Details of VAR-201608-0377

ID

VAR-201608-0377

CVE

CVE-2014-9871

TITLE

Nexus 5 and 7 (2013) Run on device Android of Qualcomm Component buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-004215

DESCRIPTION

Multiple buffer overflows in drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allow attackers to gain privileges via a crafted application, aka Android internal bug 28749803 and Qualcomm internal bug CR514717. Nexus 5 and 7 (2013) Run on device Android of Qualcomm Component drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c Contains a buffer overflow vulnerability. AndroidonNexus is a high-end mobile phone series powered by Google's original Android system. Google Nexus is prone to multiple privilege escalation vulnerabilities. Attackers can exploit these issues to execute arbitrary code with elevated privileges within the context of the kernel. These issues are being tracked by Android Bug IDs A-28768146, A-28747998, A-28748271, A-28747684, A-28749629, A-28749721, A-28749728, A-28749743, A-28749803, A-28750155, A-28750726, A-28751152, A-28767589, A-28767796, A-28768281, A-28769208, A-28769221, A-28769352, A-28769368, A-28769546, A-28769912, A-28769920, A-28769959, A-28815575, A-28804057, A-28803642, A-28803645, A-28803962, A-28804030, A-28398884, A-28813987, A-28814502, A-28814652, A-28815158, A-28749283, and A-28770207

Trust: 2.52

sources: NVD: CVE-2014-9871 // JVNDB: JVNDB-2016-004215 // CNVD: CNVD-2016-06286 // BID: 92219 // VULMON: CVE-2014-9871

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-06286

AFFECTED PRODUCTS

vendor:	google	model:	android	scope:	lte	version:	6.0.1	Trust: 1.0
vendor:	google	model:	android	scope:	eq	version:	2016-08-05	Trust: 0.8
vendor:	google	model:	android	scope:	eq	version:	5<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	7(2013)<2016-08-05	Trust: 0.6
vendor:	google	model:	android	scope:	eq	version:	6.0.1	Trust: 0.6
vendor:	google	model:	nexus	scope:	eq	version:	7	Trust: 0.3
vendor:	google	model:	nexus 6p	scope:	-	version:	-	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	6	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5x	Trust: 0.3
vendor:	google	model:	nexus	scope:	eq	version:	5	Trust: 0.3

sources: CNVD: CNVD-2016-06286 // BID: 92219 // JVNDB: JVNDB-2016-004215 // CNNVD: CNNVD-201608-114 // NVD: CVE-2014-9871

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-9871
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-9871
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-06286
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201608-114
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2014-9871
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-9871
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2016-06286
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2014-9871
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-06286 // VULMON: CVE-2014-9871 // JVNDB: JVNDB-2016-004215 // CNNVD: CNNVD-201608-114 // NVD: CVE-2014-9871

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2016-004215 // NVD: CVE-2014-9871

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-114

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201608-114

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004215

PATCH

title:	Android Security Bulletin-August 2016	url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 0.8
title:	msm: camera: Fix potential memory overflow errors	url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=f615e40c706708f74cd826d5b19c63025f54c041	Trust: 0.8
title:	AndroidonNexusdevices has multiple buffer overflow vulnerability patches	url:	https://www.cnvd.org.cn/patchInfo/show/80386	Trust: 0.6
title:	Android on Nexus Qualcomm Fixes for component buffer overflow vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63507	Trust: 0.6
title:	Android Security Bulletins: Android Security Bulletin—August 2016	url:	https://vulmon.com/vendoradvisory?qidtp=android_security_bulletins&qid=1c52474e34daae48915f8b4129072a86	Trust: 0.1

sources: CNVD: CNVD-2016-06286 // VULMON: CVE-2014-9871 // JVNDB: JVNDB-2016-004215 // CNNVD: CNNVD-201608-114

EXTERNAL IDS

db:	NVD	id:	CVE-2014-9871	Trust: 3.4
db:	BID	id:	92219	Trust: 1.4
db:	JVNDB	id:	JVNDB-2016-004215	Trust: 0.8
db:	CNVD	id:	CNVD-2016-06286	Trust: 0.6
db:	CNNVD	id:	CNNVD-201608-114	Trust: 0.6
db:	VULMON	id:	CVE-2014-9871	Trust: 0.1

sources: CNVD: CNVD-2016-06286 // VULMON: CVE-2014-9871 // BID: 92219 // JVNDB: JVNDB-2016-004215 // CNNVD: CNNVD-201608-114 // NVD: CVE-2014-9871

REFERENCES

url:	http://source.android.com/security/bulletin/2016-08-01.html	Trust: 2.7
url:	https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=f615e40c706708f74cd826d5b19c63025f54c041	Trust: 1.7
url:	http://www.securityfocus.com/bid/92219	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9871	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9871	Trust: 0.8
url:	http://code.google.com/android/	Trust: 0.3
url:	https://developers.google.com/android/nexus/images#mantaray	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2016-06286 // VULMON: CVE-2014-9871 // BID: 92219 // JVNDB: JVNDB-2016-004215 // CNNVD: CNNVD-201608-114 // NVD: CVE-2014-9871

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 92219

SOURCES

db:	CNVD	id:	CNVD-2016-06286
db:	VULMON	id:	CVE-2014-9871
db:	BID	id:	92219
db:	JVNDB	id:	JVNDB-2016-004215
db:	CNNVD	id:	CNNVD-201608-114
db:	NVD	id:	CVE-2014-9871

LAST UPDATE DATE

2025-04-12T22:57:51.739000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-06286	date:	2016-08-12T00:00:00
db:	VULMON	id:	CVE-2014-9871	date:	2016-11-28T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004215	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-114	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9871	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-06286	date:	2016-08-12T00:00:00
db:	VULMON	id:	CVE-2014-9871	date:	2016-08-06T00:00:00
db:	BID	id:	92219	date:	2016-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2016-004215	date:	2016-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201608-114	date:	2016-08-09T00:00:00
db:	NVD	id:	CVE-2014-9871	date:	2016-08-06T10:59:11.790