Sign-up

ID

VAR-201810-0551


CVE

CVE-2018-11951


TITLE

Snapdragon Mobile Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-011453

DESCRIPTION

Improper access control in core module lead XBL_LOADER performs the ZI region clear for QTEE instead of XBL_SEC in Snapdragon Mobile in version SD 845, SD 850. Snapdragon Mobile Contains an access control vulnerability.Information may be tampered with. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-68326803, A-62213176, A-73539234, A-72950814, A-77484228, A-111090697, A-68326811, A-78240387, A-78239234, A-68326819, A-71501117, A-72950958, A-74236425, A-77484229, A-79419793, A-109677940, A-109677982, A-109677964, A-109678202, A-109678380, A-111091377, A-111090533, A-111093202, A-111090698, A-111093021, and A-111093167. Both Qualcomm SD 845 and SD 850 are central processing unit (CPU) products of Qualcomm (Qualcomm). Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements

Trust: 2.07

sources: NVD: CVE-2018-11951 // JVNDB: JVNDB-2018-011453 // BID: 106494 // VULHUB: VHN-121862 // VULMON: CVE-2018-11951

AFFECTED PRODUCTS

vendor:qualcommmodel:sd 845scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 850scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 845scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 850scope: - version: -

Trust: 0.8

vendor:googlemodel:pixel xlscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel cscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexus playerscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:9

Trust: 0.3

vendor:googlemodel:nexus 6pscope: - version: -

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:6

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5x

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:0

Trust: 0.3

sources: BID: 106494 // JVNDB: JVNDB-2018-011453 // CNNVD: CNNVD-201810-1294 // NVD: CVE-2018-11951

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-11951
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-11951
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201810-1294
value: MEDIUM

Trust: 0.6

VULHUB: VHN-121862
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-11951
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-11951
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-121862
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-11951
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-121862 // VULMON: CVE-2018-11951 // JVNDB: JVNDB-2018-011453 // CNNVD: CNNVD-201810-1294 // NVD: CVE-2018-11951

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-121862 // JVNDB: JVNDB-2018-011453 // NVD: CVE-2018-11951

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1294

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201810-1294

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-011453

PATCH
title:October 2018 Qualcomm Technologies, Inc. Security Bulletinurl:https://www.qualcomm.com/company/product-security/bulletins
Trust: 0.8
title:Qualcomm SD 845  and SD 850 Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86365
Trust: 0.6
title:Android Security Bulletins: Android Security Bulletin—September 2018url:https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=25cebb27b25b2e242f56769472d26cc5
Trust: 0.1
title:SamsungReleaseNotesurl:https://github.com/samreleasenotes/SamsungReleaseNotes 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-11951 // 
            
            
            
            JVNDB: JVNDB-2018-011453 // 
            
            
            
            CNNVD: CNNVD-201810-1294

EXTERNAL IDS
db:NVDid:CVE-2018-11951
Trust: 2.9
db:JVNDBid:JVNDB-2018-011453
Trust: 0.8
db:CNNVDid:CNNVD-201810-1294
Trust: 0.7
db:BIDid:106494
Trust: 0.3
db:VULHUBid:VHN-121862
Trust: 0.1
db:VULMONid:CVE-2018-11951
Trust: 0.1
sources:
            
            
            VULHUB: VHN-121862 // 
            
            
            
            VULMON: CVE-2018-11951 // 
            
            
            
            BID: 106494 // 
            
            
            
            JVNDB: JVNDB-2018-011453 // 
            
            
            
            CNNVD: CNNVD-201810-1294 // 
            
            
            
            NVD: CVE-2018-11951

REFERENCES
url:https://www.qualcomm.com/company/product-security/bulletins
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11951
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-11951
Trust: 0.8
url:https://source.android.com/security/bulletin/2018-09-01.html
Trust: 0.4
url:http://code.google.com/android/
Trust: 0.3
url:http://www.qualcomm.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/732.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://github.com/samreleasenotes/samsungreleasenotes
Trust: 0.1
sources:
            
            
            VULHUB: VHN-121862 // 
            
            
            
            VULMON: CVE-2018-11951 // 
            
            
            
            BID: 106494 // 
            
            
            
            JVNDB: JVNDB-2018-011453 // 
            
            
            
            CNNVD: CNNVD-201810-1294 // 
            
            
            
            NVD: CVE-2018-11951

CREDITS
The vendor reported these issues.
Trust: 0.3
sources:
            
            
            BID: 106494

SOURCES
db:VULHUBid:VHN-121862
db:VULMONid:CVE-2018-11951
db:BIDid:106494
db:JVNDBid:JVNDB-2018-011453
db:CNNVDid:CNNVD-201810-1294
db:NVDid:CVE-2018-11951

LAST UPDATE DATE
2024-08-14T13:27:31.216000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-121862date:2019-10-03T00:00:00
db:VULMONid:CVE-2018-11951date:2019-10-03T00:00:00
db:BIDid:106494date:2018-09-04T00:00:00
db:JVNDBid:JVNDB-2018-011453date:2019-01-15T00:00:00
db:CNNVDid:CNNVD-201810-1294date:2019-10-23T00:00:00
db:NVDid:CVE-2018-11951date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE
db:VULHUBid:VHN-121862date:2018-10-26T00:00:00
db:VULMONid:CVE-2018-11951date:2018-10-26T00:00:00
db:BIDid:106494date:2018-09-04T00:00:00
db:JVNDBid:JVNDB-2018-011453date:2019-01-15T00:00:00
db:CNNVDid:CNNVD-201810-1294date:2018-10-29T00:00:00
db:NVDid:CVE-2018-11951date:2018-10-26T13:29:01.730