-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1685
        BlackBerry powered by Android Security Bulletin – July 2017
                                6 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry powered by Android smartphones
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9417 CVE-2017-8273 CVE-2017-8272
                   CVE-2017-8271 CVE-2017-8270 CVE-2017-8269
                   CVE-2017-8268 CVE-2017-8267 CVE-2017-8266
                   CVE-2017-8265 CVE-2017-8264 CVE-2017-8263
                   CVE-2017-8262 CVE-2017-8260 CVE-2017-8259
                   CVE-2017-8258 CVE-2017-8256 CVE-2017-8253
                   CVE-2017-8246 CVE-2017-8243 CVE-2017-7308
                   CVE-2017-6074 CVE-2017-5970 CVE-2017-3544
                   CVE-2017-0710 CVE-2017-0706 CVE-2017-0705
                   CVE-2017-0703 CVE-2017-0699 CVE-2017-0698
                   CVE-2017-0697 CVE-2017-0696 CVE-2017-0695
                   CVE-2017-0694 CVE-2017-0693 CVE-2017-0692
                   CVE-2017-0690 CVE-2017-0689 CVE-2017-0688
                   CVE-2017-0686 CVE-2017-0685 CVE-2017-0684
                   CVE-2017-0681 CVE-2017-0680 CVE-2017-0679
                   CVE-2017-0677 CVE-2017-0676 CVE-2017-0675
                   CVE-2017-0674 CVE-2017-0673 CVE-2017-0670
                   CVE-2017-0669 CVE-2017-0668 CVE-2017-0667
                   CVE-2017-0666 CVE-2017-0665 CVE-2017-0664
                   CVE-2017-0540 CVE-2016-5863 CVE-2016-2109
                   CVE-2015-5707 CVE-2014-9731 

Reference:         ASB-2017.0078
                   ASB-2017.0056
                   ESB-2017.1539
                   ESB-2017.1420

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?articleNumber=000045142

- --------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry powered by Android Security Bulletin July 2017

Article Number:  000045142
First Published: July 05, 2017
Last Modified:   July 05, 2017
Type:            Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities
in BlackBerry powered by Android smartphones. We recommend users update to the
latest available software build. BlackBerry releases security bulletins to 
notify users of its Android smartphones about available security fixes; see 
BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory
is in response to the Android Security Bulletin (July) and addresses issues in
that bulletin that affect BlackBerry powered by Android smartphones.

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary / Description / CVE

Remote Code Execution in Android Runtime

An app that uses the Java XML parser or the URLConnection Java class can be
made to send attacker-injected FTP commands to an arbitrary server.

CVE-2017-3544

Elevation of Privilege in Android Framework

An AccessibilityNodeInfo object inside a Bundle can be constructed such that,
when a Parcelable is passed to another process, the second process can 
unparcel it and reparcel it incorrectly. The Parcelable can then be sent to a
third process, possibly bypassing permission checks.

CVE-2017-0664

Elevation of Privilege in Android Framework

In libs/gui/Surface.cpp, there is no bounds check on the index buf used to 
fetch the graphic buffer (gbuf) from mSlots[buf].buffer; this can allow an OOB
heap write in SurfaceFlinger, which can enable a local malicious application 
to execute arbitrary code in the context of a privileged process.

CVE-2017-0665

Elevation of Privilege in Android Framework

In libs/ui/Fence.cpp, a bad size check in Fence::unflatten can cause an 
integer underflow, which can lead to an OOB write that could enable a local 
malicious application to execute arbitrary code in the context of a 
privileged process.

CVE-2017-0666
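
The following is an added illustration, not code from this bulletin or from
libs/ui/Fence.cpp, of the general pattern behind a size-check underflow in an
unflatten routine: the number of bytes remaining after a header is computed
with unsigned arithmetic before anyone has checked that the header itself
fits, so a too-short input wraps the subtraction and every later length check
passes. The wire format, MAX_COUNT and all function names are hypothetical.

```c
/* Added example (not the bulletin's or Fence.cpp's code). Hypothetical wire
 * format: [u32 count][count x u32 entries]; MAX_COUNT is a hypothetical cap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COUNT 4

/* Vulnerable: "bytes after the header" is computed before checking that the
 * 4-byte header fits. For size < 4 the unsigned subtraction wraps to nearly
 * SIZE_MAX, so the length check below can never fail and the copy reads past
 * the `size` bytes the caller actually supplied. Returns count or -1. */
int unflatten_vuln(const uint8_t *buf, size_t size, uint32_t *out)
{
    size_t remaining = size - sizeof(uint32_t);   /* underflows when size < 4 */
    uint32_t count;

    memcpy(&count, buf, sizeof count);
    if (count > MAX_COUNT || (size_t)count * sizeof(uint32_t) > remaining)
        return -1;
    memcpy(out, buf + sizeof(uint32_t), (size_t)count * sizeof(uint32_t));
    return (int)count;
}

/* Fixed: establish that the header fits before subtracting, then compare in
 * a form that cannot overflow (divide rather than multiply). */
int unflatten_fixed(const uint8_t *buf, size_t size, uint32_t *out)
{
    size_t remaining;
    uint32_t count;

    if (size < sizeof(uint32_t))
        return -1;
    remaining = size - sizeof(uint32_t);          /* cannot wrap now */
    memcpy(&count, buf, sizeof count);
    if (count > MAX_COUNT || remaining / sizeof(uint32_t) < count)
        return -1;
    memcpy(out, buf + sizeof(uint32_t), (size_t)count * sizeof(uint32_t));
    return (int)count;
}

/* Demo harness: an 8-byte backing buffer holding count = 1 and one entry, so
 * the vulnerable over-read stays inside real memory for the demonstration.
 * `claimed_size` plays the role of the attacker-influenced flattened size. */
int demo(size_t claimed_size, int use_fixed)
{
    uint8_t backing[8] = {0};
    uint32_t count = 1, value = 0xDDCCBBAA;      /* constructed sample input */
    uint32_t out[MAX_COUNT];

    memcpy(backing, &count, sizeof count);
    memcpy(backing + sizeof count, &value, sizeof value);
    return use_fixed ? unflatten_fixed(backing, claimed_size, out)
                     : unflatten_vuln(backing, claimed_size, out);
}

int main(void)
{
    printf("2-byte input, vulnerable: %d (accepted)\n", demo(2, 0));
    printf("2-byte input, fixed:      %d (rejected)\n", demo(2, 1));
    printf("8-byte input, fixed:      %d (accepted)\n", demo(8, 1));
    return 0;
}
```

The vulnerable routine accepts a 2-byte input and copies four bytes beyond
it; the fixed routine rejects anything shorter than the header and compares
by division so that a large count cannot overflow the multiplication either.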

Elevation of Privilege in Android Framework

The attachBuffer() call in the camera server does not check that an index is 
in range before writing to the mSlots array.

CVE-2017-0667

Information Disclosure in Android Framework

When an app is uninstalled, the download manager does not immediately delete 
the files owned by that app. If the system is reset before the files are 
deleted, a newly installed app may gain access to files downloaded by a 
previously installed app.

CVE-2017-0668

Information Disclosure in Android Framework

On a device with multiple login users, the generic ContentProvider does not 
check which user owns files at given paths on the SD card. One user can use 
the ContentProvider to read media or files owned by other users.

CVE-2017-0669

Denial of Service in Android Framework

A memory leak in bionic results in a few hundred bytes leaking for every 
dlopen/dlclose pair. In a process such as mediacodec, which repeatedly calls 
dlopen/dlclose on the codec libraries, this can result in a substantial memory
leak which may eventually lead to a DoS.

CVE-2017-0670

Denial of Service in ASN.1 Parsing

A bad ASN.1 packet could request allocation of large amounts of memory, 
causing a remote denial of service by resource exhaustion.

CVE-2016-2109

Remote Code Execution in Mediaserver

In libhevc, in the ihevcd_cabac_decode_bypass_bins_egk function, ps_bitstrm 
can overflow, and several members of ps_bitstrm are passed to BIT_GET, which 
leads to an out-of-bounds write and possible code execution.

CVE-2017-0540

Remote Code Execution in Mediaserver

There is a heap buffer overflow in decoder/ih264d_parse_pslice.c (of libavc) 
in the function ih264d_get_mbaff_neighbours that can lead to an out-of-bounds
write because the ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in 
ih264d_start_of_pic but the old value is used afterwards.

CVE-2017-0673

Elevation of Privilege in Mediaserver

In the impeg2_mc_fullx_fully_8x8_sse42 function, there is a missing bounds 
check on a memory write, leading to a possible escalation of privilege in a 
privileged process.

CVE-2017-0674

Remote Code Execution in Mediaserver

There is a possible out-of-bounds write in libhevc, resulting in possible 
remote arbitrary code execution in mediaserver.

CVE-2017-0675

Remote Code Execution in Mediaserver

A heap buffer overflow in the ihevcd_parse_pic_init function in libhevc could
allow an attacker to write to memory in media.codec.

CVE-2017-0676

Remote Code Execution in Mediaserver

In decoder/ih264d_process_bslice.c (of libavc), because the first picture in 
list1 could still be invalid, a use-after-free can occur in ih264d_one_to_one
which can lead to remote arbitrary code execution in the context of a 
privileged process.

CVE-2017-0677

Remote Code Execution in Mediaserver

In function ih264d_get_implicit_weights there is an OOB write into the 
pu4_wt_mat buffer which can lead to remote code execution through memory 
corruption.

CVE-2017-0679

Remote Code Execution in Mediaserver

In decoder/ih264d_mb_utils.c (of libavc), if there is an odd number of 
macroblocks in Mbaff frames, MbParams is miscalculated, leading to an OOB 
write which can lead to remote arbitrary code execution in the context of a 
privileged process.

CVE-2017-0680

Remote Code Execution in Tremolo

In the Tremolo library (used for Ogg Vorbis), because char types are treated 
as signed on some platforms (x86) and unsigned on others (ARM), the sign 
extension for several checks in mapping_info_unpack can result in checks 
against negative values, when they were intended to be positive values.

CVE-2017-0681
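
An added example, not Tremolo's code, of the signedness problem described
above: the same range check on a byte read from an attacker-controlled Ogg
header gives different answers on x86 and ARM, and a portable version that
tests both bounds explicitly. SUBMAP_LIMIT and the function names are
hypothetical.

```c
/* Added example (not Tremolo's code): the same range check on a value read
 * from an attacker-controlled Ogg header behaves differently depending on
 * whether `char` is signed. SUBMAP_LIMIT and function names are hypothetical. */
#include <limits.h>
#include <stdio.h>

#define SUBMAP_LIMIT 16          /* hypothetical: valid indices are 0..15 */

/* What the check does where `char` is signed (x86): byte 0xff becomes -1,
 * which is < SUBMAP_LIMIT, so the value is accepted and later used as a
 * negative array index. Returns 1 if accepted. */
int accept_index_signed(unsigned char raw)
{
    signed char idx = (signed char)raw;
    return idx < SUBMAP_LIMIT;           /* -1 < 16: accepted */
}

/* What the same check does where `char` is unsigned (ARM): 0xff stays 255
 * and is rejected. The code tests clean on ARM and is broken on x86. */
int accept_index_unsigned(unsigned char raw)
{
    unsigned char idx = raw;
    return idx < SUBMAP_LIMIT;           /* 255 < 16: rejected */
}

/* Portable version: take the value in the platform's own `char`, widen to
 * int, and test both bounds explicitly so signedness no longer matters. */
int accept_index_fixed(char stored)
{
    int idx = stored;                    /* -1 or 255 depending on platform */
    return idx >= 0 && idx < SUBMAP_LIMIT;
}

int main(void)
{
    printf("`char` is %s on this build\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("signed   check accepts 0xff: %d\n", accept_index_signed(0xff));
    printf("unsigned check accepts 0xff: %d\n", accept_index_unsigned(0xff));
    printf("fixed    check accepts 0xff: %d\n", accept_index_fixed((char)0xff));
    return 0;
}
```

Building the same source for an ARM target and an x86 target would make the
first two functions disagree on 0xff; the third gives the same answer on both,
which is the property to test for when a codec's checks are written against
plain char.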

Elevation of Privilege in SoftAVC encoder

In the SoftAVC encoder, there is a possible out-of-bounds write if 
setParameter is called to change the width and height after buffers have been
allocated.

CVE-2017-0684

Denial of Service in Mediaserver

In Android M, there is a race condition in impeg2d_process_video_bit_stream 
and impeg2d_dec_frm where the number of bytes consumed was not being 
incremented, leading to an endless loop, causing a remote denial of service in
mediaserver.

CVE-2017-0685

Denial of Service in Mediaserver

In Android M, there is a null pointer dereference in 
impeg2_mc_fullx_fully_8x8_sse42 leading to a remote denial of service in 
mediaserver.

CVE-2017-0686

Denial of Service in Mediaserver

An infinite loop resulting from a malformed media file in 
decoder/ih264d_dpb_mgr.c (of libavc) can result in a remote DoS, either 
through a hang during decoding or an eventual segfault.

CVE-2017-0688

Denial of Service in Mediaserver

In decoder/ihevcd_nal.c (of libhevc) when parsing an invalid pps/slice in an 
h265 file, an infinite loop can occur which can lead to a remote denial of 
service.

CVE-2017-0689

Denial of Service in Mediaserver

A null pointer exception can occur if an attacker can allocate too much memory
and cause a new object instantiation to fail.

CVE-2017-0690

Denial of Service in Mediaserver

In the sonivox library, a media file with its offset value equal to nodeOffset
would trigger infinite recursion in TinyCacheSource::readAt, leading to a 
remote denial of service in mediaserver.

CVE-2017-0692

Denial of Service in Mediaserver

In decoder/ih264d_api.c (of libavc) an error in the use of the 
u1_top_bottom_decoded flag causes a null pointer dereference which can lead to
a remote denial of service.

CVE-2017-0693

Denial of Service in Mediaserver

In the sonivox library, a media file that sets the pSize value read by 
NextChunk to -8 will end up in an infinite loop, resulting in a remote denial
of service due to resource exhaustion.

CVE-2017-0694

Denial of Service in Mediaserver

In libhevc ps_pps_ref is incremented without checking its value, leading to an
eventual out-of-bounds read in ihevcd_copy_pps resulting in a denial of 
service.

CVE-2017-0695

Denial of Service in Mediaserver

There is an out-of-bounds read in ih264d_deblock_mb_nonmbaff that leads to 
denial of service.

CVE-2017-0696

Denial of Service in Mediaserver

In libstagefright/MPEG4Extractor.cpp (of libstagefright), a memory leak can 
occur if there is an error reading from mDataSource, as pssh.data will not be
freed; this can eventually lead to a remote denial of service.

CVE-2017-0697

Information Disclosure in Mediaserver

The media server uses internal heap pointers as supposedly-opaque handles, and
writes them to memory that is shared with the application. An app could use 
this to break ASLR or otherwise manipulate the media server.

CVE-2017-0698

Information Disclosure in Mediaserver

There is a possible out-of-bounds read in the 
ih264_intra_pred_luma_4x4_mode_diag_dr_ssse3 function in libavc, leading to 
possible information disclosure in a privileged process.

CVE-2017-0699

Elevation of Privilege in System UI

Applications are able to declare new account types which results in the 
settings app sending an intent on that application's behalf when creating a 
new account of that type. These intents carry the Settings app's permissions,
and can thus reach receivers which are otherwise restricted to system apps 
only.

CVE-2017-0703

Remote Code Execution in Broadcom Component

The vulnerability exists in the function wlc_bss_parse_wme_ie. The specific 
flaw is a buffer overflow when parsing the WME IE in the Association Response
from an access point, allowing code execution.

CVE-2017-9417

Elevation of Privilege in Broadcom Component

The vulnerability is in the function wl_cfgvendor_significant_change_cfg. The
specific flaw is that it is missing a boundary check in the handling of 
GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS.

CVE-2017-0705

Elevation of Privilege in Broadcom Component

There is a missing bounds check leading to a memcpy in the function 
wl_cfg80211_mgmt_tx, allowing for kernel memory corruption.

CVE-2017-0706

Elevation of Privilege in Kernel Networking Subsystem

The vulnerability is in the dccp_rcv_state_process function, which mishandles
DCCP_PKT_REQUEST packet data structures in the LISTEN state. This allows 
memory corruption by a local application that makes an IPV6_RECVPKTINFO 
setsockopt system call.

CVE-2017-6074

Denial of Service in Kernel Networking Subsystem

The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux 
kernel through 4.9.9 allows attackers to cause a denial of service (system 
crash) via (1) an application that makes crafted system calls or possibly (2)
IPv4 traffic with invalid IP options.

CVE-2017-5970

Elevation of Privilege in Kernel SCSI Driver

There is an integer overflow in the sg_start_req function, potentially leading
to kernel memory corruption.

CVE-2015-5707

Elevation of Privilege in Kernel TCB

A process with CAP_SYS_RESOURCE bypasses the permission check allowing 
arbitrary ptrace access.

CVE-2017-0710

Elevation of Privilege in Kernel Networking Driver

There is an incorrect integer overflow check in AF_PACKET handling code 
causing kernel heap corruption.

CVE-2017-7308

Information Disclosure in Kernel File System

The UDF filesystem implementation in the Linux kernel before 3.18.2 does not 
ensure that space is available for storing a symlink target's name along with
a trailing \0 character, which allows local users to obtain sensitive 
information via a crafted filesystem image.

CVE-2014-9731

Elevation of Privilege in Camera Driver

In msm_cci_i2c_read in the camera driver, there is a missing bounds check that
allows for an out-of-bounds write in the kernel.

CVE-2017-8253

Elevation of Privilege in GPU Driver

In the code handling the ioctl commands IOCTL_KGSL_GPUOBJ_ALLOC and 
IOCTL_KGSL_GPUOBJ_FREE, there is a race condition which can lead to a UAF and
corrupt the kernel heap.

CVE-2017-8262

Elevation of Privilege in Ashmem

There is a missing bounds check in ashmem ASHMEM_CACHE_FLUSH_RANGE handling 
which can cause elevation of privilege.

CVE-2017-8263

Elevation of Privilege in Ashmem

There is a TOCTOU issue in ashmem_cache_op of ashmem driver leading to OOB 
read/write of kernel memory.

CVE-2017-8267

Elevation of Privilege in Bootloader

While processing the fastboot boot command with the verified boot feature 
disabled, a boot image whose length is greater than the boot image buffer 
could cause a buffer overflow.

CVE-2017-8273

Elevation of Privilege in USB HID driver

In hiddev_ioctl_usage, if the condition uref->report_id == 
HID_REPORT_ID_UNKNOWN is true, several checks in the else block are not 
performed, allowing for a heap buffer overflow.

CVE-2016-5863

Elevation of Privilege in SoC Driver

A missing bounds check in the function pil_mss_reset_load_mba can cause a 
kernel heap buffer overflow.

CVE-2017-8243

Elevation of Privilege in Sound Driver

The vulnerability is in the memory management of certain audio streams. The 
specific flaw is that a field was not set to NULL after being freed, resulting
in a dangling pointer that could later be used.

CVE-2017-8246

Elevation of Privilege in Wi-Fi Driver

The vulnerability is in the hdd_set_rx_filter function. The specific flaw is 
that the hdd_driver_rxfilter_command_handler function can pass more multicast
addresses than the hdd_set_rx_filter can handle, resulting in heap memory 
corruption.

CVE-2017-8256

Elevation of Privilege in SoC Driver

The domain_list variable is allocated based on a user controlled size but 
bound checked with another size. Inconsistency in those two sizes leads to 
kernel heap corruption.

CVE-2017-8259

Elevation of Privilege in Camera Driver

The vulnerability is in the handling of user-provided ispif commands. The 
specific flaw is that a user-provided enum value was passed to a verification
function that took a uint8_t, allowing integer truncation and the subsequent 
use of an illegal value, resulting in memory corruption.

CVE-2017-8260
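
An added example, not the camera driver's code, of the truncation described
above: the validator's parameter is narrower than the value passed to it, so
a value such as 0x100 is compared as 0, accepted, and then used at full width.
The enum, its size and the function names are hypothetical.

```c
/* Added example (not the camera driver's code): a validator whose parameter
 * is narrower than the value handed to it. The enum, its size and the
 * function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum ispif_intf { INTF_RDI0, INTF_RDI1, INTF_RDI2, INTF_MAX };

/* Validator as written: the 32-bit value from userspace is implicitly
 * converted to uint8_t before the comparison, so 0x100 arrives as 0. */
static int intf_is_valid_narrow(uint8_t intf)
{
    return intf < INTF_MAX;
}

/* Validator that sees the whole value. */
static int intf_is_valid_wide(uint32_t intf)
{
    return intf < INTF_MAX;
}

/* Vulnerable handler: validates the truncated copy, then uses the original
 * full-width value. Returns the index that would be used, or -1 if rejected;
 * any return >= INTF_MAX is an out-of-bounds access in the real driver. */
long handle_cmd_vuln(uint32_t user_intf)
{
    if (!intf_is_valid_narrow(user_intf))     /* 0x100 -> 0: passes */
        return -1;
    return (long)user_intf;                   /* 0x100 used as the index */
}

/* Fixed handler: the validator's parameter matches the value's width. */
long handle_cmd_fixed(uint32_t user_intf)
{
    if (!intf_is_valid_wide(user_intf))
        return -1;
    return (long)user_intf;
}

int main(void)
{
    printf("vulnerable handler, 0x100 -> %ld (accepted)\n", handle_cmd_vuln(0x100));
    printf("fixed handler,      0x100 -> %ld (rejected)\n", handle_cmd_fixed(0x100));
    return 0;
}
```

Any value whose low byte is in range passes the narrow validator, so the
attacker chooses the high bits freely; compiling with -Wconversion flags the
implicit narrowing at the call site.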

Elevation of Privilege in Camera Driver

A failure of clock enabling in msm_csiphy_init can cause an OOB issue in 
kernel memory.

CVE-2017-8264

Elevation of Privilege in Video Driver

There is a double free in venus_hfi.c when multiple instances try to 
reallocate the vote_data memory.

CVE-2017-8265

Elevation of Privilege in Video Driver

A race condition in mdss_debug.c can cause a UAF of the 
file->private_data->buf buffer and lead to kernel heap corruption.

CVE-2017-8266

Elevation of Privilege in Camera Driver

The vulnerability is in the function msm_cpp_cfg_frame. The specific flaw is 
that the new_frame->last_stripe_index and new_frame->first_stripe_index 
fields are user provided but used without any verification, resulting in 
memory corruption.

CVE-2017-8268

Elevation of Privilege in Wi-Fi Driver

Due to insufficient locking, there is a race condition between pktlog_enable 
and pktlog_setsize that results in a potential use after free, leading to 
memory corruption in the kernel.

CVE-2017-8270

Elevation of Privilege in Video Driver

In the mdss_rotator_ioctl ioctl handler, there is a possible out-of-bounds 
write when writing to the msmfb_data planes variable on the stack, in 
mdss_rotator_import_buffer, resulting in kernel stack corruption.

CVE-2017-8271

Elevation of Privilege in Video Driver

There is an out-of-bounds write to the kernel stack in 
mdss_mdp_wfd_import_data, when copying to msmfb_data planes, resulting in 
kernel stack corruption.

CVE-2017-8272

Information Disclosure in Camera Driver

The vulnerability is in the function msm_isp_set_dual_HW_master_slave_mode. 
The specific flaw is that the dual_hw_ms_cmd->num_src is not validated, 
allowing for out-of-bounds access to kernel memory.

CVE-2017-8258

Information Disclosure in IPA Driver

In the RMNET_IOCTL_ADD_MUX_CHANNEL ioctl handler, if the vchannel_name string
passed in is too long, it ends up not being null terminated in the driver, 
which leads to possible information disclosure.

CVE-2017-8269
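
An added example, not the IPA driver's code, of how a fixed-size name field
loses its terminator when filled with strncpy() from an over-long string, so
that a later read of the field as a C string runs into the adjacent field,
together with a hardened copy that rejects such input. NAME_LEN, the struct
and the function names are hypothetical.

```c
/* Added example (not the IPA driver's code): a fixed-size name field filled
 * with strncpy() from an over-long string is left without a terminator, so a
 * later read of the field as a C string runs into the adjacent field.
 * NAME_LEN, the struct and the function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct channel {
    char name[NAME_LEN];
    unsigned int secret;     /* whatever follows the field gets exposed */
};

/* Vulnerable pattern: strncpy() NUL-pads short inputs but writes no
 * terminator at all when strlen(src) >= NAME_LEN. */
void set_name_vuln(struct channel *c, const char *src)
{
    strncpy(c->name, src, sizeof c->name);
}

/* Hardened: measure at most NAME_LEN bytes, reject input that cannot fit
 * together with its terminator, and copy the terminator explicitly.
 * Returns 0 on success, -1 if the name is too long. */
int set_name_safe(struct channel *c, const char *src)
{
    size_t n = 0;

    while (n < sizeof c->name && src[n] != '\0')
        n++;
    if (n == sizeof c->name)
        return -1;                       /* no room for the NUL */
    memcpy(c->name, src, n + 1);         /* n bytes plus terminator */
    return 0;
}

/* 1 if there is a NUL anywhere inside the field, 0 if a string read would
 * run off the end of it. */
int name_is_terminated(const struct channel *c)
{
    return memchr(c->name, '\0', sizeof c->name) != NULL;
}

/* Fill a fresh struct through the vulnerable copy; 1 if still terminated. */
int vuln_copy_terminated(const char *src)
{
    struct channel c;

    memset(&c, 'A', sizeof c);           /* stale contents, as on a reused object */
    set_name_vuln(&c, src);
    return name_is_terminated(&c);
}

/* Same through the hardened copy: -1 if rejected, else 1 when the field is
 * terminated and holds exactly src. */
int safe_copy_result(const char *src)
{
    struct channel c;

    memset(&c, 'A', sizeof c);
    if (set_name_safe(&c, src) != 0)
        return -1;
    return name_is_terminated(&c) && strcmp(c.name, src) == 0;
}

int main(void)
{
    const char *long_name = "rmnet_data_channel_name_too_long";   /* constructed */
    printf("vuln copy of long name terminated: %d\n", vuln_copy_terminated(long_name));
    printf("safe copy of long name result:     %d\n", safe_copy_result(long_name));
    printf("safe copy of short name result:    %d\n", safe_copy_result("rmnet0"));
    return 0;
}
```

The boundary case is a name of exactly NAME_LEN bytes: strncpy() fills the
field completely with no terminator, while the hardened copy rejects it
because the terminator would not fit.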


Available Updates

BlackBerry is making an updated software version available for BlackBerry 
powered by Android smartphones that have been purchased from 
ShopBlackBerry.com. Updated software builds may also be available from other 
retailers or carriers, dependent on their deployment schedules.

To identify an up-to-date software build, navigate to the Settings > About 
Phone menu and look for the following Android security patch level:

July 1st, 2017 or later

The same value is exposed as the system property 
ro.build.version.security_patch (for example via 
adb shell getprop ro.build.version.security_patch), which is convenient when 
checking a fleet of devices rather than one handset.

If your BlackBerry powered by Android smartphone does not have an up-to-date 
software build available, please contact your retailer or carrier directly for
security maintenance release availability information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----