Lucene search

K
androidsecurityAndroid Open Source ProjectANDROID:2018-04-01
HistoryApr 02, 2018 - 12:00 a.m.

Pixel / Nexus Security Bulletin—April 2018

2018-04-0200:00:00
Android Open Source Project
source.android.com
84

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

Low

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.001 Low

EPSS

Percentile

42.1%

The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting supported Google Pixel and Nexus devices (Google devices). For Google devices, security patch levels of 2018-04-05 or later address all issues in this bulletin and all issues in the April 2018 Android Security Bulletin. To learn how to check a device’s security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2018-04-05 patch level. We encourage all customers to accept these updates to their devices.

Note: The Google device firmware images are available on the Google Developer site.

Announcements

In addition to the security vulnerabilities described in the April 2018 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below. Partners were notified of these issues at least a month ago and may choose to incorporate them as part of their device updates.

Security patches

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Framework

CVE References Type Severity Updated AOSP versions
CVE-2017-13294 A-71814449 [2] ID Moderate 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2017-13295 A-62537081 DoS Moderate 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1

Media framework

CVE References Type Severity Updated AOSP versions
CVE-2017-13300 A-71567394* DoS High 6.0, 6.0.1
CVE-2017-13296 A-70897454 ID Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1
DoS High 6.0, 6.0.1
CVE-2017-13297 A-71766721 ID Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1
DoS High 6.0, 6.0.1
CVE-2017-13298 A-72117051 ID Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1
DoS High 6.0, 6.0.1
CVE-2017-13299 A-70897394 NSI NSI 7.0, 7.1.1, 7.1.2, 8.0, 8.1
DoS High 6.0, 6.0.1

System

CVE References Type Severity Updated AOSP versions
CVE-2017-13301 A-66498711 [2] DoS Moderate 8.0
CVE-2017-13302 A-69969749 DoS Moderate 8.0

Broadcom components

CVE References Type Severity Component
CVE-2017-13303 A-71359108* B-V2018010501 ID Moderate bcmdhd driver

Kernel components

CVE References Type Severity Component
CVE-2017-13304 A-70576999* ID Moderate mnh_sm driver
CVE-2017-13305 A-70526974* ID Moderate encrypted-keys
CVE-2017-17449 A-70980949 Upstream kernel ID Moderate netlink tap
CVE-2017-13306 A-70295063* EoP Moderate mnh driver
CVE-2017-13307 A-69128924* EoP Moderate pci sysfs
CVE-2017-17712 A-71500434 Upstream kernel EoP Moderate net ipv4
CVE-2017-15115 A-70217214 Upstream kernel EoP Moderate sctp

Qualcomm components

CVE References Type Severity Component
CVE-2018-3598 A-71501698 QC-CR#1097390 ID Moderate camera_v2 driver
CVE-2018-5826 A-69128800* QC-CR#2157283 ID Moderate qcacld-3.0 hdd driver
CVE-2017-15853 A-65853393* QC-CR#2116517 QC-CR#2125577 ID Moderate WLAN
CVE-2018-3584 A-64610600* QC-CR#2142046 ID Moderate rmnet_usb
CVE-2017-8269 A-33967002* QC-CR#2013145 QC-CR#2114278 ID Moderate IPA driver
CVE-2017-15837 A-64403015* QC-CR#2116387 ID Moderate NL80211 driver
CVE-2018-5823 A-72957335 QC-CR#2139436 EoP Moderate WLAN
CVE-2018-5825 A-72957269 QC-CR#2151146 [2] [3] EoP Moderate IPA driver
CVE-2018-5824 A-72957235 QC-CR#2149399 [2] EoP Moderate WLAN
CVE-2018-5827 A-72956920 QC-CR#2161977 EoP Moderate WLAN
CVE-2018-5822 A-71501692 QC-CR#2115221 EoP Moderate QC WLAN
CVE-2018-5821 A-71501687 QC-CR#2114363 EoP Moderate modem driver
CVE-2018-5820 A-71501686 QC-CR#2114336 EoP Moderate Modem driver
CVE-2018-3599 A-71501666 QC-CR#2047235 EoP Moderate Qualcomm Core Services
CVE-2018-3596 A-35263529* QC-CR#640898 EoP Moderate WLAN
CVE-2018-3568 A-72957136 QC-CR#2152824 EoP Moderate WLAN
CVE-2018-3567 A-72956997 QC-CR#2147119 [2] EoP Moderate WLAN
CVE-2017-15855 A-72957336 QC-CR#2149501 EoP Moderate WLAN
CVE-2018-5828 A-71501691 QC-CR#2115207 EoP Moderate QC WLAN
CVE-2017-15836 A-71501693 QC-CR#2119887 EoP Moderate QC WLAN
CVE-2017-14890 A-71501695 QC-CR#2120751 EoP Moderate QC WLAN
CVE-2017-14894 A-71501694 QC-CR#2120424 EoP Moderate QC WLAN
CVE-2017-14880 A-68992477 QC-CR#2078734 [2] EoP Moderate IPA WAN driver
CVE-2017-11075 A-70237705 QC-CR#2098332 EoP Moderate Audio DSP driver

Functional updates

These updates are included for affected Pixel devices to address functionality issues not related to the security of Pixel devices. The table includes associated references; the affected category, such as Bluetooth or mobile data; improvements; and affected devices.

References Category Improvements Devices
A-35963245 Performance Enable Assisted Dialing support Pixel 2, Pixel 2 XL
A-37681923 A-68215016 Logging Improve anomaly detection metrics All
A-63908720 Logging Improve diskstats logging All
A-64101451 Performance Improve handover from VoLTE to VoWi-Fi during Emergency calls on certain carriers Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-64586126 Camera Improve microvideo performance in Google Camera Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-64610438 Performance Reduce delays upon opening specific apps Pixel 2, Pixel 2 XL
A-65175134 Video Improve decoding of certain video streams Pixel, Pixel XL
A-65347520 Performance Improve fingerprint and keyboard latency in certain situations Pixel 2, Pixel 2 XL
A-65490850 UI Adjust notifications when entering or exiting Wi-Fi coverage during a video call Pixel 2, Pixel 2 XL
A-65509134 Connectivity Enable IMS911 on certain networks Pixel 2, Pixel 2 XL, Pixel, Pixel XL
A-66951771 Logging Detect Wi-Fi Passport statistics for developers All
A-66957450 Performance Improve lock screen performance All
A-67094673 Logging Improve start time logging All
A-67589241 Performance Improve magnetic sensor performance on Pixel 2/Pixel 2 XL Pixel 2, Pixel 2 XL
A-67593274 Battery Reduce battery drain after modem issues Pixel 2, Pixel 2 XL
A-67634615 Stability Improve modem stability on Pixel and Pixel 2 phones Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-67750231 UI Adjust Call Forwarding UI Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-67774904 Connectivity Improve multi-calling performance over Wi-Fi Pixel, Pixel XL
A-67777512 Connectivity Improve data connectivity for T-Mobile users in parts of Australia Pixel, Pixel XL
A-67882977 Certification Update certification Pixel, Pixel XL
A-68150449 A-68059359 A-69797741 A-69378640 A-68824279 Stability Improve Wi-Fi stability on Pixel 2 phones Pixel 2, Pixel 2 XL
A-68217064 Performance Improve handover to Wi-Fi Calling in low-coverage areas Pixel 2, Pixel 2 XL
A-68398312 Performance Improve conference call performance over Wifi Pixel 2, Pixel 2 XL
A-68671462 Connectivity Improve VoLTE performance for some carriers Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-68841424 Connectivity Adjust APN updating behavior All
A-68863351 UI Improve settings app icons All
A-68923696 A-68922470 A-68940490 Certification Upgrade certificates to ensure continued service. Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-68931709 Developer Add methods to PeerHandle API for developers All
A-68959671 Connectivity Update Verizon Service APK for Pixel phones Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-69003183 Logging Improve Wi-Fi and RPM logging Pixel 2, Pixel 2 XL
A-69017578 A-68138080 A-68205105 A-70731000 A-69574837 A-68474108 A-70406781 Connectivity, Performance Improve connectivity and performance on certain carrier networks Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-69064494 Performance Improve notification listening apps All
A-69152057 Connectivity Address call forwarding issue. All
A-69209000 Connectivity Improve internet connectivity on Pixel 2 on certain WiFi networks Pixel 2
A-69238007 A-68202289 A-69334308 Connectivity Adjust APN settings Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-69261367 A-70512352 Messaging Improve MMS messaging performance on certain carriers Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-69275204 Battery Adjust battery learned capacity increment and decrement limits Pixel 2, Pixel 2 XL
A-69334266 Connectivity Change voice domain to CS for certain carriers Pixel XL
A-69475609 Performance Adjust timeouts for Phone App All
A-69672417 Stability Improve stability for Pixel 2 devices in certain parts of Canada Pixel 2, Pixel 2 XL
A-69848394 A-68275646 Performance Improve instant Apps performance All
A-69870527 UI Improve indicators for emergency call connectivity Pixel 2, Pixel 2 XL
A-70045970 Battery Optimize search logic to improve battery performance. Pixel 2, Pixel 2 XL
A-70094083 A-70094701 Battery Improve battery logging for Pixel 2 and Pixel 2 XL Pixel 2, Pixel 2 XL
A-70214869 GPS Improve GPS Time performance on Pixel 2 XL Pixel 2 XL
A-70338906 Audio Improve audio speaker performance during phone calls All
A-70398372 UI Adjust advanced calling settings for Verizon Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-70576351 Connectivity Change to prioritize certain bands Nexus 5X, Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-70580873 A-70912923 A-71497259 Connectivity Improve in-call performance for some carriers Pixel, Pixel XL, Pixel 2, Pixel 2 XL
A-70815434 Connectivity Improve network performance on Simyo carrier Nexus 5X
A-71708302 Logging Improve connectivity metrics All
A-71983424 Performance Improve experience switching between LTE and Wifi Pixel 2 XL
A-72119809 Connectivity Improve data performance for devices with certain SIM cards All
A-72175011 Logging Improve autofill logging All
A-72797728 A-71599119 Logging Improve internal troubleshooting tools All
A-72871435 Logging Improve network performance when both VPN and Wi-Fi are enabled All

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Security patch levels of 2018-04-05 or later address all issues associated with the 2018-04-05 security patch level and all previous patch levels. To learn how to check a device’s security patch level, read the instructions on the Pixel and Nexus update schedule.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number

4. What does a * next to the Android bug ID in the References column mean?

Issues that are not publicly available have a * next to the Android bug ID in the References column. The update for that issue is generally contained in the latest binary drivers for Nexus devices available from the Google Developer site.

5. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?

Security vulnerabilities that are documented in the Android Security Bulletins are required in order to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin, are not required for declaring a security patch level.

Versions

Version Date Notes
1.0 April 2, 2018 Bulletin published.
1.1 April 4, 2018 Bulletin revised to include AOSP links.
1.2 April 10, 2018 Bulletin revised to update description for A-72871435.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

Low

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.001 Low

EPSS

Percentile

42.1%