-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1685
        BlackBerry powered by Android Security Bulletin – July 2017
                                 6 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry powered by Android smartphones
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9417 CVE-2017-8273 CVE-2017-8272 CVE-2017-8271
                   CVE-2017-8270 CVE-2017-8269 CVE-2017-8268 CVE-2017-8267
                   CVE-2017-8266 CVE-2017-8265 CVE-2017-8264 CVE-2017-8263
                   CVE-2017-8262 CVE-2017-8260 CVE-2017-8259 CVE-2017-8258
                   CVE-2017-8256 CVE-2017-8253 CVE-2017-8246 CVE-2017-8243
                   CVE-2017-7308 CVE-2017-6074 CVE-2017-5970 CVE-2017-3544
                   CVE-2017-0710 CVE-2017-0706 CVE-2017-0705 CVE-2017-0703
                   CVE-2017-0699 CVE-2017-0698 CVE-2017-0697 CVE-2017-0696
                   CVE-2017-0695 CVE-2017-0694 CVE-2017-0693 CVE-2017-0692
                   CVE-2017-0690 CVE-2017-0689 CVE-2017-0688 CVE-2017-0686
                   CVE-2017-0685 CVE-2017-0684 CVE-2017-0681 CVE-2017-0680
                   CVE-2017-0679 CVE-2017-0677 CVE-2017-0676 CVE-2017-0675
                   CVE-2017-0674 CVE-2017-0673 CVE-2017-0670 CVE-2017-0669
                   CVE-2017-0668 CVE-2017-0667 CVE-2017-0666 CVE-2017-0665
                   CVE-2017-0664 CVE-2017-0540 CVE-2016-5863 CVE-2016-2109
                   CVE-2015-5707 CVE-2014-9731

Reference:         ASB-2017.0078
                   ASB-2017.0056
                   ESB-2017.1539
                   ESB-2017.1420

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000045142

- --------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry powered by Android Security Bulletin July 2017

Article Number:  000045142
First Published: July 05, 2017
Last Modified:   July 05, 2017
Type:            Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build.

BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (July) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update. Each entry gives the CVE identifier and summary, followed by the description.

CVE-2017-3544 - Remote Code Execution in Android Runtime
    An app using the Java XML parser or which uses the UrlConnection Java class can be sent injected FTP commands to execute on an arbitrary server.

CVE-2017-0664 - Elevation of Privilege in Android Framework
    An AccessibilityNodeInfo object inside a Bundle can be constructed such that, when a Parcelable is passed to another process, the second process can unparcel it and reparcel it incorrectly. The Parcelable can then be sent to a third process, possibly bypassing permission checks.

CVE-2017-0665 - Elevation of Privilege in Android Framework
    In libs/gui/Surface.cpp, there is no bound on the index used to call gbuf on mSlots[buf].buffer; this can allow an OOB heap write in SurfaceFlinger, which can enable a local malicious application to execute arbitrary code in the context of a privileged process.

CVE-2017-0666 - Elevation of Privilege in Android Framework
    In libs/ui/Fence.cpp, a bad size check in Fence::unflatten can cause an integer underflow, which can lead to an OOB write that could enable a local malicious application to execute arbitrary code in the context of a privileged process.

CVE-2017-0667 - Elevation of Privilege in Android Framework
    The attachBuffer() call in the camera server does not check that an index is in range before writing to the mSlots array.

CVE-2017-0668 - Information Disclosure in Android Framework
    When an app is uninstalled, the download manager does not immediately delete the files owned by that app. If the system is reset before the files are deleted, a newly installed app may gain access to files downloaded by a previously installed app.

CVE-2017-0669 - Information Disclosure in Android Framework
    On a device with multiple login users, the generic ContentProvider does not check which user owns files at given paths on the SD card. One user can use the ContentProvider to read media or files owned by other users.

CVE-2017-0670 - Denial of Service in Android Framework
    A memory leak in bionic results in a few hundred bytes leaking for every dlopen/dlclose pair. In a process like mediacodec that repeatedly calls dlopen/dlclose on the codec libraries, this can result in a substantial memory leak which may eventually lead to a DoS.

CVE-2016-2109 - Denial of Service in ASN.1 Parsing
    A bad ASN.1 packet could request allocation of large amounts of memory, causing a remote denial of service by resource exhaustion.

CVE-2017-0540 - Remote Code Execution in Mediaserver
    In libhevc, in the ihevcd_cabac_decode_bypass_bins_egk function, ps_bitstrm can overflow, and several members of ps_bitstrm are passed to BIT_GET, which leads to an out-of-bounds write and possible code execution.

CVE-2017-0673 - Remote Code Execution in Mediaserver
    There is a heap buffer overflow in decoder/ih264d_parse_pslice.c (of libavc) in the function ih264d_get_mbaff_neighbours that can lead to an out-of-bounds write, because ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic but the old value is used afterwards.

CVE-2017-0674 - Elevation of Privilege in Mediaserver
    In the impeg2_mc_fullx_fully_8x8_sse42 function, there is a missing bounds check on a memory write, leading to a possible escalation of privilege in a privileged process.

CVE-2017-0675 - Remote Code Execution in Mediaserver
    There is a possible out-of-bounds write in libhevc, resulting in possible remote arbitrary code execution in mediaserver.

CVE-2017-0676 - Remote Code Execution in Mediaserver
    A heap buffer overflow in the ihevcd_parse_pic_init function in libhevc could allow an attacker to write to memory in media.codec.

CVE-2017-0677 - Remote Code Execution in Mediaserver
    In decoder/ih264d_process_bslice.c (of libavc), because the first picture in list1 could still be invalid, a use-after-free can occur in ih264d_one_to_one, which can lead to remote arbitrary code execution in the context of a privileged process.

CVE-2017-0679 - Remote Code Execution in Mediaserver
    In the function ih264d_get_implicit_weights there is an OOB write into the pu4_wt_mat buffer, which can lead to remote code execution through memory corruption.

CVE-2017-0680 - Remote Code Execution in Mediaserver
    In decoder/ih264d_mb_utils.c (of libavc), if there is an odd number of macroblocks in Mbaff frames, MbParams is miscalculated, leading to an OOB write which can lead to remote arbitrary code execution in the context of a privileged process.

CVE-2017-0681 - Remote Code Execution in Tremolo
    In the Tremolo library (used for Ogg Vorbis), because char types are treated as signed on some platforms (x86) and unsigned on others (ARM), the sign extension for several checks in mapping_info_unpack can result in checks against negative values when they were intended to be positive values.

CVE-2017-0684 - Elevation of Privilege in SoftAVC encoder
    In the SoftAVC encoder, there is a possible out-of-bounds write if setParameter is called to change the width and height after buffers have been allocated.

CVE-2017-0685 - Denial of Service in Mediaserver
    In Android M, there is a race condition in impeg2d_process_video_bit_stream and impeg2d_dec_frm where the number of bytes consumed was not being incremented, leading to an endless loop and causing a remote denial of service in mediaserver.

CVE-2017-0686 - Denial of Service in Mediaserver
    In Android M, there is a null pointer dereference in impeg2_mc_fullx_fully_8x8_sse42, leading to a remote denial of service in mediaserver.

CVE-2017-0688 - Denial of Service in Mediaserver
    A dead loop resulting from a malformed media file in decoder/ih264d_dpb_mgr.c (of libavc) can result in a remote DoS due to hanging during decoding or an eventual segfault.

CVE-2017-0689 - Denial of Service in Mediaserver
    In decoder/ihevcd_nal.c (of libhevc), when parsing an invalid pps/slice in an h265 file, an infinite loop can occur, which can lead to a remote denial of service.

CVE-2017-0690 - Denial of Service in Mediaserver
    A null pointer exception can occur if an attacker can allocate too much memory and cause a new object instantiation to fail.

CVE-2017-0692 - Denial of Service in Mediaserver
    In the sonivox library, a media file with its offset value equal to nodeOffset would trigger infinite recursion in TinyCacheSource::readAt, leading to a remote denial of service in mediaserver.

CVE-2017-0693 - Denial of Service in Mediaserver
    In decoder/ih264d_api.c (of libavc), an error in the use of the u1_top_bottom_decoded flag causes a null pointer dereference, which can lead to a remote denial of service.

CVE-2017-0694 - Denial of Service in Mediaserver
    In the sonivox library, a media file that sets the pSize value read by NextChunk to -8 will end up in an infinite loop, resulting in a remote denial of service due to resource exhaustion.

CVE-2017-0695 - Denial of Service in Mediaserver
    In libhevc, ps_pps_ref is incremented without checking its value, leading to an eventual out-of-bounds read in ihevcd_copy_pps, resulting in a denial of service.

CVE-2017-0696 - Denial of Service in Mediaserver
    There is an out-of-bounds read in ih264d_deblock_mb_nonmbaff that leads to denial of service.

CVE-2017-0697 - Denial of Service in Mediaserver
    In libstagefright/MPEG4Extractor.cpp (of libstagefright), a memory leak can occur if there is an error reading from mDataSource, as pssh.data will not be freed; this can eventually lead to a remote denial of service.

CVE-2017-0698 - Information Disclosure in Mediaserver
    The media server uses internal heap pointers as supposedly-opaque handles, and writes them to memory that is shared with the application. An app could use this to break ASLR or otherwise manipulate the media server.

CVE-2017-0699 - Information Disclosure in Mediaserver
    There is a possible out-of-bounds read in the ih264_intra_pred_luma_4x4_mode_diag_dr_ssse3 function in libavc, leading to possible information disclosure in a privileged process.

CVE-2017-0703 - Elevation of Privilege in System UI
    Applications are able to declare new account types, which results in the Settings app sending an intent on that application's behalf when creating a new account of that type. These intents carry the Settings app's permissions, and can thus reach receivers which are otherwise restricted to system apps only.

CVE-2017-9417 - Remote Code Execution in Broadcom Component
    The vulnerability exists in the function wlc_bss_parse_wme_ie. The specific flaw is a buffer overflow when parsing the WME IE in the Association Response from an access point, allowing code execution.

CVE-2017-0705 - Elevation of Privilege in Broadcom Component
    The vulnerability is in the function wl_cfgvendor_significant_change_cfg. The specific flaw is that it is missing a boundary check in the handling of GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS.

CVE-2017-0706 - Elevation of Privilege in Broadcom Component
    There is a missing bounds check leading to a memcpy in the function wl_cfg80211_mgmt_tx, allowing for kernel memory corruption.

CVE-2017-6074 - Elevation of Privilege in Kernel Networking Subsystem
    The vulnerability is in the dccp_rcv_state_process function. The specific flaw is that the function mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, allowing memory corruption by a local application that makes an IPV6_RECVPKTINFO setsockopt system call.

CVE-2017-5970 - Denial of Service in Kernel Networking Subsystem
    The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.

CVE-2015-5707 - Elevation of Privilege in Kernel SCSI Driver
    There is an integer overflow in the sg_start_req function, potentially leading to kernel memory corruption.

CVE-2017-0710 - Elevation of Privilege in Kernel TCB
    A process with CAP_SYS_RESOURCE bypasses the permission check, allowing arbitrary ptrace access.

CVE-2017-7308 - Elevation of Privilege in Kernel Networking Driver
    There is an incorrect integer overflow check in the AF_PACKET handling code, causing kernel heap corruption.

CVE-2014-9731 - Information Disclosure in Kernel File System
    The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image.

CVE-2017-8253 - Elevation of Privilege in Camera Driver
    In msm_cci_i2c_read in the camera driver, there is a missing bounds check that allows for an out-of-bounds write in the kernel.

CVE-2017-8262 - Elevation of Privilege in GPU Driver
    In the code handling the ioctl commands IOCTL_KGSL_GPUOBJ_ALLOC and IOCTL_KGSL_GPUOBJ_FREE there is a race condition, which can lead to a UAF and corrupt the kernel heap.

CVE-2017-8263 - Elevation of Privilege in Ashmem
    There is a missing bounds check in the ashmem ASHMEM_CACHE_FLUSH_RANGE handling, which can cause elevation of privilege.

CVE-2017-8267 - Elevation of Privilege in Ashmem
    There is a TOCTOU issue in ashmem_cache_op of the ashmem driver, leading to an OOB read/write of kernel memory.

CVE-2017-8273 - Elevation of Privilege in Bootloader
    While processing a fastboot boot command with a length greater than the boot image buffer, when the verified boot feature is disabled, a buffer overflow could occur.

CVE-2016-5863 - Elevation of Privilege in USB HID driver
    In hiddev_ioctl_usage, if the condition uref->report_id == HID_REPORT_ID_UNKNOWN is true, several checks in the else block are not performed, allowing for a heap buffer overflow.

CVE-2017-8243 - Elevation of Privilege in SoC Driver
    A missing bounds check in the function pil_mss_reset_load_mba can cause a kernel heap buffer overflow.

CVE-2017-8246 - Elevation of Privilege in Sound Driver
    The vulnerability is in the memory management of certain audio streams. The specific flaw is that a field was not set to NULL after being freed, resulting in a dangling pointer that could later be used.

CVE-2017-8256 - Elevation of Privilege in Wi-Fi Driver
    The vulnerability is in the hdd_set_rx_filter function. The specific flaw is that the hdd_driver_rxfilter_command_handler function can pass more multicast addresses than hdd_set_rx_filter can handle, resulting in heap memory corruption.

CVE-2017-8259 - Elevation of Privilege in SoC Driver
    The domain_list variable is allocated based on a user-controlled size but bounds-checked with another size. The inconsistency between those two sizes leads to kernel heap corruption.

CVE-2017-8260 - Elevation of Privilege in Camera Driver
    The vulnerability is in the handling of user-provided ispif commands. The specific flaw is that a user-provided enum was being passed to a verification function that took a uint_8, allowing for integer truncation and the subsequent use of an illegal value, resulting in memory corruption.

CVE-2017-8264 - Elevation of Privilege in Camera Driver
    Failure of clock enabling in msm_csiphy_init can cause an OOB issue in kernel memory.

CVE-2017-8265 - Elevation of Privilege in Video Driver
    There is a double free issue in venus_hfi.c when multiple instances try to reallocate the vote_data memory.

CVE-2017-8266 - Elevation of Privilege in Video Driver
    There is a race condition in /mdss_debug.c that can cause a UAF of the file->private_data->buf buffer and lead to kernel heap corruption.

CVE-2017-8268 - Elevation of Privilege in Camera Driver
    The vulnerability is in the function msm_cpp_cfg_frame. The specific flaw is that the new_frame->last_stripe_index and new_frame->first_stripe_index fields are user provided, but used without any verification, resulting in memory corruption.

CVE-2017-8270 - Elevation of Privilege in Wi-Fi Driver
    Due to insufficient locking, there is a race condition between pktlog_enable and pktlog_setsize that results in a potential use after free, leading to memory corruption in the kernel.

CVE-2017-8271 - Elevation of Privilege in Video Driver
    In the mdss_rotator_ioctl ioctl handler, there is a possible out-of-bounds write when writing to the msmfb_data planes variable on the stack, in mdss_rotator_import_buffer, resulting in kernel stack corruption.

CVE-2017-8272 - Elevation of Privilege in Video Driver
    There is an out-of-bounds write to the kernel stack in mdss_mdp_wfd_import_data, when copying to msmfb_data planes, resulting in kernel stack corruption.

CVE-2017-8258 - Information Disclosure in Camera Driver
    The vulnerability is in the function msm_isp_set_dual_HW_master_slave_mode. The specific flaw is that dual_hw_ms_cmd->num_src is not validated, allowing for out-of-bounds access to kernel memory.

CVE-2017-8269 - Information Disclosure in IPA Driver
    In the RMNET_IOCTL_ADD_MUX_CHANNEL ioctl handler, if the vchannel_name string passed in is too long, it ends up not being null terminated in the driver, which leads to possible information disclosure.

Available Updates

BlackBerry is making an updated software version available for BlackBerry powered by Android smartphones that have been purchased from ShopBlackBerry.com. Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.

To identify an up-to-date software build, navigate to the Settings > About Phone menu. Look for the following Android security patch level: July 1st, 2017 or later.

If your BlackBerry powered by Android smartphone does not have an up-to-date software build available, please contact your retailer or carrier directly for security maintenance release availability information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
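Several of the descriptions above share a small number of root causes: a byte read into a plain char that is signed on x86 and unsigned on ARM (the Tremolo entry, CVE-2017-0681), a user-supplied enum truncated by a uint8_t verification parameter (the ispif entry, CVE-2017-8260), a size subtraction that underflows (the Fence::unflatten entry, CVE-2017-0666), and a copied string left without its terminator (the vchannel_name entry, CVE-2017-8269, and the UDF symlink entry, CVE-2014-9731). The C program below is an added illustration written for this page; it is not code from the bulletin, from BlackBerry, from Android or from any driver vendor. Each defect class is shown as a hypothetical check that admits the bad input beside one that rejects it. All function names, buffer sizes, the enum and the sample values are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the bulletin or from any vendor. Each pair
 * below is a hypothetical check that admits bad input beside one that
 * rejects it. Sizes, names and sample values are constructed for the demo. */

#define SLOT_COUNT 16   /* hypothetical number of entries in a slot table */

/* 1. Signedness. A byte pulled from a stream into a plain 'char' is signed
 * on x86 and unsigned on ARM, so "idx < SLOT_COUNT" admits bytes 0x80..0xFF
 * on x86 as negative indices. Explicit types make both variants behave the
 * same on every platform. Return 1 = accepted, 0 = rejected. */
int slot_check_signed(uint8_t byte)
{
    signed char idx = (signed char)byte;    /* what a signed 'char' would hold */
    return idx < SLOT_COUNT;                /* -128 < 16: accepted, wrongly */
}

int slot_check_unsigned(uint8_t byte)
{
    unsigned idx = byte;                    /* zero-extended, never negative */
    return idx < (unsigned)SLOT_COUNT;
}

/* 2. Truncation. A 32-bit user-supplied command code validated through a
 * uint8_t parameter loses its upper bits: 0x100 validates as 0 and is then
 * used at full width. Validate at the width the value is later used at. */
enum hyp_cmd { CMD_START = 0, CMD_STOP = 1, CMD_MAX = 2 };

static int validate_cmd_u8(uint8_t cmd)   { return cmd < CMD_MAX; }
static int validate_cmd_u32(uint32_t cmd) { return cmd < CMD_MAX; }

int cmd_check_truncating(uint32_t user_cmd) { return validate_cmd_u8((uint8_t)user_cmd); }
int cmd_check_full_width(uint32_t user_cmd) { return validate_cmd_u32(user_cmd); }

/* 3. Length underflow. Subtracting a fixed header length from an untrusted
 * total without first confirming total >= header wraps to a huge size_t,
 * which a later copy would use as its length. */
#define HDR_LEN ((size_t)8)

size_t payload_len_unchecked(size_t total)
{
    return total - HDR_LEN;                 /* wraps when total < HDR_LEN */
}

/* Returns 0 and stores the payload length, or -1 when total is too short. */
int payload_len_checked(size_t total, size_t *out)
{
    if (total < HDR_LEN)
        return -1;
    *out = total - HDR_LEN;
    return 0;
}

/* 4. NUL termination. strncpy() writes no terminator when the source fills
 * the destination, so a later strlen() or "%s" reads past the buffer.
 * Both functions return 1 when dst holds a terminated string, else 0. */
#define NAME_LEN 8                          /* hypothetical fixed name buffer */

int name_copy_strncpy(char dst[NAME_LEN], const char *user)
{
    strncpy(dst, user, NAME_LEN);
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

int name_copy_checked(char dst[NAME_LEN], const char *user)
{
    size_t n = 0;
    while (n < NAME_LEN && user[n] != '\0')     /* look for a terminator in range */
        n++;
    if (n == NAME_LEN)
        return 0;                           /* over-long name: reject, copy nothing */
    memcpy(dst, user, n + 1);               /* copy including the terminator */
    return 1;
}

int main(void)
{
    char name[NAME_LEN];
    size_t len = 0;

    printf("byte 0x80 as index: signed accepts=%d, unsigned accepts=%d\n",
           slot_check_signed(0x80), slot_check_unsigned(0x80));
    printf("cmd 0x100: truncating accepts=%d, full-width accepts=%d\n",
           cmd_check_truncating(0x100), cmd_check_full_width(0x100));
    printf("total 4: unchecked len=%zu, checked rc=%d\n",
           payload_len_unchecked(4), payload_len_checked(4, &len));
    printf("13-byte name: strncpy terminated=%d, checked accepted=%d\n",
           name_copy_strncpy(name, "too_long_name"),
           name_copy_checked(name, "too_long_name"));
    return 0;
}
```

The common thread for reviewers is that every check must be performed on the type and width the value will actually be used with: an unsigned type for an index taken from a byte stream, the full enum width for a command code, a comparison before any subtraction on untrusted lengths, and an explicit terminator check before a fixed-size string copy.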
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWV2N4Ix+lLeg9Ub1AQh1Zg//dMG0Sm7MFqqMW7BdL6yqIoM/lw0Sa8H6
89Lgm+cty8+2PImKCNScKIMhvW4ix3Fsd4jLPhu9LWZoqlEiMLoqwSPy9H1gC7Qk
DrFNjcCCHChTBc2vRIE3gbNMpObEv2VsHfQcrLDY1jOSgm4dwMv7RYyptCTSAXr5
KNneYAwxwNa6VRq/MoZtA0+7VejeuTHmQDHRoiAAlqEvCTwt+F4Sz/ZejUcxUwo4
xFAhXIWPqEhxR2sKYTpS7Ub78RxJLrlrrR3N5boDRYylp6ib7QC8+qFQ8EyaaOSE
0/DGj84Iqgc2tRUSQjRYDKhSXvKrl0JEK7ueHtfWidZW4vDIL9phhajnMvxHliVY
yzWoavPYBZxVjM85TOxM0zWhsmhG/EGqo59BAAo2BYpMi5UPu/cMsHyigNnwoYwt
ya3mBS/q7uYeStxnuj/lR8Geeqoi77a17u8IKIqXWVi1iNMX7SqK4Shx/bv64uWE
ePHJRqfJz3ZDUGvWndVfev7+aCEl82CP2iPLj+cpiEjaxuHmg+NmjcfrVp4xFa0e
SIWv4OYOUHT/jzF8nAxYLnR0i60xd6h3lPbz006dICppvSgS6u1Sxf5JvimbFvY/
5VDSdiSoDc3pid9RAuXnGfYjIbysRkuaMfFTJ7t495Y/+356CMw6XLRgN5WcfeFe
gs2+OgzVu7s=
=6Wxu
-----END PGP SIGNATURE-----