===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2017.2026
BlackBerry powered by Android Security Bulletin - August 2017
15 August 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Blackberry
Publisher:         Blackberry
Operating System:  BlackBerry Device
Impact/Access:     Root Compromise          -- Remote with User Interaction
                   Increased Privileges     -- Remote with User Interaction
                   Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9694 CVE-2017-9693 CVE-2017-9691
                   CVE-2017-9684 CVE-2017-9682 CVE-2017-9681
                   CVE-2017-9680 CVE-2017-9679 CVE-2017-9678
                   CVE-2017-0751 CVE-2017-0750 CVE-2017-0749
                   CVE-2017-0748 CVE-2017-0747 CVE-2017-0746
                   CVE-2017-0745 CVE-2017-0740 CVE-2017-0739
                   CVE-2017-0738 CVE-2017-0737 CVE-2017-0736
                   CVE-2017-0735 CVE-2017-0734 CVE-2017-0733
                   CVE-2017-0732 CVE-2017-0731 CVE-2017-0730
                   CVE-2017-0729 CVE-2017-0728 CVE-2017-0726
                   CVE-2017-0724 CVE-2017-0723 CVE-2017-0722
                   CVE-2017-0721 CVE-2017-0720 CVE-2017-0719
                   CVE-2017-0718 CVE-2017-0716 CVE-2017-0715
                   CVE-2017-0714 CVE-2017-0713 CVE-2017-0712
                   CVE-2017-0687 CVE-2016-0802
Reference:         ASB-2017.0127
                   ESB-2016.0746
                   ESB-2016.0742
                   ESB-2016.0741

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000045309

--------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry powered by Android Security Bulletin - August 2017

Article Number:  000045309
First Published: August 14, 2017
Last Modified:   August 14, 2017
Type:            Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build.
BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (August 2017) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary:     Elevation of Privilege in WiFi
CVE:         CVE-2017-0712
Description: In the Wi-Fi service, a copy into a stack structure is not checked for length before the operation is performed.

Summary:     Remote Code Execution in Sfntly
CVE:         CVE-2017-0713
Description: In the sfntly library used by libskia, a malformed font file could achieve privilege escalation due to an out-of-bounds read and probable write.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0714
Description: There is a missing bounds check in the GetMBHeader() function of the h263 decoder that could lead to a heap memory overflow. Exploitation of this by a malicious MP4 file could lead to memory corruption and code execution in a privileged process.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0715
Description: In decoder/ih264d_utils.c in ih264d_allocate_dynamic_bufs (of libavc), there is an out-of-bounds write issue, which could lead to remote arbitrary code execution.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0716
Description: In decoder/impeg2d_vld.c in impeg2d_vld_decode (of libmpeg2), a missing bounds check can cause a heap buffer overflow that could lead to remote arbitrary code execution in a privileged process.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0718
Description: In the mpeg2 decoder, reading a different vertical slice than the one at the current decode position could result in an invalid calculation of the amount of data remaining.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0719
Description: In the mpeg2 decoder, an invalid picture structure could cause an out-of-bounds write, which could lead to memory corruption and code execution in a privileged process.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0720
Description: In decoder/ihevcd_parse_slice.c (of libhevc), a potential memory corruption could occur, leading to remote arbitrary code execution.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0721
Description: In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height. Parsing a malicious media file could lead to a clip dimension change which could lead to an out-of-bounds write leading to remote arbitrary code execution.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0722
Description: In the h263 decoder, a malformed mpeg4 file could lead to an out-of-bounds write in a privileged process due to a size mismatch between the frame header and the frame body.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0723
Description: In decoder/ih264d_format_conv.c in ih264d_fmt_conv_420sp_to_420sp (of libavc), a heap buffer overflow could occur due to an unchecked num_rows in the memcpy, which could lead to remote arbitrary code execution in a privileged process.

Summary:     Remote Code Execution in Mediaserver
CVE:         CVE-2017-0745
Description: In m4v_h263/dec/src/vop.cpp in DecodeShortHeader (of libstagefright), there is no check that the height and width are less than the total video size.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0724
Description: In decoder/impeg2d_dec_hdr.c in impeg2d_dec_seq_hdr (of libmpeg2), there is no check for a 0 value of u2_width or u2_height.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0726
Description: In libstagefright/MPEG4Extractor.cpp in MPEG4Extractor::parseMetaData (of libstagefright), a memory leak could lead to resource exhaustion which could lead to a remote temporary denial of service.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0728
Description: In the hevc software decoder, a malformed mpeg4 file could result in a null pointer dereference.

Summary:     Elevation of Privilege in MediaDrmServer
CVE:         CVE-2017-0729
Description: There is a possible integer overflow in the clearkey plugin for the MediaDrmServer process.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0730
Description: In the h264 decoder, a malformed mpeg4 file could cause a crash.

Summary:     Elevation of Privilege in Mediaserver
CVE:         CVE-2017-0731
Description: In the mpeg4 encoder, an app could set a zero width or height parameter causing a bad allocation, but change the width or height later. When the encoder is cleaned up, the wrong address is freed, which could lead to memory corruption and code execution.

Summary:     Elevation of Privilege in Mediaserver
CVE:         CVE-2017-0732
Description: There is a vulnerability in mediaserver where an application could cause a hang in a mediaserver thread creating a graphics buffer. Another thread attempting to use that buffer could cause the reference count to be decremented and the buffer freed. When the creating thread resumes, it uses the buffer that has already been freed, which could lead to memory corruption and code execution.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0733
Description: In NuPlayerDecoder (of libmediaplayerservice), when processing bad input data, a CHECK abort could lead to a remote temporary denial of service.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0734
Description: In decoder/ih264d_dpb_mgr.c in ih264d_delete_st_node_or_make_lt (of libavc), a null pointer dereference could lead to a remote temporary denial of service.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0735
Description: In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), a crafted media file could cause an infinite loop due to improper input validation when changing resolutions, which could lead to a remote temporary denial of service.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0736
Description: In decoder/ih264d_parse_headers.c in ih264d_parse_nal_unit (of libavc), a crafted media file could lead to an infinite loop due to missing input validation, which could lead to a remote temporary denial of service.

Summary:     Denial of Service in Mediaserver
CVE:         CVE-2017-0687
Description: In decoder/ih264d_parse_headers.c in ih264d_parse_sps (of libavc), improper input validation could lead to remote temporary denial of service when the media stream changes resolution.

Summary:     Elevation of Privilege in Mediaserver
CVE:         CVE-2017-0737
Description: In libgui.so, a missing bounds check could lead to an arbitrary write in a privileged process which could lead to an elevation of privilege.

Summary:     Information Disclosure in Mediaserver
CVE:         CVE-2017-0738
Description: Inside audioserver, the parameters of the equalizer Effect_command are not properly checked and could cause an out-of-bounds read leading to information disclosure.

Summary:     Information Disclosure in Mediaserver
CVE:         CVE-2017-0739
Description: In decoder/ihevcd_nal.c in ihevcd_nal_remv_emuln_bytes (of libhevc), an out-of-bounds read could lead to information disclosure.

Summary:     Remote Code Execution in Broadcom WiFi
CVE:         CVE-2017-0740
Description: After the patch for CVE-2016-0802 (ANDROID-25306181), if a device had updated the kernel but not the bcm4354 firmware, there were still possible out-of-bounds memory writes if the chip sent an ETHER_TYPE_BRCM packet to the host with a malformed length.

Summary:     Elevation of Privilege in Kernel File System
CVE:         CVE-2017-0750
Description: Unvalidated input parameters in the F2FS module could allow for kernel memory corruption, which could result in arbitrary code execution in the TCB.

Summary:     Elevation of Privilege in Kernel
CVE:         CVE-2017-0749
Description: In msm/kernel/trace/trace.c, there is insufficient locking when accessing savedcmd that could result in a use after free, leading to escalation of privilege.

Summary:     Elevation of Privilege in Qualcomm IPA Driver
CVE:         CVE-2017-0746
Description: An integer overflow in the reference counter variables in the ipa driver could cause a potential use after free leading to elevation of privilege.

Summary:     Elevation of Privilege in Qualcomm Component
CVE:         CVE-2017-0747
Description: The qseecomd process has CAP_SYS_ADMIN and CAP_NET_RAW capabilities which are not necessary.

Summary:     Elevation of Privilege in Qualcomm Video Driver
CVE:         CVE-2017-9678
Description: In the /dev/graphics/fb0 driver when running a 32-bit kernel, there is an out-of-bounds write that could lead to escalation of privilege.

Summary:     Elevation of Privilege in Qualcomm MobiCore Driver
CVE:         CVE-2017-9691
Description: Reading from /sys/kernel/debug/trustonic_tee/info, on devices where it exists, could lead to an escalation of privilege, due to insufficient locking.

Summary:     Elevation of Privilege in Qualcomm USB Driver
CVE:         CVE-2017-9684
Description: In rndis_qc_bind_config_vendor and related functions, access to the _rndis_qc variable is not protected by a lock. There is a possible use after free vulnerability that could lead to escalation of privilege.

Summary:     Information Disclosure in Qualcomm GPU Driver
CVE:         CVE-2017-9682
Description: There is improper locking causing a use after free issue in the kgsl device, which could lead to information disclosure.

Summary:     Information Disclosure in Qualcomm SoC Driver
CVE:         CVE-2017-9679
Description: In the qbt1000 driver, a user space string is copied into a local buffer without ensuring that it is properly NULL terminated.

Summary:     Information Disclosure in Qualcomm SoC Driver
CVE:         CVE-2017-9680
Description: Uninitialized variables in the qbt1000 driver could lead to information disclosure.

Summary:     Information Disclosure in Qualcomm Audio Driver
CVE:         CVE-2017-0748
Description: In the audio driver, a missing return value check together with an uninitialized local variable could lead to information disclosure.

Summary:     Information Disclosure in Qualcomm Radio Driver
CVE:         CVE-2017-9681
Description: The function iris_vidioc_s_ext_ctrls directly dereferences a user-passed pointer as a string, which could lead to information disclosure.

Summary:     Information Disclosure in Qualcomm Networking Driver
CVE:         CVE-2017-9693
Description: In __wlan_hdd_change_station, the length of params->ext_capab has insufficient checks, which could lead to information disclosure due to an out-of-bounds read.

Summary:     Information Disclosure in Qualcomm Networking Driver
CVE:         CVE-2017-9694
Description: In __wlan_hdd_cfg80211_extscan_set_bssid_hotlist, the policy used to enforce the size of the attributes for nla_parse does not include an entry for QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE, which could lead to a possible out-of-bounds read and information disclosure.

Summary:     Elevation of Privilege in Qualcomm QCE Driver
CVE:         CVE-2017-0751
Description: Multiple IOCTLs within the QCE driver use a non-validated field provided by the user.

Available Updates

BlackBerry is making an updated software version available for BlackBerry powered by Android smartphones that have been purchased from ShopBlackBerry.com. Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.

To identify an up-to-date software build, navigate to the Settings > About Phone menu. Look for the following Android security patch level:

August 5, 2017 or later

If your BlackBerry powered by Android smartphone does not have an up-to-date software build available, please contact your retailer or carrier directly for security maintenance release availability information.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================