ID

VAR-201902-0683


CVE

CVE-2018-5839


TITLE

Access control vulnerabilities in multiple Snapdragon products

Trust: 0.8

sources: JVNDB: JVNDB-2018-014640

DESCRIPTION

Improperly configured memory protection allows read/write access to modem image from HLOS kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9150, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8996AU, QCS605, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SXR1130. Multiple Snapdragon products contain an access control vulnerability. Information may be obtained and information may be altered. Qualcomm Closed-Source Components are prone to multiple unspecified vulnerabilities. An attacker can exploit these issues to perform unauthorized actions. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-109678453, A-111089815, A-112279482, A-112278875, A-109678259, A-111088838, A-111092944, A-112278972, A-112279521, A-112279426, A-112279483, A-112279144, A-112279544, and A-119050566. Qualcomm MDM9640 is a central processing unit (CPU) product of Qualcomm. An access control error vulnerability exists in several Qualcomm products; the vulnerability results from network systems or products not properly restricting access to resources from unauthorized roles. The following products are affected: Qualcomm MDM9150; MDM9615; MDM9625; MDM9635M; MDM9640; MDM9650; MDM9655; MSM8996AU; ; SD 850; SD 855; SD 8CX; SDA660; SDM630; SDM660; SDX20; SXR1130

Trust: 1.98

sources: NVD: CVE-2018-5839 // JVNDB: JVNDB-2018-014640 // BID: 106845 // VULHUB: VHN-135871

AFFECTED PRODUCTS

vendor: qualcomm, model: sda660, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9150, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 845, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9650, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: qcs605, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9625, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9655, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 820a, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 855, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 636, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 8cx, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sxr1130, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: snapdragon consumer internet of things, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sdx20, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: snapdragon compute, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 712, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sdm660, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9615, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sdm630, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: msm8996au, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 850, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 675, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: snapdragon industrial internet of things, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: snapdragon auto, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9635m, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 710, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9640, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 820, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 835, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: sd 670, scope: eq, version: -

Trust: 1.0

vendor: qualcomm, model: mdm9150, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: mdm9615, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: mdm9625, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: mdm9635m, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: mdm9640, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: mdm9650, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: snapdragon auto, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: snapdragon compute, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: snapdragon consumer iot, scope: -, version: -

Trust: 0.8

vendor: qualcomm, model: snapdragon industrial iot, scope: -, version: -

Trust: 0.8

vendor: google, model: pixel xl, scope: eq, version: 0

Trust: 0.3

vendor: google, model: pixel c, scope: eq, version: 0

Trust: 0.3

vendor: google, model: pixel, scope: eq, version: 0

Trust: 0.3

vendor: google, model: nexus player, scope: eq, version: 0

Trust: 0.3

vendor: google, model: nexus, scope: eq, version: 9

Trust: 0.3

vendor: google, model: nexus 6p, scope: -, version: -

Trust: 0.3

vendor: google, model: nexus, scope: eq, version: 6

Trust: 0.3

vendor: google, model: nexus, scope: eq, version: 5x

Trust: 0.3

vendor: google, model: android, scope: eq, version: 0

Trust: 0.3

sources: BID: 106845 // JVNDB: JVNDB-2018-014640 // NVD: CVE-2018-5839

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-5839
value: HIGH

Trust: 1.0

NVD: CVE-2018-5839
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-245
value: HIGH

Trust: 0.6

VULHUB: VHN-135871
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-5839
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-135871
severity: MEDIUM
baseScore: 6.6
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-5839
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-135871 // JVNDB: JVNDB-2018-014640 // CNNVD: CNNVD-201902-245 // NVD: CVE-2018-5839

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.1

problemtype:CWE-284

Trust: 0.8

sources: VULHUB: VHN-135871 // JVNDB: JVNDB-2018-014640 // NVD: CVE-2018-5839

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201902-245

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201902-245

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014640

PATCH

title: February 2019 Qualcomm Technologies, Inc. Security Bulletin
url: https://www.qualcomm.com/company/product-security/bulletins

Trust: 0.8

sources: JVNDB: JVNDB-2018-014640

EXTERNAL IDS

db: NVD, id: CVE-2018-5839

Trust: 2.8

db: BID, id: 106845

Trust: 2.0

db: JVNDB, id: JVNDB-2018-014640

Trust: 0.8

db: CNNVD, id: CNNVD-201902-245

Trust: 0.7

db: VULHUB, id: VHN-135871

Trust: 0.1

sources: VULHUB: VHN-135871 // BID: 106845 // JVNDB: JVNDB-2018-014640 // CNNVD: CNNVD-201902-245 // NVD: CVE-2018-5839

REFERENCES

url:http://www.securityfocus.com/bid/106845

Trust: 2.3

url:https://www.qualcomm.com/company/product-security/bulletins

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-5839

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5839

Trust: 0.8

url:http://code.google.com/android/

Trust: 0.3

url:http://www.qualcomm.com/

Trust: 0.3

url:https://source.android.com/security/bulletin/2019-02-01

Trust: 0.3

sources: VULHUB: VHN-135871 // BID: 106845 // JVNDB: JVNDB-2018-014640 // CNNVD: CNNVD-201902-245 // NVD: CVE-2018-5839

CREDITS

The vendor reported these issues.

Trust: 0.9

sources: BID: 106845 // CNNVD: CNNVD-201902-245

SOURCES

db: VULHUB, id: VHN-135871
db: BID, id: 106845
db: JVNDB, id: JVNDB-2018-014640
db: CNNVD, id: CNNVD-201902-245
db: NVD, id: CVE-2018-5839

LAST UPDATE DATE

2024-08-14T13:26:57.396000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-135871, date: 2019-10-03T00:00:00
db: BID, id: 106845, date: 2019-02-04T00:00:00
db: JVNDB, id: JVNDB-2018-014640, date: 2019-04-01T00:00:00
db: CNNVD, id: CNNVD-201902-245, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-5839, date: 2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db: VULHUB, id: VHN-135871, date: 2019-02-25T00:00:00
db: BID, id: 106845, date: 2019-02-04T00:00:00
db: JVNDB, id: JVNDB-2018-014640, date: 2019-04-01T00:00:00
db: CNNVD, id: CNNVD-201902-245, date: 2019-02-04T00:00:00
db: NVD, id: CVE-2018-5839, date: 2019-02-25T22:29:02.900