2 posts tagged 'Android'

LG Mobile Security Maintenance Release Summary (SMR)

The August Security Bulletin contains 61 patches for vulnerabilities from Google and LGE. The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. It also includes patches for the vulnerabilities. In most cases the security patch level is "2017-08-01", and the patches contain modified code for the 60 CVE items and 1 LVE item.

Security issues Summary

CVE Items from Google patch (Android Bulletin August 2017)
  • critical: 
    CVE-2017-0714
    CVE-2017-0715
    CVE-2017-0716
    CVE-2017-0718
    CVE-2017-0719
    CVE-2017-0720
    CVE-2017-0721
    CVE-2017-0722
    CVE-2017-0723
    CVE-2017-0745
    CVE-2017-0407
    CVE-2017-9417
  • high: 
    CVE-2017-0713
    CVE-2017-0724
    CVE-2017-0725
    CVE-2017-0726
    CVE-2017-0727
    CVE-2017-0728
    CVE-2017-0729
    CVE-2017-0730
    CVE-2017-0731
    CVE-2017-0732
    CVE-2017-0733
    CVE-2017-0734
    CVE-2017-0735
    CVE-2017-0736
    CVE-2017-0687
    CVE-2017-0737
    CVE-2017-6074
    CVE-2017-5970
    CVE-2017-0711
    CVE-2017-8255
    CVE-2016-10389
    CVE-2017-8253
    CVE-2017-8262
    CVE-2017-8263
    CVE-2017-8267
    CVE-2017-8273
  • moderate: 
    CVE-2017-0712
    CVE-2017-0738
    CVE-2017-0739
    CVE-2017-0705
    CVE-2017-0706
    CVE-2015-5707
    CVE-2017-0710
    CVE-2017-7308
    CVE-2014-9731
    CVE-2016-5863
    CVE-2017-8243
    CVE-2017-8246
    CVE-2017-8256
    CVE-2017-8257
    CVE-2017-8259
    CVE-2017-8260
    CVE-2017-8261
    CVE-2017-8264
    CVE-2017-8265
    CVE-2017-8266
    CVE-2017-8268
    CVE-2017-8270
    CVE-2017-8271
    CVE-2017-8272
    CVE-2017-8254
    CVE-2017-8258
    CVE-2017-8269
  • low: 
    N/A
LG Vulnerabilities and Exposures (LVE) Items from LG
  • high: 
    LVE-SMP-170014

Security issues Details

You can find detailed information on the Google patches on the Android Security Bulletin site. It gives a description of each security issue, its severity, affected device information and the date reported.

LVE-SMP-170014
  • Severity : High
  • Date reported : April 20, 2017
  • Affected device information : Android devices with OS 6.0, 6.0.1, 7.0.0, 7.1.1
  • Description : 
    After an Android for Work (AfW) work profile is provisioned, users cannot install certificates into the work profile keystore because the master key, which is usually used to encrypt or decrypt all keys in the work profile keystore, does not exist.

Ryansecurity Ryansecurity

Life is fun security story

SMR-AUG-2017



Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung. 

Google patches include patches up to Android Security Bulletin - August 2017 package. 

The Bulletin (August 2017) contains the following CVE items: 
Critical: CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0407, CVE-2017-9417 
High: CVE-2017-0576, CVE-2016-10286, CVE-2016-10244, CVE-2017-0713, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0687, CVE-2017-0737 
Moderate: CVE-2017-0583, CVE-2016-5346, CVE-2017-6425, CVE-2016-10236, CVE-2017-6426, CVE-2017-7370, CVE-2017-7372, CVE-2017-7373, CVE-2017-0451, CVE-2017-7308, CVE-2017-8264, CVE-2017-8266, CVE-2017-8268, CVE-2017-8258, CVE-2017-0560, CVE-2017-0712, CVE-2017-0738, CVE-2017-0739 
Low: CVE-2017-0452 

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 12 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. 
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release. 


SVE-2017-8889, SVE-2017-8891, and SVE-2017-8892: Stack overflow in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking of a buffer in a trustlet can lead to memory corruption.
The applied patch adds boundary checking.


SVE-2017-8890: Over-read in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking of a buffer in a trustlet can lead to unauthorized access to data outside of the boundary.
The applied patch adds boundary checking.


SVE-2017-8893: Arbitrary write in trustlet

Severity: Low
Affected versions: M(6.0), N(7.x)
Reported on: April 11, 2017
Disclosure status: Privately disclosed. 
Assuming privilege escalation is achieved, lack of boundary checking in a trustlet can lead to arbitrary write.
The applied patch adds boundary checking.


SVE-2017-9008 and SVE-2017-9009: Integer overflow in trustlet

Severity: Low
Affected versions: N(7.x)
Reported on: April 24, 2017
Disclosure status: Privately disclosed. 
Lack of boundary checking of a buffer in a trustlet can lead to memory corruption.
The patch removed the part of the code related to the integer overflow.


SVE-2017-9383: Abnormal screen touch via malformed input with multiwindow_facade API

Severity: Low
Affected versions: M(6.0)
Reported on: May 31, 2017
Disclosure status: Privately disclosed. 
Lack of an appropriate validation check for the display ID can halt the system due to a NullPointerException caused by a mismatch with a non-existing display.
The supplied patch prevents the unexpected exception by validating the display ID.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products. 

- Daniel Komaromy : SVE-2017-8889, SVE-2017-8890, SVE-2017-8891, SVE-2017-8892, SVE-2017-8893, SVE-2017-9008, SVE-2017-9009 
- Qing Zhang of Xiaomi and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2017-9383 