Details of VAR-201608-0370

ID

VAR-201608-0370

CVE

CVE-2014-9864

TITLE

Nexus 5 and 7 (2013) Runs on the device Android of Qualcomm Component drivers/misc/qseecom.c Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2016-004206

DESCRIPTION

drivers/misc/qseecom.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices does not validate ioctl calls, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28747998 and Qualcomm internal bug CR561841. AndroidonNexus is a high-end mobile phone series powered by Google's original Android system. Androidbefore2016-08-05onNexus5 and 7devices have privilege escalation vulnerabilities that allow an attacker to gain access to a well-crafted application. Google Nexus is prone to multiple privilege escalation vulnerabilities. Attackers can exploit these issues to execute arbitrary code with elevated privileges within the context of the kernel. These issues are being tracked by Android Bug IDs A-28768146, A-28747998, A-28748271, A-28747684, A-28749629, A-28749721, A-28749728, A-28749743, A-28749803, A-28750155, A-28750726, A-28751152, A-28767589, A-28767796, A-28768281, A-28769208, A-28769221, A-28769352, A-28769368, A-28769546, A-28769912, A-28769920, A-28769959, A-28815575, A-28804057, A-28803642, A-28803645, A-28803962, A-28804030, A-28398884, A-28813987, A-28814502, A-28814652, A-28815158, A-28749283, and A-28770207

Trust: 2.52

sources: NVD: CVE-2014-9864 // JVNDB: JVNDB-2016-004206 // CNVD: CNVD-2016-06293 // BID: 92219 // VULMON: CVE-2014-9864

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-06293

AFFECTED PRODUCTS

vendor:	google	model:	android	scope:	lte	version:	6.0.1	Trust: 1.0
vendor:	google	model:	android	scope:	eq	version:	2016-08-05	Trust: 0.8
vendor:	google	model:	android	scope:	eq	version:	5<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	7(2013)<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	6.0.1	Trust: 0.6
vendor:	google	model:	nexus	scope:	eq	version:	7	Trust: 0.3
vendor:	google	model:	nexus 6p	scope:	-	version:	-	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	6	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5x	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5	Trust: 0.3

sources: CNVD: CNVD-2016-06293 // BID: 92219 // JVNDB: JVNDB-2016-004206 // CNNVD: CNNVD-201608-107 // NVD: CVE-2014-9864

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-9864
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-9864
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-06293
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201608-107
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2014-9864
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-9864
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	CVE-2014-9864
severity:	MEDIUM
baseScore:	6.9
vectorString:	AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2016-06293
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2014-9864
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-06293 // VULMON: CVE-2014-9864 // JVNDB: JVNDB-2016-004206 // CNNVD: CNNVD-201608-107 // NVD: CVE-2014-9864

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2016-004206 // NVD: CVE-2014-9864

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-107

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201608-107

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004206

PATCH

title:	Android Security Bulletin-August 2016	url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 0.8
title:	qseecom: Add checks for API called in IOCTL	url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=a1124defc680055e2f2a8c8e3da4a94ca2ec842e	Trust: 0.8
title:	Patch for AndroidonNexusdevices Privilege Escalation Vulnerability (CNVD-2016-06293)	url:	https://www.cnvd.org.cn/patchInfo/show/80379	Trust: 0.6
title:	Android on Nexus Qualcomm Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63500	Trust: 0.6
title:	Android Security Bulletins: Android Security Bulletin—August 2016	url:	https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=1c52474e34daae48915f8b4129072a86	Trust: 0.1

sources: CNVD: CNVD-2016-06293 // VULMON: CVE-2014-9864 // JVNDB: JVNDB-2016-004206 // CNNVD: CNNVD-201608-107

EXTERNAL IDS

db:	NVD	id:	CVE-2014-9864	Trust: 3.4
db:	BID	id:	92219	Trust: 1.4
db:	JVNDB	id:	JVNDB-2016-004206	Trust: 0.8
db:	CNVD	id:	CNVD-2016-06293	Trust: 0.6
db:	CNNVD	id:	CNNVD-201608-107	Trust: 0.6
db:	VULMON	id:	CVE-2014-9864	Trust: 0.1

sources: CNVD: CNVD-2016-06293 // VULMON: CVE-2014-9864 // BID: 92219 // JVNDB: JVNDB-2016-004206 // CNNVD: CNNVD-201608-107 // NVD: CVE-2014-9864

REFERENCES

url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=a1124defc680055e2f2a8c8e3da4a94ca2ec842e	Trust: 2.3
url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 2.1
url:	http://www.securityfocus.com/bid/92219	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9864	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9864	Trust: 0.8
url:	http://code.google.com/android/	Trust: 0.3
url:	https://developers.google.com/android/nexus/images#mantaray	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2016-06293 // VULMON: CVE-2014-9864 // BID: 92219 // JVNDB: JVNDB-2016-004206 // CNNVD: CNNVD-201608-107 // NVD: CVE-2014-9864

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 92219

SOURCES

db:	CNVD	id:	CNVD-2016-06293
db:	VULMON	id:	CVE-2014-9864
db:	BID	id:	92219
db:	JVNDB	id:	JVNDB-2016-004206
db:	CNNVD	id:	CNNVD-201608-107
db:	NVD	id:	CVE-2014-9864

LAST UPDATE DATE

2025-04-13T23:02:45.178000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-06293	date:	2016-08-15T00:00:00
db:	VULMON	id:	CVE-2014-9864	date:	2016-11-28T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004206	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-107	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9864	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-06293	date:	2016-08-12T00:00:00
db:	VULMON	id:	CVE-2014-9864	date:	2016-08-06T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004206	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-107	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9864	date:	2016-08-06T10:59:02.570