
Samsung Mobile September Update Details


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.



The following CVE items from the September 2017 Android Security Bulletin are included in this Security Update package:


Critical

CVE-2016-9794, CVE-2017-0756, CVE-2017-0757, CVE-2017-0758, CVE-2017-0759, CVE-2017-0760, CVE-2017-0761, CVE-2017-0762, CVE-2017-0763, CVE-2017-0764, CVE-2017-0765, CVE-2016-0842


High

CVE-2014-9940, CVE-2017-0648, CVE-2017-10661, CVE-2017-0421, CVE-2017-0752, CVE-2017-6983, CVE-2017-0755, CVE-2017-0767, CVE-2017-0768, CVE-2017-0769, CVE-2017-0770, CVE-2017-0771, CVE-2017-0772, CVE-2017-0773, CVE-2017-0774, CVE-2017-0775, CVE-2017-0776, CVE-2017-0777, CVE-2017-0778, CVE-2017-0670, CVE-2016-6712


Moderate

CVE-2017-0537, CVE-2017-0586, CVE-2017-8242, CVE-2017-8259, CVE-2017-8260, CVE-2017-8261, CVE-2017-8265, CVE-2017-8270, CVE-2017-0742, CVE-2017-9682, CVE-2017-0779, CVE-2017-0784


Low

CVE-2017-0650


Already included in previous updates

CVE-2017-8254, CVE-2014-9971, CVE-2014-9972, CVE-2014-9976, CVE-2015-0574, CVE-2015-8593, CVE-2015-8594, CVE-2015-9063, CVE-2015-9064, CVE-2015-9065, CVE-2016-10384, CVE-2016-10386


Not applicable to Samsung devices

CVE-2016-10385, CVE-2016-10390, CVE-2017-0750, CVE-2017-10662, CVE-2017-10663, CVE-2017-0741, CVE-2017-0753, CVE-2017-0766, CVE-2017-0780



※ Please see the Android Security Bulletin for detailed information on Google patches.



Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items, described below, to improve our customers' confidence in the security of Samsung Mobile devices. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.



SVE-2017-9299: Arbitrary code execution with svoice privileges


Severity: High

Affected versions: M(6.0), N(7.x)

Reported on: May 22, 2017

Disclosure status: Privately disclosed.

A vulnerability in SVoice allows attackers to modify dynamic libraries included in the app, resulting in arbitrary code execution with SVoice privileges.

The patch prevents access to dynamic libraries.



SVE-2017-9357: Email can be sent by malicious application via unprotected component


Severity: Low

Affected versions: KK(4.4), L(5.0/5.1), M(6.0), N(7.x)

Reported on: May 27, 2017

Disclosure status: Privately disclosed.

An unprotected component of the Samsung Email application allows attackers to send emails from the user's account without any user interaction.

The patch uses a permission to restrict which senders can broadcast the intent.



SVE-2017-9659: Security authentication reset issue without user confirmation


Severity: Moderate

Affected versions: M(6.0), N(7.0, 7.1)

Reported on: July 05, 2017

Disclosure status: Privately disclosed.

A vulnerability allows attackers to register a new security certificate without user authentication.

The patch addressed the issue.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.



Acknowledgements


We truly appreciate the following researchers for helping Samsung to improve the security of our products.


- MOULU Andre : SVE-2017-9299

- Yousra Aafer of Purdue University : SVE-2017-9357

- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9659
