삼성 모바일 2017년 1월 정기 업데이트

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung. 

Google patches include patches up to Android Security Bulletin – January 2017 package. 

The Bulletin (January 2017) contains the following CVE items: 
CVE-2016-3843(C), CVE-2016-3869(H), CVE-2015-8961(C), CVE-2016-6738(H), CVE-2016-3904(H), CVE-2016-6743(H), CVE-2016-6748(M), CVE-2016-6749(M), CVE-2016-7917(M), CVE-2016-5195(C), CVE-2015-8966(C), CVE-2016-9120(C), CVE-2015-8967(H), CVE-2016-6782(H), CVE-2016-6783(H), CVE-2016-6784(H), CVE-2016-6758(H), CVE-2016-6759(H), CVE-2016-6760(H), CVE-2016-6761(H), CVE-2016-6755(H), CVE-2016-6788(H), CVE-2016-6791(H), CVE-2016-8391(H), CVE-2016-8392(H), CVE-2015-7872(H), CVE-2016-6756(M), CVE-2016-8401(M), CVE-2016-8402(M), CVE-2016-8403(M), CVE-2016-8404(M), CVE-2016-8405(M), CVE-2016-8407(M), CVE-2016-8398(H), CVE-2016-8398(H), CVE-2016-8437(H), CVE-2016-8439(H), CVE-2016-8440(H), CVE-2016-8441(H), CVE-2016-8438(C), CVE-2016-8442(C), CVE-2016-8450(H), CVE-2016-6754(H), CVE-2017-0381(C), CVE-2016-5180(H), CVE-2017-0382(H), CVE-2017-0383(H), CVE-2017-0384(H), CVE-2017-0385(H), CVE-2017-0386(H), CVE-2017-0387(H), CVE-2017-0388(H), CVE-2016-3911(H), CVE-2017-0389(H), CVE-2017-0390(H), CVE-2017-0391(H), CVE-2017-0392(H), CVE-2017-0393(H), CVE-2017-0394(H), CVE-2017-0396(M), CVE-2017-0397(M), CVE-2017-0398(M), CVE-2017-0399(M), CVE-2017-0400(M), CVE-2017-0401(M), CVE-2017-0402(M), and CVE-2016-6720(M).

* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 28 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices¹. 
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release. 

SVE-2016-6362: out of bound read in gpu driver

Severity: Low 
Affected versions: M(6.0), N(7.0) devices with Exynos AP chipsets
Reported on: May 31, 2016
Disclosure status: Privately disclosed. 
Vulnerability in gpu driver does not properly check the boundary of buffers leading to a possible memory corruption.
The applied patch avoids an illegal access to memory by checking the boundary.

SVE-2016-6917: Forcing factory resets with a large manifest file on Samsung Android Devices

Severity: Medium 
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: August 13, 2016
Disclosure status: Privately disclosed. 
A system crash at boot time can be triggered by a malformed manifest file during parsing of active install session APKs, resulting in a possible DoS attack.
The applied patch avoids parsing active install session APKs.

SVE-2016-7122: Unexpected SystemUI FC driven by arbitrary application

Severity: Low 
Affected versions: L(5.0/5.1), M(6.0), N(7.0)
Reported on: September 13, 2016
Disclosure status: Privately disclosed. 
Lack of appropriate exception handling in some applications allows attackers to make a systemUI crash easily resulting in a possible DoS attack.
The patch prevents systemUI crashes by handling unexpected exceptions.

SVE-2016-7183: Security issue patch that exposes path of files through log

Severity: Low 
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: September 21, 2016
Disclosure status: Privately disclosed. 
The vulnerability exposes the lists of files stored in sdcard to the system protected log when receiving certain intent.
The patch restricts the senders capable of broadcasting the intent by permission.

SVE-2016-7340: Information disclosure via /dev/dsm_ctrl_dev

Severity: Medium 
Affected versions: L(5.1), M(6.0), N(7.0)
Reported on: October 8, 2016
Disclosure status: Privately disclosed. 
This vulnerability allows reading data outside of buffer boundary due to not checking the boundary.
The applied patch avoids an illegal access to memory by checking the boundary.

SVE-2016-7466: ko(Kernel Module) signature can be bypassed

Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos5433, Exynos7420, or Exynos7870 chipset
Reported on: October 4, 2016
Disclosure status: Privately disclosed. 
Assuming the device is rooted, a vulnerability allows an attacker to bypass kernel module confirmation by manipulating the count value of kernel modules required to check the integrity.
The patch prevents the modification of the count value at the build time.

SVE-2016-7484: Buffer overflow vulnerability in sensor hub

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0) devices with Exynos54xx, Exynos7420, Exynos8890, or Exynos8895 chipset
Reported on: October 18, 2016
Disclosure status: Privately disclosed. 
There is a potential buffer overflow problem due to not confirming boundary condition before memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the Linux file permission already protects access to this code.

SVE-2016-7500: Multiple Buffer Overflows in TSP sysfs cmd_store

Severity: Low
Affected versions: M(6.0), N(7.0) devices with Exynos8890 chipset
Reported on: October 20, 2016
Disclosure status: Privately disclosed. 
There are some potential buffer overflow problems in TSP sysfs due to not confirming boundary condition before memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the TSP sysfs is already protected by the Linux file permission.

SVE-2016-7501: Race condition in sec_ts touchscreen sysfs interface

Severity: Low
Affected versions: M(6.0), N(7.0) devices with MSM8939, MSM8996, MSM8998, Exynos7580, Exynos8890, or Exynos8895 chipset
Reported on: October 20, 2016
Disclosure status: Privately disclosed. 
There is no synchronization mechanism between getting the size of the readbuffer and its actual reading, which can result in buffer overflow by race conditions.
The fix avoids race condition by using locking mechanism, but the sysfs is already protected by the Linux file permission.

SVE-2016-7510: Buffer overflow in "fps" sysfs entry

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: October 22, 2016
Disclosure status: Privately disclosed. 
There is a potential buffer overflow problem in “fps” sysfs due to not confirming boundary condition before memory copy.
The supplied patch prevents buffer overflow by confirming the sizes of source and destination, but the “fps” sysfs is already protected by the Linux file permission.

SVE-2016-7551: Exposure of Kernel Address on the Log

Severity: Low
Affected versions: All devices with Exynos5 chipset
Reported on: October 25, 2016
Disclosure status: Privately disclosed. 
The vulnerability allows unprivileged users to get kernel addresses from the log due to using wrong format specifier.
The fix shows ‘0’ value for the kernel addresses to unprivileged users.

SVE-2016-7650: VR Service Security Issue

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: November 8, 2016
Disclosure status: Privately disclosed. 
There is no mechanism to limit to the number of active VR service threads, which can result in system crash by exceeding available number of system threads.
The patch prevents system crash by limiting the number of VR service threads at a time.

SVE-2016-7654: Secure data exposure in EAS autodiscover packet

Severity: High
Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.0)
Reported on: November 4, 2016
Disclosure status: Privately disclosed. 
The vulnerability discloses user credentials to sub-domain whenever users log in at an email account under certain conditions.
The patch avoids disclosure by removing code sending user credentials.

SVE-2016-7751: Several Security flaws in libskia library

Severity: Medium
Affected versions: M(6.0)
Reported on: November 29, 2016
Disclosure status: Privately disclosed. 
The vulnerability allows an attacker to trigger a crash when parsing malformed images.
The patch prevents a crash by using fixed values instead of variable ones for buffers.

SVE-2016-7897: Several RKP issues

Severity: Medium
Affected versions: M(6.0), N(7.0) devices with Exynos7420, Exynos8895, MSM8996, or MSM8998 chipset
Reported on: October 24, 2016
Disclosure status: Privately disclosed. 
There are 6 vulnerabilities related with RKP, including memory corruption, information disclosure, privilege escalation, and authentication bypass.
The adequate remedies are applied to each vulnerability.


In addition, the following CVEs are included as part of Samsung security patches:
CVE-2016-8655(C)

* Severity : (C)-Critical,   (H)-High,   (M)-Medium,   (L)-Low

¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truely appreciate the following researchers for helping Samsung to improve the security of our products. 

- James Fang and Anthony LAOU HINE TSUEI of Tencent Keen Lab : SVE-2016-6362 
- Ryan Johnson and Angelos Stavrou of Kryptowire : SVE-2016-6917 
- Quhe of Alipay unLimit Security Team : SVE-2016-7122 
- Qing Zhang of Qihoo 360 and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7183 
- Gal Beniamini of Google Project Zero : SVE-2016-7340, SVE-2016-7466, SVE-2016-7484, SVE-2016-7500, SVE-2016-7501, SVE-2016-7510, SVE-2016-7551, SVE-2016-7897 
- Yaoguang Chen of Ant-financial Light-Year Security Lab : SVE-2016-7650 
- Nesterov Ilya and Goncharov Maxim : SVE-2016-7654