SMR-AUG-2017
Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.
Google patches include all patches up to the Android Security Bulletin - August 2017 package.
The Bulletin (August 2017) contains the following CVE items:
Critical: CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0407, CVE-2017-9417
High: CVE-2017-0576, CVE-2016-10286, CVE-2016-10244, CVE-2017-0713, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0687, CVE-2017-0737
Moderate: CVE-2017-0583, CVE-2016-5346, CVE-2017-6425, CVE-2016-10236, CVE-2017-6426, CVE-2017-7370, CVE-2017-7372, CVE-2017-7373, CVE-2017-0451, CVE-2017-7308, CVE-2017-8264, CVE-2017-8266, CVE-2017-8268, CVE-2017-8258, CVE-2017-0560, CVE-2017-0712, CVE-2017-0738, CVE-2017-0739
Low: CVE-2017-0452
※ Please see the Android Security Bulletin for detailed information on Google patches.
Along with the Google patches, Samsung Mobile provides the 12 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2017-8889, SVE-2017-8891, and SVE-2017-8892: Stack overflow in trustlet
Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in a trustlet can lead to memory corruption.
The applied patch adds boundary checking.
SVE-2017-8890: Over-read in trustlet
Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in a trustlet can lead to unauthorized access to data outside of the buffer boundary.
The applied patch adds boundary checking.
SVE-2017-8893: Arbitrary write in trustlet
Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed.
Assuming privilege escalation is achieved, lack of boundary checking in a trustlet can lead to arbitrary write.
The applied patch adds boundary checking.
SVE-2017-9008 and SVE-2017-9009: Integer overflow in trustlet
Severity: Low
Affected versions: N(7.x)
Reported on: April 24, 2017
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in a trustlet can lead to memory corruption.
The applied patch removes the section of code affected by the integer overflow.
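The three trustlet entries above (stack overflow and over-read from a missing boundary check, and a boundary check defeated by integer overflow) share one root cause: a length or offset supplied by the untrusted caller is used before it is checked against the real buffer sizes. The following C program is an added illustration written for this page, not Samsung's or any TEE vendor's code; the command structure, buffer sizes and sample commands are constructed. It contrasts a naive range check whose 32-bit sum can wrap with an overflow-safe validation routine, and shows a handler that copies into its fixed-size local buffer only after that validation passes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SHARED_BUF_SIZE 64u  /* constructed: bytes in the world-shared buffer */
#define LOCAL_BUF_SIZE  32u  /* constructed: fixed-size buffer inside the handler */

/* Constructed command header: what an untrusted caller hands the trustlet. */
struct tci_cmd {
    uint32_t offset;  /* where the payload starts inside the shared buffer */
    uint32_t len;     /* payload length as claimed by the caller */
};

enum tci_status {
    TCI_OK = 0,
    TCI_E_OFFSET,    /* offset itself lies past the end of the shared buffer */
    TCI_E_RANGE,     /* offset+len runs past the shared buffer (over-read) */
    TCI_E_TOO_LONG   /* len does not fit the local buffer (stack overflow) */
};

/* Naive check of the kind the "integer overflow" entries describe:
 * offset + len is computed in 32 bits, so a huge offset wraps the sum
 * back below buf_size and the check passes. Kept only to show the flaw. */
int naive_range_ok(const struct tci_cmd *cmd, uint32_t buf_size)
{
    uint32_t end = cmd->offset + cmd->len;  /* may wrap around */
    return end <= buf_size;
}

/* Overflow-safe validation: compare len against the space remaining after
 * offset instead of adding, so no intermediate sum can wrap. Also bounds
 * len by the size of the destination buffer. */
enum tci_status validate_cmd(const struct tci_cmd *cmd, uint32_t buf_size, uint32_t dst_size)
{
    if (cmd->offset > buf_size)
        return TCI_E_OFFSET;
    if (cmd->len > buf_size - cmd->offset)   /* safe: offset <= buf_size here */
        return TCI_E_RANGE;
    if (cmd->len > dst_size)
        return TCI_E_TOO_LONG;
    return TCI_OK;
}

/* Handler that copies only after validation succeeds. Returns the number of
 * bytes copied, or the negated status code when the command is rejected. */
int handle_cmd(const struct tci_cmd *cmd, const uint8_t *shared, uint32_t shared_size)
{
    uint8_t local[LOCAL_BUF_SIZE];
    enum tci_status st = validate_cmd(cmd, shared_size, sizeof local);
    if (st != TCI_OK)
        return -(int)st;
    memcpy(local, shared + cmd->offset, cmd->len);
    /* ... the trustlet would process local[0..len) here ... */
    return (int)cmd->len;
}

int main(void)
{
    uint8_t shared[SHARED_BUF_SIZE];
    memset(shared, 0x41, sizeof shared);  /* constructed payload */

    struct tci_cmd good = { .offset = 8,  .len = 16 };
    struct tci_cmd over = { .offset = 0,  .len = 48 };   /* exceeds local buffer */
    struct tci_cmd oor  = { .offset = 60, .len = 16 };   /* runs past shared buffer */
    struct tci_cmd wrap = { .offset = 0xFFFFFFF0u, .len = 0x20 }; /* 32-bit sum wraps to 0x10 */

    printf("good: %d\n", handle_cmd(&good, shared, sizeof shared));
    printf("over: %d\n", handle_cmd(&over, shared, sizeof shared));
    printf("oor:  %d\n", handle_cmd(&oor, shared, sizeof shared));
    printf("wrap: naive=%d checked=%d\n",
           naive_range_ok(&wrap, SHARED_BUF_SIZE),
           handle_cmd(&wrap, shared, sizeof shared));
    return 0;
}
```

The design point is the order of the comparisons in validate_cmd: checking offset first makes the subtraction buf_size - offset well defined, and comparing len against that remainder is equivalent to offset + len <= buf_size without ever forming a sum that can overflow. Clamping len to the destination size is a separate check, because a payload that fits the shared buffer can still be larger than the handler's stack buffer.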
SVE-2017-9383: Abnormal screen touch via malformed input with multiwindow_facade API
Severity: Low
Affected versions: M(6.0)
Reported on: May 31, 2017
Disclosure status: Privately disclosed.
Lack of an appropriate validation check for the display ID can halt the system with a NullPointerException caused by a reference to a non-existent display.
The supplied patch prevents the unexpected exception by validating the display ID.
Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Daniel Komaromy : SVE-2017-8889, SVE-2017-8890, SVE-2017-8891, SVE-2017-8892, SVE-2017-8893, SVE-2017-9008, SVE-2017-9009
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9383