CVE-2018-11277

20.09.2018, 13:29

In Snapdragon (Automobile, Mobile, Wear) in version MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, the com.qualcomm.embms is a vendor package deployed in the system image which has an inadequate permission level and allows any application installed from Play Store to request this permission at install-time. The system application interfaces with the Radio Interface Layer leading to potential access control issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
qualcomm	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Vendor	Product	Version
qualcomm	msm8909w_firmware	-
qualcomm	msm8996au_firmware	-
qualcomm	sd210_firmware	-
qualcomm	sd212_firmware	-
qualcomm	sd205_firmware	-
qualcomm	sd430_firmware	-
qualcomm	sd450_firmware	-
qualcomm	sd615_firmware	-
qualcomm	sd616_firmware	-
qualcomm	sd415_firmware	-
qualcomm	sd617_firmware	-
qualcomm	sd625_firmware	-
qualcomm	sd650_firmware	-
qualcomm	sd652_firmware	-
qualcomm	sd810_firmware	-
qualcomm	sd820_firmware	-
qualcomm	sd820a_firmware	-
qualcomm	sd835_firmware	-
qualcomm	sd845_firmware	-
qualcomm	sda660_firmware	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://www.qualcomm.com/company/product-security/bulletins