Sign-up

ID

VAR-201906-0738


CVE

CVE-2018-13908


TITLE

plural Snapdragon Authorization vulnerabilities in products

Trust: 0.8

sources: JVNDB: JVNDB-2018-015631

DESCRIPTION

Truncated access authentication token leads to weakened access control for stored secure application data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains an authorization vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm Closed-Source Components are prone to the following security vulnerabilities: 1. Multiple buffer-overflow vulnerabilities 2. Multiple information disclosure vulnerabilities 3. Multiple out-of-bounds memory access vulnerabilities 4. An unauthorized-access vulnerability 5. Multiple denial-of-service vulnerabilities 6. An insecure-file-permissions vulnerability An attacker can exploit these issues to execute arbitrary code, perform unauthorized actions, cause denial-of-service condition and obtain sensitive information. This may aid in further attacks. These issues are being tracked by Android Bug IDs A-114074547,A-119050181,A-122474428,A-114067283,A-119049466,A-119050073,A-119049388,A-119050001,A-119049623,A-119051002,A-119050182,A-119052037,A-122472140,A-112303441 and A-123997497. Qualcomm MDM9206 is a central processing unit (CPU) product of Qualcomm (Qualcomm). An authorization issue vulnerability exists in several Qualcomm products. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products. The following products and versions are affected: Qualcomm IPQ8074; MDM9150; MDM9206; MDM9607; MDM9650; MDM9655; MSM8909W; MSM8996AU; SD 427; SD 430; SD 435; SD 439; SD 429; SD 450; SD 615/16; SD 415; SD 625; SD 632; SD 636; SD 650/52; 820; SD 820A; SD 835; SD 845; SD 850; SD 8CX; SDA660;

Trust: 2.07

sources: NVD: CVE-2018-13908 // JVNDB: JVNDB-2018-015631 // BID: 108300 // VULHUB: VHN-124014 // VULMON: CVE-2018-13908

AFFECTED PRODUCTS

vendor:qualcommmodel:qcs405scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 427scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sda660scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 710scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 425scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 820ascope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 429scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9607scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 615scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9206scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm660scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 450scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9655scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:ipq8074scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9150scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 616scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:qca8081scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 435scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 439scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sxr1130scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 712scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 625scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 632scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:msm8996auscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 8cxscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 410scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 415scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:qcs605scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 205scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 212scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 650scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 835scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 652scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:snapdragon high med 2016scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9650scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 850scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm630scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 845scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 820scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:qm215scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm439scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:msm8909wscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 670scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 412scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 430scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 210scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sd 636scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:ipq8074scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9150scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9206scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9607scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9650scope: - version: -

Trust: 0.8

vendor:qualcommmodel:mdm9655scope: - version: -

Trust: 0.8

vendor:qualcommmodel:msm8909wscope: - version: -

Trust: 0.8

vendor:qualcommmodel:msm8996auscope: - version: -

Trust: 0.8

vendor:qualcommmodel:qca8081scope: - version: -

Trust: 0.8

vendor:qualcommmodel:qcs405scope: - version: -

Trust: 0.8

vendor:googlemodel:pixel xlscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixel cscope:eqversion:0

Trust: 0.3

vendor:googlemodel:pixelscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexus playerscope:eqversion:0

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:9

Trust: 0.3

vendor:googlemodel:nexus 6pscope: - version: -

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:6

Trust: 0.3

vendor:googlemodel:nexusscope:eqversion:5x

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:0

Trust: 0.3

sources: BID: 108300 // JVNDB: JVNDB-2018-015631 // NVD: CVE-2018-13908

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13908
value: HIGH

Trust: 1.0

NVD: CVE-2018-13908
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-183
value: HIGH

Trust: 0.6

VULHUB: VHN-124014
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-13908
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-13908
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-124014
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13908
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-124014 // VULMON: CVE-2018-13908 // JVNDB: JVNDB-2018-015631 // CNNVD: CNNVD-201905-183 // NVD: CVE-2018-13908

PROBLEMTYPE DATA

problemtype:CWE-285

Trust: 1.9

sources: VULHUB: VHN-124014 // JVNDB: JVNDB-2018-015631 // NVD: CVE-2018-13908

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201905-183

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201905-183

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015631

PATCH
title:May 2019 Qualcomm Technologies, Inc. Security Bulletinurl:https://www.qualcomm.com/company/product-security/bulletins
Trust: 0.8
title:Multiple Qualcomm Product Authorization Issue Vulnerability Fixing Measuresurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92327
Trust: 0.6
title:Threatposturl:https://threatpost.com/google-critical-remote-code-execution-flaws-android/144497/
Trust: 0.1
sources:
            
            
            VULMON: CVE-2018-13908 // 
            
            
            
            JVNDB: JVNDB-2018-015631 // 
            
            
            
            CNNVD: CNNVD-201905-183

EXTERNAL IDS
db:NVDid:CVE-2018-13908
Trust: 2.9
db:BIDid:108300
Trust: 1.0
db:JVNDBid:JVNDB-2018-015631
Trust: 0.8
db:CNNVDid:CNNVD-201905-183
Trust: 0.7
db:VULHUBid:VHN-124014
Trust: 0.1
db:VULMONid:CVE-2018-13908
Trust: 0.1
sources:
            
            
            VULHUB: VHN-124014 // 
            
            
            
            VULMON: CVE-2018-13908 // 
            
            
            
            BID: 108300 // 
            
            
            
            JVNDB: JVNDB-2018-015631 // 
            
            
            
            CNNVD: CNNVD-201905-183 // 
            
            
            
            NVD: CVE-2018-13908

REFERENCES
url:https://www.qualcomm.com/company/product-security/bulletins
Trust: 2.1
url:https://nvd.nist.gov/vuln/detail/cve-2018-13908
Trust: 1.4
url:http://code.google.com/android/
Trust: 0.9
url:http://www.qualcomm.com/
Trust: 0.9
url:https://source.android.com/security/bulletin/2019-05-01
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13908
Trust: 0.8
url:https://www.securityfocus.com/bid/108300
Trust: 0.7
url:https://vigilance.fr/vulnerability/google-android-multiple-vulnerabilities-of-may-2019-29239
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/285.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://threatpost.com/google-critical-remote-code-execution-flaws-android/144497/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-124014 // 
            
            
            
            VULMON: CVE-2018-13908 // 
            
            
            
            BID: 108300 // 
            
            
            
            JVNDB: JVNDB-2018-015631 // 
            
            
            
            CNNVD: CNNVD-201905-183 // 
            
            
            
            NVD: CVE-2018-13908

CREDITS
Wen Guanxing of Pangu LAB, Xiling Gong of Tencent Blade Team.,derrek
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201905-183

SOURCES
db:VULHUBid:VHN-124014
db:VULMONid:CVE-2018-13908
db:BIDid:108300
db:JVNDBid:JVNDB-2018-015631
db:CNNVDid:CNNVD-201905-183
db:NVDid:CVE-2018-13908

LAST UPDATE DATE
2024-11-23T21:37:13.321000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-124014date:2019-06-17T00:00:00
db:VULMONid:CVE-2018-13908date:2019-06-17T00:00:00
db:BIDid:108300date:2019-05-06T00:00:00
db:JVNDBid:JVNDB-2018-015631date:2019-06-21T00:00:00
db:CNNVDid:CNNVD-201905-183date:2019-06-18T00:00:00
db:NVDid:CVE-2018-13908date:2024-11-21T03:48:18.703

SOURCES RELEASE DATE
db:VULHUBid:VHN-124014date:2019-06-14T00:00:00
db:VULMONid:CVE-2018-13908date:2019-06-14T00:00:00
db:BIDid:108300date:2019-05-06T00:00:00
db:JVNDBid:JVNDB-2018-015631date:2019-06-21T00:00:00
db:CNNVDid:CNNVD-201905-183date:2019-05-07T00:00:00
db:NVDid:CVE-2018-13908date:2019-06-14T17:29:00.847