Date: Fri, 30 Mar 2018 23:08:02 +0800
From: flanker017 <flankerhqd017@...il.com>
To: oss-security@...ts.openwall.com, zhuozhuozhuozhuozhuo@...il.com, 
	l.dmxcsnsbh@...il.com
Subject: Fwd: [scr485440] 5 Samsung CVEs

 Hello:

The following issues are addressed with corresponding CVEs assigned by
MITRE for Samsung Mobile Security February update 2018.

Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb

Referring to SMR-FEB-2018 section:

> SVE-2017-10991: Heap overflow in sensorhub binder service lead to code
> execution in privileged process
> Severity: Moderate
> Affected Versions: M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Heap overflow vulnerability in sensorhub binder service can lead to code
> execution in privileged process.
> The patch checks the size of buffer before the memcpy() to avoid heap
> overflow.
>

This issue is assigned CVE-2018-9143
Credits: Qidan He (@...nker_hqd), Zhuoyuan Li


> SVE-2017-11165: Buffer overflow in vision
> Severity: High
> Affected Versions: N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Buffer overflow vulnerability in vision service can lead to local
> arbitrary code execution in a privileged process when the frame size is
> over 2M.
> The patch protects the size under enqueue frame using memcpy.
>
>
This issue is assigned CVE-2018-9139
Credits: Qidan He (@...nker_hqd)

> SVE-2017-10747: Code Execution and arbitrary file loading in Email
> Severity: Critical
> Affected Versions: M(6.0)
> Reported on: November 2, 2017
> Disclosure status: Privately disclosed.
> Vulnerability email app allows an attacker to execute javascript using
> event attribute and load arbitrary local file using src attribute.
> The patch restricts the file scheme and javascript in event attribute.
>
This issue is assigned CVE-2018-9140
Credits: Qidan He (@...nker_hqd), Gengming Liu (@...csnsbh), Zhen Feng

> SVE-2017-10932: Arbitrary application installation in Secure Folder
> Severity: Moderate
> Affected Versions: N(7.x)
> Reported on: November 10, 2017
> Disclosure status: Privately disclosed.
> A random APK can be installed through Secure Folder SDCARD area.
> The patch fixed the logic to check package signature and package name to
> install verified Backup and restore APK.
>
This issue is assigned CVE-2018-9142
Credits: Qidan He (@...nker_hqd)


> SVE-2017-11105: Code execution in Samsung Gallery
> Severity: Low
> Affected Versions: L(5.x), M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Vulnerability in Gallery allows code execution with a BMP file.
> The patch fixed the parser to validate proper resolution of BMP file.


This issue is assigned CVE-2018-9141
Credits: Qidan He (@...nker_hqd), Zhuoyuan Li

Thanks.
---------- Forwarded message ----------
From: <cve-request@...re.org>
Date: 2018-03-30 14:46 GMT+08:00
Subject: Re: [scr485440] 5 Samsung CVEs
Cc: cve-request@...re.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> On Samsung mobile devices with N(7.x) software, a buffer overflow in the
> vision service allows code execution in a privileged process
> via a large frame size, aka
> SVE-2017-11165.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-11165: Buffer overflow in vision
> Severity: High
> Affected Versions: N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Buffer overflow vulnerability in vision service can lead to local
> arbitrary code execution in a privileged process when the frame size is
> over 2M.
> The patch protects the size under enqueue frame using memcpy.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android N(7.x) - N(7.x) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung System Service: vision
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local malicious app
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@...nker_hqd)

Use CVE-2018-9139.


> [Suggested description]
> On Samsung mobile devices with M(6.0) software, the Email application
> allows XSS via an event attribute and arbitrary file loading via a src
> attribute,
> aka SVE-2017-10747.
>
> ------------------------------------------
>
>
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-10747: Code Execution and arbitrary file loading in Email
> Severity: Critical
> Affected Versions: M(6.0)
> Reported on: November 2, 2017
> Disclosure status: Privately disclosed.
> Vulnerability email app allows an attacker to execute javascript using
> event attribute and load arbitrary local file using src attribute.
> The patch restricts the file scheme and javascript in event attribute.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile M(6.0) - M(6.0) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Email Application
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@...nker_hqd), Gengming Liu, Zhen Feng

Use CVE-2018-9140.


> [Suggested description]
> On Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software,
> Gallery allows remote attackers to execute arbitrary code via a
> BMP file with a crafted resolution, aka SVE-2017-11105.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
> SVE-2017-11105: Code execution in Samsung Gallery
> Severity: Low
> Affected Versions: L(5.x), M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Vulnerability in Gallery allows code execution with a BMP file.
> The patch fixed the parser to validate proper resolution of BMP file.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android L(5.x), M(6.0), N(7.x) - L(5.x), M(6.0), N(7.x)
> before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Gallery
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Remote BMP file
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@...nker_hqd), Zhuoyuan Li

Use CVE-2018-9141.


> [Suggested description]
> On Samsung mobile devices with N(7.x) software, attackers can install an
> arbitrary APK in the Secure Folder SD Card area because
> of faulty validation of a package signature and package name, aka
> SVE-2017-10932.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
> SVE-2017-10932: Arbitrary application installation in Secure Folder
> Severity: Moderate
> Affected Versions: N(7.x)
> Reported on: November 10, 2017
> Disclosure status: Privately disclosed.
> A random APK can be installed through Secure Folder SDCARD area.
> The patch fixed the logic to check package signature and package name to
> install verified Backup and restore APK.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Insecure Permissions
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile N(7.x) - N(7.x) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Secure Folder
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local Malicious App
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@...nker_hqd)

Use CVE-2018-9142.


> [Suggested description]
> On Samsung mobile devices with M(6.0) and N(7.x) software, a heap
> overflow in the sensorhub binder service leads to code execution in a
> privileged process,
> aka SVE-2017-10991.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-10991: Heap overflow in sensorhub binder service lead to code
> execution in privileged process
> Severity: Moderate
> Affected Versions: M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Heap overflow vulnerability in sensorhub binder service can lead to code
> execution in privileged process.
> The patch checks the size of buffer before the memcpy() to avoid heap
> overflow.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android M(6.0), N(7.x) - M(6.0) N(7.x) before SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung System Process: sensorhub binder service
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local malicious app
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@...nker_hqd), Zhuoyuan Li

Use CVE-2018-9143.


- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----



-- 
Sincerely,
Flanker He (a.k.a. Qidan He)
Website: https://flanker017.me <http://flanker017.me>
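
The bulletin text for SVE-2017-11105 says the Gallery patch "fixed the parser to validate proper resolution of BMP file". The following is an added example, not part of the original post and not Samsung's code, of what such a check can look like for an uncompressed BMP: the header's width and height are bounded and reconciled with the actual file length before any buffer is sized from them. The function names and the `MAX_DIM`/`MAX_PIXELS` limits are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DIM    16384u               /* assumed policy limit per side */
#define MAX_PIXELS (64u * 1024 * 1024)  /* assumed cap on decoded pixels */

static uint32_t rd32(const uint8_t *p) {  /* little-endian field read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate an uncompressed 24/32 bpp BMP header against the real file
 * length. Returns 0 and the pixel-array size, or -1 to reject. */
int bmp_check(const uint8_t *buf, size_t len, size_t *pixel_bytes) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;
    uint32_t data_off = rd32(buf + 10), hdr = rd32(buf + 14);
    int32_t width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint32_t bpp = buf[28] | (uint32_t)buf[29] << 8;
    if (hdr < 40 || rd32(buf + 30) != 0) return -1;   /* BI_RGB only */
    if (bpp != 24 && bpp != 32) return -1;
    if (width <= 0 || height == 0) return -1;
    uint64_t w = (uint64_t)width;   /* negative height = top-down rows */
    uint64_t h = (uint64_t)(height < 0 ? -(int64_t)height : (int64_t)height);
    if (w > MAX_DIM || h > MAX_DIM || w * h > MAX_PIXELS) return -1;
    uint64_t need = (w * bpp + 31) / 32 * 4 * h;      /* rows pad to 4 bytes */
    if (data_off < 14 + (uint64_t)hdr || data_off > len) return -1;
    if (need > len - data_off) return -1;  /* header claims more than file holds */
    *pixel_bytes = (size_t)need;
    return 0;
}

/* Constructed sample: minimal 54-byte header for a w x h image. */
void bmp_sample(uint8_t *buf, int32_t w, int32_t h, uint16_t bpp) {
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 10, 54); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    buf[28] = (uint8_t)bpp;
}

int main(void) {
    uint8_t f[70]; size_t n = 0;
    bmp_sample(f, 2, 2, 24);
    int ok = bmp_check(f, sizeof f, &n);
    bmp_sample(f, 0x40000000, 4, 24);
    printf("2x2: %d, huge width: %d\n", ok, bmp_check(f, sizeof f, &n));
    return 0;
}
```

All size arithmetic is done in 64 bits after the per-side limits are applied, so the product cannot wrap before it is compared with the file length.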
