Sign-up

ID

VAR-201902-0683


CVE

CVE-2018-5839


TITLE

plural Snapdragon Access control vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-014640

DESCRIPTION

Improperly configured memory protection allows read/write access to modem image from HLOS kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9150, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8996AU, QCS605, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SXR1130. plural Snapdragon The product contains an access control vulnerability.Information may be obtained and information may be altered. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-109678453, A-111089815, A-112279482, A-112278875, A-109678259, A-111088838, A-111092944, A-112278972, A-112279521, A-112279426, A-112279483, A-112279144, A-112279544, and A-119050566. Qualcomm MDM9640 is a central processing unit (CPU) product of Qualcomm (Qualcomm). An access control error vulnerability exists in several Qualcomm products; the vulnerability results from network systems or products not properly restricting access to resources from unauthorized roles. The following products are affected: Qualcomm MDM9150; MDM9615; MDM9625; MDM9635M; MDM9640; MDM9650; MDM9655; MSM8996AU; ;SD 850;SD 855;SD 8CX;SDA660;SDM630;SDM660;SDX20;SXR1130

Trust: 1.98

sources: NVD: CVE-2018-5839 // JVNDB: JVNDB-2018-014640 // BID: 106845 // VULHUB: VHN-135871

AFFECTED PRODUCTS

vendor:qualcommmodel:sda660scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9150scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 845scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9650scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:qcs605scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9625scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9655scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 820ascope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 855scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 636scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 8cxscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sxr1130scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:snapdragon consumer internet of thingsscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdx20scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:snapdragon computescope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 712scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm660scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9615scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm630scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:msm8996auscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 850scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 675scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:snapdragon industrial internet of thingsscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:snapdragon autoscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9635mscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 710scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9640scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 820scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 835scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 670scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9150scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9615scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9625scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9635mscope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9640scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9650scope: - version: -

Trust: 0.8

vendor:qualcommmodel:snapdragon autoscope: - version: -

Trust: 0.8

vendor:qualcommmodel:snapdragon computescope: - version: -

Trust: 0.8

vendor:qualcommmodel:snapdragon consumer iotscope: - version: -

Trust: 0.8

vendor:qualcommmodel:snapdragon industrial iotscope: - version: -

Trust: 0.8

vendor:googlemodel:pixel xlscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel cscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexus playerscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:9

Trust: 0.3

vendor:googlemodel:nexus 6pscope: - version: -

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:6

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5x

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:0

Trust: 0.3

sources: BID: 106845 // JVNDB: JVNDB-2018-014640 // NVD: CVE-2018-5839

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5839
value: HIGH

Trust: 1.0

NVD: CVE-2018-5839
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-245
value: HIGH

Trust: 0.6

VULHUB: VHN-135871
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-5839
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-135871
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5839
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-135871 // JVNDB: JVNDB-2018-014640 // CNNVD: CNNVD-201902-245 // NVD: CVE-2018-5839

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-284

Trust: 0.8

sources: VULHUB: VHN-135871 // JVNDB: JVNDB-2018-014640 // NVD: CVE-2018-5839

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201902-245

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201902-245

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-014640

PATCH
title:February 2019 Qualcomm Technologies, Inc. Security Bulletinurl:https://www.qualcomm.com/company/product-security/bulletins
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-014640

EXTERNAL IDS
db:NVDid:CVE-2018-5839
Trust: 2.8
db:BIDid:106845
Trust: 2.0
db:JVNDBid:JVNDB-2018-014640
Trust: 0.8
db:CNNVDid:CNNVD-201902-245
Trust: 0.7
db:VULHUBid:VHN-135871
Trust: 0.1
sources:
            
            
            VULHUB: VHN-135871 // 
            
            
            
            BID: 106845 // 
            
            
            
            JVNDB: JVNDB-2018-014640 // 
            
            
            
            CNNVD: CNNVD-201902-245 // 
            
            
            
            NVD: CVE-2018-5839

REFERENCES
url:http://www.securityfocus.com/bid/106845
Trust: 2.3
url:https://www.qualcomm.com/company/product-security/bulletins
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2018-5839
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5839
Trust: 0.8
url:http://code.google.com/android/
Trust: 0.3
url:http://www.qualcomm.com/
Trust: 0.3
url:https://source.android.com/security/bulletin/2019-02-01
Trust: 0.3
sources:
            
            
            VULHUB: VHN-135871 // 
            
            
            
            BID: 106845 // 
            
            
            
            JVNDB: JVNDB-2018-014640 // 
            
            
            
            CNNVD: CNNVD-201902-245 // 
            
            
            
            NVD: CVE-2018-5839

CREDITS
The vendor reported these issues.
Trust: 0.9
sources:
            
            
            BID: 106845 // 
            
            
            
            CNNVD: CNNVD-201902-245

SOURCES
db:VULHUBid:VHN-135871
db:BIDid:106845
db:JVNDBid:JVNDB-2018-014640
db:CNNVDid:CNNVD-201902-245
db:NVDid:CVE-2018-5839

LAST UPDATE DATE
2024-08-14T13:26:57.396000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-135871date:2019-10-03T00:00:00
db:BIDid:106845date:2019-02-04T00:00:00
db:JVNDBid:JVNDB-2018-014640date:2019-04-01T00:00:00
db:CNNVDid:CNNVD-201902-245date:2019-10-23T00:00:00
db:NVDid:CVE-2018-5839date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE
db:VULHUBid:VHN-135871date:2019-02-25T00:00:00
db:BIDid:106845date:2019-02-04T00:00:00
db:JVNDBid:JVNDB-2018-014640date:2019-04-01T00:00:00
db:CNNVDid:CNNVD-201902-245date:2019-02-04T00:00:00
db:NVDid:CVE-2018-5839date:2019-02-25T22:29:02.900