LG 안드로이드 업데이트 권고

Android QuadRooter 보안취약점 포함

66개의 CVE 항목과 1개의 LVE 항목 패치 반영

The September Security Bulletin contains the 67 patches for the vulnerabilities from Google and LG. In particular it includes the fixes for the QuadRooter vulnerability from Qualcomm. The security patch level is [2016-09-01] and the patches contains the fix for the next 66 CVE items and 1 LVE item. The LG vulnerabilities and exposures (LVE) items are described in detail below.

Security issues Summary

CVE Items from Google patch (Android Bulletin September 2016)

• critical: 
  
  CVE-2016-3861

  , 

  CVE-2016-3862

  , 

  CVE-2016-2429

  , 

  CVE-2014-9902

  , 

  CVE-2016-3840

  , 

  CVE-2015-2686

  , 

  CVE-2016-3841

  , 

  CVE-2016-2504

  , 

  CVE-2016-3842

  , 

  CVE-2016-3843

  , 

  CVE-2016-3857

  , 

  CVE-2016-2474
• high: 
  
  CVE-2016-3863

  , 

  CVE-2016-3822

  , 

  CVE-2016-3870

  , 

  CVE-2016-3871

  , 

  CVE-2016-3872

  , 

  CVE-2016-3875

  , 

  CVE-2016-3876

  , 

  CVE-2016-3877

  , 

  CVE-2016-3823

  , 

  CVE-2016-3899

  , 

  CVE-2016-3878

  , 

  CVE-2016-3879

  , 

  CVE-2016-3880

  , 

  CVE-2016-3881

  , 

  CVE-2016-2495

  , 

  CVE-2014-9863

  , 

  CVE-2014-9864

  , 

  CVE-2014-9865

  , 

  CVE-2014-9866

  , 

  CVE-2014-9867

  , 

  CVE-2014-9868

  , 

  CVE-2014-9869

  , 

  CVE-2014-9870

  , 

  CVE-2014-9871

  , 

  CVE-2014-9872

  , 

  CVE-2014-9873

  , 

  CVE-2014-9874

  , 

  CVE-2014-9875

  , 

  CVE-2014-9876

  , 

  CVE-2014-9877

  , 

  CVE-2014-9878

  , 

  CVE-2014-9879

  , 

  CVE-2014-9880

  , 

  CVE-2014-9881

  , 

  CVE-2014-9882

  , 

  CVE-2014-9883

  , 

  CVE-2014-9884

  , 

  CVE-2014-9885

  , 

  CVE-2014-9886

  , 

  CVE-2014-9887

  , 

  CVE-2014-9888

  , 

  CVE-2014-9889

  , 

  CVE-2014-9890

  , 

  CVE-2014-9891

  , 

  CVE-2015-8937

  , 

  CVE-2015-8938

  , 

  CVE-2015-8939

  , 

  CVE-2015-8940

  , 

  CVE-2015-8941

  , 

  CVE-2015-8942

  , 

  CVE-2015-8943

  , 

  CVE-2016-2544

  , 

  CVE-2016-2546

  , 

  CVE-2014-9904

  , 

  CVE-2012-6701

  , 

  CVE-2016-3844

  , 

  CVE-2016-3845

  , 

  CVE-2016-3846

  , 

  CVE-2016-3847

  , 

  CVE-2016-3848

  , 

  CVE-2016-3849

  , 

  CVE-2016-3850

  , 

  CVE-2016-3843

  , 

  CVE-2016-3851

  , 

  CVE-2014-9892

  , 

  CVE-2014-9893

  , 

  CVE-2014-9894

  , 

  CVE-2014-9895

  , 

  CVE-2014-9896

  , 

  CVE-2014-9897

  , 

  CVE-2014-9898

  , 

  CVE-2014-9899

  , 

  CVE-2014-9900

  , 

  CVE-2015-8944

  , 

  CVE-2014-9903

  , 

  CVE-2016-3852

  , 

  CVE-2016-4482

  , 

  CVE-2014-9901

  , 

  CVE-2016-3854

  , 

  CVE-2016-3855

  , 

  CVE-2016-3856
• moderate: 
  
  CVE-2016-3883

  , 

  CVE-2016-3884

  , 

  CVE-2016-3885

  , 

  CVE-2016-3886

  , 

  CVE-2016-3887

  , 

  CVE-2016-3888

  , 

  CVE-2016-3889

  , 

  CVE-2016-3890

  , 

  CVE-2016-3891

  , 

  CVE-2016-3833

  , 

  CVE-2016-3895

  , 

  CVE-2016-3896

  , 

  CVE-2016-3897

  , 

  CVE-2016-3898

  , 

  CVE-2016-3853

  , 

  CVE-2016-2497

  , 

  CVE-2016-4578

  , 

  CVE-2016-4569

  , 

  CVE-2016-4578
• low: 
  
  CVE-2016-2427

QuadRooter CVE Items (Android QuadRooter Vulnerabilities)

• critical: 
  
  CVE-2016-2503

  , 

  CVE-2016-2504
• high: 
  
  CVE-2016-2059

  , 

  CVE-2016-5340

LG Vulnerabilities and Exposures(LVE) Items from LG

• high: 
  
  LVE-SMP-160027

Security issues Details

You can see the detail information on Google patches from Android Security Bulletin site.There is a description of the security issue, a severity, affected devices information and date reported.

Android QuadRooter vulnerability

QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. If any one of the four vulnerabilities is exploited, attacker can trigger privilege escalations for the purpose of gaining root access to a device. All four vulnerabilities require download and installation of a malicious application. These vulnerabilities are:

• CVE-2016-2059 : A Qualcomm public advisory was issued on April 26, 2016 detailing a vulnerability in the IPC router kernel module due to the possibility of the Linux IPC router being able to bind any port as a control port.
• CVE-2016-5340 : A Qualcomm public advisory was issued on July 28, 2016 detailing a vulnerability in the KGSL Linux Graphics Module due to an invalid path check on the ashmem memory file.
• CVE-2016-2503 and CVE-2016-2504 : A Qualcomm public advisory was issued on July 6, 2016 detailing two vulnerabilities in the KGSL Linux Graphics Module due to race conditions that could lead to a use after free. CVE-2016-2503 was already included in the LG Security Bulletin for August 2016.

LVE-SMP-160027 : information disclosure vulnerability on LGATCMDHandler

• Severity : High
• Date reported : Jun-13-2016
• Affected device Informaion : L(5.0.2/5.1.1), M(6.0/6.0.1)
• Description : 
  The vulnerability could enable to control data via AT command. The fix is designed to add additional authentication to LGATCMDHandler.