Samsung Mobile August Update Notice

SMR-AUG-2017



Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include all patches up to the Android Security Bulletin - August 2017 package.

The Bulletin (August 2017) contains the following CVE items: 
Critical: CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0407, CVE-2017-9417 
High: CVE-2017-0576, CVE-2016-10286, CVE-2016-10244, CVE-2017-0713, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0687, CVE-2017-0737 
Moderate: CVE-2017-0583, CVE-2016-5346, CVE-2017-6425, CVE-2016-10236, CVE-2017-6426, CVE-2017-7370, CVE-2017-7372, CVE-2017-7373, CVE-2017-0451, CVE-2017-7308, CVE-2017-8264, CVE-2017-8266, CVE-2017-8268, CVE-2017-8258, CVE-2017-0560, CVE-2017-0712, CVE-2017-0738, CVE-2017-0739 
Low: CVE-2017-0452 

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with the Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2017-8889, SVE-2017-8891, and SVE-2017-8892: Stack overflow in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking on a buffer in a trustlet can lead to memory corruption.
The applied patch adds boundary checking.


SVE-2017-8890: Over-read in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking on a buffer in a trustlet can lead to unauthorized access to data outside the buffer boundary.
The applied patch adds boundary checking.


SVE-2017-8893: Arbitrary write in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Assuming privilege escalation has already been achieved, lack of boundary checking in a trustlet can lead to an arbitrary write.
The applied patch adds boundary checking.


SVE-2017-9008 and SVE-2017-9009: Integer overflow in trustlet

Severity: Low
Affected versions: N(7.x)
Reported on: April 24, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking on a buffer in a trustlet can lead to memory corruption.
The patch removed the part of the code related to the integer overflow.
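As an added illustration of the boundary-check defects the trustlet items above describe (this is not Samsung's code; the command handler, buffer sizes and function names are hypothetical), the following C shows why a bounds check written as a sum can be defeated by 32-bit wrap-around, beside the overflow-safe form of the same check:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical trustlet command handler (constructed example): a client
 * passes an (offset, length) pair selecting a region of a shared buffer,
 * and the trustlet copies that region into a fixed-size output buffer. */
#define SHARED_BUF_SIZE 256u
#define OUT_BUF_SIZE    64u

/* Naive check: offset + length is computed in uint32_t, so a huge length
 * wraps the sum to a small value, the comparison passes, and the copy
 * that follows runs far outside the buffer. */
bool region_ok_naive(uint32_t offset, uint32_t length)
{
    return offset + length <= SHARED_BUF_SIZE;
}

/* Hardened check: every operand is bounded before it is used in any
 * arithmetic, and the subtraction cannot underflow once offset is known
 * to be within the buffer. The output buffer size is checked as well. */
bool region_ok(uint32_t offset, uint32_t length)
{
    if (offset > SHARED_BUF_SIZE)          return false;
    if (length > OUT_BUF_SIZE)             return false;
    if (length > SHARED_BUF_SIZE - offset) return false; /* no wrap possible */
    return true;
}

/* Copies the selected region only if the hardened check accepts it.
 * Returns the number of bytes copied, or -1 when the request is rejected. */
int copy_region(const uint8_t *shared, uint32_t offset, uint32_t length,
                uint8_t *out)
{
    if (!region_ok(offset, length))
        return -1;
    memcpy(out, shared + offset, length);
    return (int)length;
}

/* Self-contained driver over a constructed shared buffer (byte i holds i). */
int demo_copy(uint32_t offset, uint32_t length)
{
    static uint8_t shared[SHARED_BUF_SIZE];
    uint8_t out[OUT_BUF_SIZE];
    for (size_t i = 0; i < SHARED_BUF_SIZE; i++)
        shared[i] = (uint8_t)i;
    return copy_region(shared, offset, length, out);
}
```

The request (offset 16, length 0xFFFFFFF0) wraps the naive sum to 0 and is accepted, while the hardened check rejects it because the length exceeds both the output buffer and the space remaining after the offset.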


SVE-2017-9383: Abnormal screen touch via malformed input with multiwindow_facade API

Severity: Low
Affected versions: M(6.0)
Reported on: May 31, 2017
Disclosure status: Privately disclosed. 
Lack of an appropriate validation check for the display ID can halt the system with a NullPointerException caused by a reference to a non-existent display.
The supplied patch prevents the unexpected exception by validating the display ID.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Daniel Komaromy : SVE-2017-8889, SVE-2017-8890, SVE-2017-8891, SVE-2017-8892, SVE-2017-8893, SVE-2017-9008, SVE-2017-9009 
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9383 