 210	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd 845	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd 850	scope:	eq	version:	-	Trust: 1.6
vendor:	qualcomm	model:	sd 205	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 210	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 212	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 845	scope:	-	version:	-	Trust: 0.8
vendor:	qualcomm	model:	sd 850	scope:	-	version:	-	Trust: 0.8
vendor:	google	model:	pixel xl	scope:	eq	version:	0	Trust: 0.3
vendor:	google	model:	pixel c	scope:	eq	version:	0	Trust: 0.3
vendor:	google	model:	pixel	scope:	eq	version:	0	Trust: 0.3
vendor:	google	model:	nexus player	scope:	eq	version:	0	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	9	Trust: 0.3
vendor:	google	model:	nexus 6p	scope:	-	version:	-	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	6	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5x	Trust: 0.3
vendor:	google	model:	android	scope:	eq	version:	0	Trust: 0.3

sources: BID: 106494 // JVNDB: JVNDB-2018-011616 // CNNVD: CNNVD-201810-1288 // NVD: CVE-2018-11846

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-11846
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-11846
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201810-1288
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-121746
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2018-11846
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-11846
severity:	MEDIUM
baseScore:	4.7
vectorString:	AV:L/AC:M/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-121746
severity:	MEDIUM
baseScore:	4.7
vectorString:	AV:L/AC:M/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-11846
baseSeverity:	MEDIUM
baseScore:	4.7
vectorString:	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.0
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-121746 // VULMON: CVE-2018-11846 // JVNDB: JVNDB-2018-011616 // CNNVD: CNNVD-201810-1288 // NVD: CVE-2018-11846

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-121746 // JVNDB: JVNDB-2018-011616 // NVD: CVE-2018-11846

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1288

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201810-1288

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011616

PATCH

title:	October 2018 Qualcomm Technologies, Inc. Security Bulletin	url:	https://www.qualcomm.com/company/product-security/bulletins	Trust: 0.8
title:	Multiple Qualcomm Snapdragon Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86359	Trust: 0.6
title:	Android Security Bulletins: Android Security Bulletin—September 2018	url:	https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=25cebb27b25b2e242f56769472d26cc5	Trust: 0.1
title:	SamsungReleaseNotes	url:	https://github.com/samreleasenotes/SamsungReleaseNotes	Trust: 0.1

sources: VULMON: CVE-2018-11846 // JVNDB: JVNDB-2018-011616 // CNNVD: CNNVD-201810-1288

EXTERNAL IDS

db:	NVD	id:	CVE-2018-11846	Trust: 2.9
db:	JVNDB	id:	JVNDB-2018-011616	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-1288	Trust: 0.7
db:	BID	id:	106494	Trust: 0.3
db:	VULHUB	id:	VHN-121746	Trust: 0.1
db:	VULMON	id:	CVE-2018-11846	Trust: 0.1

sources: VULHUB: VHN-121746 // VULMON: CVE-2018-11846 // BID: 106494 // JVNDB: JVNDB-2018-011616 // CNNVD: CNNVD-201810-1288 // NVD: CVE-2018-11846

REFERENCES

url:	https://www.qualcomm.com/company/product-security/bulletins	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11846	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-11846	Trust: 0.8
url:	https://source.android.com/security/bulletin/2018-09-01.html	Trust: 0.4
url:	http://code.google.com/android/	Trust: 0.3
url:	http://www.qualcomm.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/samreleasenotes/samsungreleasenotes	Trust: 0.1

sources: VULHUB: VHN-121746 // VULMON: CVE-2018-11846 // BID: 106494 // JVNDB: JVNDB-2018-011616 // CNNVD: CNNVD-201810-1288 // NVD: CVE-2018-11846

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 106494

SOURCES

db:	VULHUB	id:	VHN-121746
db:	VULMON	id:	CVE-2018-11846
db:	BID	id:	106494
db:	JVNDB	id:	JVNDB-2018-011616
db:	CNNVD	id:	CNNVD-201810-1288
db:	NVD	id:	CVE-2018-11846

LAST UPDATE DATE

2024-08-14T13:27:31.567000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-121746	date:	2018-12-10T00:00:00
db:	VULMON	id:	CVE-2018-11846	date:	2018-12-10T00:00:00
db:	BID	id:	106494	date:	2018-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-011616	date:	2019-01-17T00:00:00
db:	CNNVD	id:	CNNVD-201810-1288	date:	2018-10-29T00:00:00
db:	NVD	id:	CVE-2018-11846	date:	2018-12-10T19:10:06.257

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-121746	date:	2018-10-26T00:00:00
db:	VULMON	id:	CVE-2018-11846	date:	2018-10-26T00:00:00
db:	BID	id:	106494	date:	2018-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-011616	date:	2019-01-17T00:00:00
db:	CNNVD	id:	CNNVD-201810-1288	date:	2018-10-29T00:00:00
db:	NVD	id:	CVE-2018-11846	date:	2018-10-26T13:29:01.200