Sign-up

ID

VAR-201810-1158


CVE

CVE-2018-3588


TITLE

plural Snapdragon Access control vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-011593

DESCRIPTION

There is improper access control of the SSC and GPU mapped regions which lead to inject code from HLOS in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in version MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835, SDA660. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-68326803, A-62213176, A-73539234, A-72950814, A-77484228, A-111090697, A-68326811, A-78240387, A-78239234, A-68326819, A-71501117, A-72950958, A-74236425, A-77484229, A-79419793, A-109677940, A-109677982, A-109677964, A-109678202, A-109678380, A-111091377, A-111090533, A-111093202, A-111090698, A-111093021, and A-111093167. Qualcomm MDM9206, etc. are the central processing unit (CPU) products of Qualcomm (Qualcomm) applied to different platforms. An access control error vulnerability exists in the Core of several Qualcomm Snapdragon products. The following products (for automotive, mobile, and wearables) are affected: Qualcomm MDM9206; MDM9607; MDM9650; MSM8996AU; SD 210; SD 212; SD 205; SD 820; SD 820A; SD 835;

Trust: 2.07

sources: NVD: CVE-2018-3588 // JVNDB: JVNDB-2018-011593 // BID: 106494 // VULHUB: VHN-133619 // VULMON: CVE-2018-3588

AFFECTED PRODUCTS

vendor:qualcommmodel:sd 205scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 210scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 212scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:msm8996auscope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 820scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 835scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sd 820ascope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9650scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9206scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:mdm9607scope:eqversion: -

Trust: 1.6

vendor:qualcommmodel:sda660scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9206scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9607scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9650scope: - version: -

Trust: 0.8

vendor:qualcommmodel:msm8996auscope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 205scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 210scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 212scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 820scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 820ascope: - version: -

Trust: 0.8

vendor:qualcommmodel:sd 835scope: - version: -

Trust: 0.8

vendor:qualcommmodel:sda 660scope: - version: -

Trust: 0.8

vendor:googlemodel:pixel xlscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel cscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexus playerscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:9

Trust: 0.3

vendor:googlemodel:nexus 6pscope: - version: -

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:6

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5x

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:0

Trust: 0.3

sources: BID: 106494 // JVNDB: JVNDB-2018-011593 // CNNVD: CNNVD-201810-1297 // NVD: CVE-2018-3588

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-3588
value: HIGH

Trust: 1.0

NVD: CVE-2018-3588
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201810-1297
value: HIGH

Trust: 0.6

VULHUB: VHN-133619
value: HIGH

Trust: 0.1

VULMON: CVE-2018-3588
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-3588
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-133619
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-3588
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-133619 // VULMON: CVE-2018-3588 // JVNDB: JVNDB-2018-011593 // CNNVD: CNNVD-201810-1297 // NVD: CVE-2018-3588

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-133619 // JVNDB: JVNDB-2018-011593 // NVD: CVE-2018-3588

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201810-1297

TYPE

control error

Trust: 0.6

sources: CNNVD: CNNVD-201810-1297

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-011593

PATCH
title:October 2018 Qualcomm Technologies, Inc. Security Bulletinurl:https://www.qualcomm.com/company/product-security/bulletins
Trust: 0.8
title:Multiple Qualcomm Snapdragon Product control error vulnerability fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86368
Trust: 0.6
title:Android Security Bulletins: Android Security Bulletin—September 2018url:https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=25cebb27b25b2e242f56769472d26cc5
Trust: 0.1
title:SamsungReleaseNotesurl:https://github.com/samreleasenotes/SamsungReleaseNotes 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-3588 // 
            
            
            
            JVNDB: JVNDB-2018-011593 // 
            
            
            
            CNNVD: CNNVD-201810-1297

EXTERNAL IDS
db:NVDid:CVE-2018-3588
Trust: 2.9
db:JVNDBid:JVNDB-2018-011593
Trust: 0.8
db:CNNVDid:CNNVD-201810-1297
Trust: 0.7
db:BIDid:106494
Trust: 0.3
db:VULHUBid:VHN-133619
Trust: 0.1
db:VULMONid:CVE-2018-3588
Trust: 0.1
sources:
            
            
            VULHUB: VHN-133619 // 
            
            
            
            VULMON: CVE-2018-3588 // 
            
            
            
            BID: 106494 // 
            
            
            
            JVNDB: JVNDB-2018-011593 // 
            
            
            
            CNNVD: CNNVD-201810-1297 // 
            
            
            
            NVD: CVE-2018-3588

REFERENCES
url:https://www.qualcomm.com/company/product-security/bulletins
Trust: 1.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-3588
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-3588
Trust: 0.8
url:https://source.android.com/security/bulletin/2018-09-01.html
Trust: 0.4
url:http://code.google.com/android/
Trust: 0.3
url:http://www.qualcomm.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://github.com/samreleasenotes/samsungreleasenotes
Trust: 0.1
sources:
            
            
            VULHUB: VHN-133619 // 
            
            
            
            VULMON: CVE-2018-3588 // 
            
            
            
            BID: 106494 // 
            
            
            
            JVNDB: JVNDB-2018-011593 // 
            
            
            
            CNNVD: CNNVD-201810-1297 // 
            
            
            
            NVD: CVE-2018-3588

CREDITS
The vendor reported these issues.
Trust: 0.3
sources:
            
            
            BID: 106494

SOURCES
db:VULHUBid:VHN-133619
db:VULMONid:CVE-2018-3588
db:BIDid:106494
db:JVNDBid:JVNDB-2018-011593
db:CNNVDid:CNNVD-201810-1297
db:NVDid:CVE-2018-3588

LAST UPDATE DATE
2024-11-23T21:52:42.566000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-133619date:2019-10-03T00:00:00
db:VULMONid:CVE-2018-3588date:2019-10-03T00:00:00
db:BIDid:106494date:2018-09-04T00:00:00
db:JVNDBid:JVNDB-2018-011593date:2019-01-17T00:00:00
db:CNNVDid:CNNVD-201810-1297date:2019-10-23T00:00:00
db:NVDid:CVE-2018-3588date:2024-11-21T04:05:43.127

SOURCES RELEASE DATE
db:VULHUBid:VHN-133619date:2018-10-26T00:00:00
db:VULMONid:CVE-2018-3588date:2018-10-26T00:00:00
db:BIDid:106494date:2018-09-04T00:00:00
db:JVNDBid:JVNDB-2018-011593date:2019-01-17T00:00:00
db:CNNVDid:CNNVD-201810-1297date:2018-10-29T00:00:00
db:NVDid:CVE-2018-3588date:2018-10-26T13:29:01.823