SMR-MAR-2017
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.
The Google patches include all fixes up to and including the Android Security Bulletin - March 2017 package.
The Bulletin (March 2017) contains the following CVE items:
CVE-2015-8816(C), CVE-2014-9781(H), CVE-2016-3843(C), CVE-2016-6674(H), CVE-2016-6675(H), CVE-2014-9675(H), CVE-2016-6728(C), CVE-2016-7910(C), CVE-2016-6757(M), CVE-2016-8406(M), CVE-2016-6690(L), CVE-2015-3288(C), CVE-2016-8422(C), CVE-2016-8423(C), CVE-2016-8415(H), CVE-2017-0404(H), CVE-2016-8452(H), CVE-2017-0399(M), CVE-2017-0400(M), CVE-2017-0402(M), CVE-2017-0395(M), CVE-2016-8418(C), CVE-2017-0437(H), CVE-2017-0438(H), CVE-2017-0439(H), CVE-2016-8419(H), CVE-2016-8420(H), CVE-2016-8421(H), CVE-2017-0440(H), CVE-2017-0441(H), CVE-2017-0442(H), CVE-2017-0443(H), CVE-2016-8476(H), CVE-2016-8414(M), CVE-2017-0451(M), CVE-2017-0423(M), CVE-2016-9806(C), CVE-2016-8655(H), CVE-2016-9793(H), CVE-2016-8416(M), CVE-2016-8477(M), CVE-2016-2182(C), CVE-2017-0466(C), CVE-2017-0467(C), CVE-2017-0468(C), CVE-2017-0469(C), CVE-2017-0470(C), CVE-2017-0471(C), CVE-2017-0472(C), CVE-2017-0473(C), CVE-2017-0474(C), CVE-2017-0475(C), CVE-2017-0478(H), CVE-2017-0479(H), CVE-2017-0480(H), CVE-2017-0481(H), CVE-2017-0482(H), CVE-2017-0483(H), CVE-2017-0484(H), CVE-2017-0485(H), CVE-2017-0486(H), CVE-2017-0487(H), CVE-2017-0488(H), CVE-2017-0390(H), CVE-2017-0392(H), CVE-2017-0489(M), CVE-2017-0490(M), CVE-2017-0491(M), CVE-2017-0495(M), CVE-2017-0496(M), CVE-2017-0497(M), CVE-2017-0498(M), and CVE-2017-0499(L).
* Severity : (C)-Critical, (H)-High, (M)-Moderate, (L)-Low
※ Please see Android Security Bulletin for detailed information on Google patches.
Along with the Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2016-7797: Restricted account security flaw
Severity: Medium
Affected versions: L(5.0/5.1), M(6.0) all tablet devices
Reported on: December 4, 2016
Disclosure status: Privately disclosed.
A vulnerability allows an unauthorized user to create additional user accounts on a tablet from the lock screen, without unlocking the device; the new account can then access user data stored on external storage, which is shared between users.
The patch protects tablet devices by removing the "add user" feature from the lock screen interface, so that account creation is only possible after the device has been unlocked.
SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader
Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
Multiple buffer overflow vulnerabilities exist in the Qualcomm bootloader. Because the bootloader runs before the Android kernel and outside its protections, a memory-corruption bug there is rated Critical.
The patch prevents the buffer overflows by removing the problematic source code.
SVE-2017-8114, SVE-2017-8116, and SVE-2017-8117: Crash on AudioService via unprotected intent
Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: January 12, 2017
Disclosure status: Privately disclosed.
Some receivers of the AudioService application accept intents without adequate protection and lack appropriate exception handling; an attacker can send a crafted intent that raises an unhandled exception and crashes the system, resulting in a possible denial of service (DoS).
The patch prevents these system crashes by handling unexpected exceptions in the affected receivers.
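The advisory gives no code, so the following is an added illustration (not Samsung's code) of the pattern it describes: a broadcast receiver reachable by any application that lets an exception escape from onReceive(), beside a hardened version. The class, package, action and extra names are hypothetical; the real AudioService receivers and actions are not named in the advisory. On Android an uncaught exception in onReceive() kills the hosting process, so when the receiver lives in a system-privileged app the result is the system-wide crash the advisory describes.

```java
// Added illustration for SVE-2017-8114/8116/8117; hypothetical names throughout.
package example.audio;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class VolumeReceiver extends BroadcastReceiver {
    private static final String TAG = "VolumeReceiver";
    // Hypothetical action; the advisory does not name the real ones.
    static final String ACTION_SET_STREAM_VOLUME = "example.audio.SET_STREAM_VOLUME";
    private static final int MAX_VOLUME = 15;
    private final int[] streamVolumes = new int[10];

    // BEFORE (vulnerable pattern): if the receiver is exported without a
    // permission, any app can send this broadcast. A broadcast with no extras
    // throws NullPointerException at getExtras().getInt(), and an out-of-range
    // "stream" throws ArrayIndexOutOfBoundsException; neither is caught, so the
    // hosting process dies. Kept deliberately unfixed to show the bug.
    public void onReceiveVulnerable(Context context, Intent intent) {
        int stream = intent.getIntExtra("stream", 0);
        int volume = intent.getExtras().getInt("volume");
        streamVolumes[stream] = volume;
    }

    // AFTER (hardened): validate every field of the untrusted intent and never
    // let a RuntimeException propagate out of onReceive().
    @Override
    public void onReceive(Context context, Intent intent) {
        try {
            if (intent == null || !ACTION_SET_STREAM_VOLUME.equals(intent.getAction())) {
                return;
            }
            Bundle extras = intent.getExtras();
            if (extras == null) {
                Log.w(TAG, "broadcast without extras ignored");
                return;
            }
            int stream = extras.getInt("stream", -1);
            int volume = extras.getInt("volume", -1);
            if (stream < 0 || stream >= streamVolumes.length
                    || volume < 0 || volume > MAX_VOLUME) {
                Log.w(TAG, "malformed broadcast ignored: stream=" + stream
                        + " volume=" + volume);
                return;
            }
            streamVolumes[stream] = volume;
        } catch (RuntimeException e) {
            // Last line of defence: a crafted intent must not take the process down.
            Log.w(TAG, "unexpected exception while handling broadcast", e);
        }
    }

    // Returns the stored volume for a stream, or -1 for an invalid index.
    public int getStreamVolume(int stream) {
        return (stream >= 0 && stream < streamVolumes.length) ? streamVolumes[stream] : -1;
    }
}
```

Exception handling is the fix the advisory describes; the complementary control is to stop the intent from being "unprotected" in the first place, by declaring the receiver with `android:exported="false"` in the manifest, or by guarding it with a signature-level `android:permission`, so that only trusted senders reach onReceive() at all. To check whether a receiver of your own is reachable from an unprivileged shell, send it a deliberately malformed broadcast and confirm the process survives, for example `adb shell am broadcast -a example.audio.SET_STREAM_VOLUME --ei stream 99` (the action name is the hypothetical one from the example).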
¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Costandinos "Dino" Tsagaratos : SVE-2016-7797
- Frédéric Basse : SVE-2016-7930
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-8114, SVE-2017-8116, SVE-2017-8117