삼성 smart security update

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – November 2016 package.

The Bulletin (November 2016) contains the following CVE items:
CVE-2014-9802(H), CVE-2014-9895(H), CVE-2016-3859(H), CVE-2016-5340(C), CVE-2016-7117(C), CVE-2016-2059(H), CVE-2016-3931(H), CVE-2016-3903(H), CVE-2016-3934(H), CVE-2015-8951(H), CVE-2016-3938(H), CVE-2016-3939(H), CVE-2016-3905(H), CVE-2016-6676(H), CVE-2016-5342(H), CVE-2016-3809(H), CVE-2015-0572(M), CVE-2016-3860(M), CVE-2016-6679(M), CVE-2016-3902(M), CVE-2016-6681(M), CVE-2016-6682(M), CVE-2016-6691(H), CVE-2016-6693(H), CVE-2016-6694(H), CVE-2016-6695(H), CVE-2016-6696(H), CVE-2016-6699(C), CVE-2016-3862(C), CVE-2016-6700(C), CVE-2016-6701(H), CVE-2016-6702(H), CVE-2016-6703(H), CVE-2016-6704(H), CVE-2016-6705(H), CVE-2016-6706(H), CVE-2016-6707(H), CVE-2016-6708(H), CVE-2016-3912(H), CVE-2016-6709(H), CVE-2016-6710(H), CVE-2014-9908(H), CVE-2015-0410(H), CVE-2016-6711(H), CVE-2016-6712(H), CVE-2016-6713(H), CVE-2016-6714(H), CVE-2016-3754(H), CVE-2016-6715(M), CVE-2016-6717(M), CVE-2016-6718(M), CVE-2016-6719(M), CVE-2016-3889(M), CVE-2016-6720(M), CVE-2016-6721(M), CVE-2016-6722(M), CVE-2016-6723(M), CVE-2016-6724(M), CVE-2016-2184(C), and CVE-2014-9874(H).
* Severity : (C)-Critical, (H)-High, (M)-Moderate, (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 14 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2016-6343: Unauthorized API access via system service call

Severity: Medium
Affected versions: M(6.0)
Reported on: May 26, 2016
Disclosure status: Privately disclosed.
The vulnerability allowing unauthorized access to system APIs from system service with improper access control enables attackers to control the device screen.
The patch includes checks for access control.


SVE-2016-6736: Kernel Crash on /dev/fimg2d ioctl command

Severity: Medium
Affected versions: All devices with Exynos 5433/54xx/7420 chipsets
Reported on: June 11, 2016
Disclosure status: Privately disclosed.
The fimg2d which is one of the graphic devices for Exynos chipsets doesn’t have exception control routines to handle unexpected commands and it can lead to kernel panic.
The patch prevents kernel panic by ignoring inappropriate commands at the state.


SVE-2016-6853: Use After Free in /dev/fimg2d

Severity: Medium
Affected versions: All devices with Exynos 5433/54xx/7420 chipsets
Reported on: August 5, 2016
Disclosure status: Privately disclosed.
A use-after-free vulnerability in fimg2d allows attackers to gain access to unauthorized data.
The patch with error handling was applied.


SVE-2016-6906: A IDX Out of Bound vulnerability in systemui can make crash and ui restart

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: August 16, 2016
Disclosure status: Privately disclosed.
One of the activities in SystemUI can produce array index out of bounds exception as a combination of some APIs and it leads to UI restart.
The patch fixes the vulnerability in the corresponding APIs.


SVE-2016-7044: system_server crash, DoS (AntService)

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 6, 2016
Disclosure status: Privately disclosed.
The system services “AntService” doesn’t have proper access control and exception handling. And it allows attackers to use system API of “AntService” and cause rebooting of device by force-crashing the service.
The patch restricts unauthorized access to the “AntService” and filters out improper cases which may cause crash.


SVE-2016-7179 and SVE-2016-7182: Broadcasting unprotected intent can activate Turn off all Sound

Severity: Low
Affected versions: M(6.0)
Reported on: September 22, 2016
Disclosure status: Privately disclosed.
The vulnerability allows unauthorized processes to turn off all sound by broadcasting an unprotected intent.
The patch protects the receiver by changing to protected intent.


SVE-2016-7220 and SVE-2016-7225: Heap-overflow in “tlc_server”

Severity: Medium
Affected versions: M(6.0)
Reported on: September 29, 2016
Disclosure status: Privately disclosed.
There are two overflow vulnerabilities. One is Heap overflow due to passing an improper size when allocating buffers and the other is Integer overflow due to not verifying the bounds of the value.
The patch removes the part of code related with Heap overflow and verifies the range of integer value to prevent Integer overflow.


SVE-2016-7504: Linux kernel race condition on CopyOnWrite (DirtyCOW)

Severity: Critical
Affected versions: All devices
Reported on: October 20, 2016
Disclosure status: Privately disclosed.
Where a lot of write operations and calls to madvise() happens, one of the write operations can reach and write to read-only memory map by a race condition on the Linux kernel when operating with CopyOnWrite(COW) operation.
The fix introduces a new “state” for copy-on-write pages which prevents the race condition.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truely appreciate the following researchers for helping Samsung to improve the security of our products.

- Zhaozhanpeng of Cheetah Mobile : SVE-2016-6343
- James Fang and Anthony LAOU HINE TSUEI of Tencent Keen Lab : SVE-2016-6736, SVE-2016-6853
- Quhe of Alipay unLimit Security Team : SVE-2016-6906
- He En of MS509 Team : SVE-2016-7044
- Qing Zhang of Qihoo 360 and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7179, SVE-2016-7182
- Gal Beniamini of Google Project Zero : SVE-2016-7220