===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3214
      December 2017 security updates for BlackBerry Powered by Android
                             18 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Powered by Android
Publisher:         BlackBerry
Operating System:  BlackBerry Device
                   Android
Impact/Access:     Root Compromise          -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000380 CVE-2017-14914 CVE-2017-14903
                   CVE-2017-14897 CVE-2017-13174 CVE-2017-13169
                   CVE-2017-13168 CVE-2017-13167 CVE-2017-13166
                   CVE-2017-13165 CVE-2017-13163 CVE-2017-13160
                   CVE-2017-13159 CVE-2017-13158 CVE-2017-13157
                   CVE-2017-13156 CVE-2017-13154 CVE-2017-13152
                   CVE-2017-13151 CVE-2017-13150 CVE-2017-13149
                   CVE-2017-13148 CVE-2017-11049 CVE-2017-11047
                   CVE-2017-11045 CVE-2017-11044 CVE-2017-11043
                   CVE-2017-11033 CVE-2017-11031 CVE-2017-11030
                   CVE-2017-11019 CVE-2017-11016 CVE-2017-9722
                   CVE-2017-9718 CVE-2017-9716 CVE-2017-9710
                   CVE-2017-9708 CVE-2017-9703 CVE-2017-9700
                   CVE-2017-9698 CVE-2017-8244 CVE-2017-7533
                   CVE-2017-0880 CVE-2017-0879 CVE-2017-0874
                   CVE-2017-0873 CVE-2017-0872 CVE-2017-0870
                   CVE-2017-0837 CVE-2017-0807 CVE-2017-0564

Reference:         ASB-2017.0032

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000047154

--------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry Powered by Android Security Bulletin - December 2017

Article Number: 000047154
First Published: December 15, 2017
Last Modified: December 15, 2017
Type: Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones.
We recommend users update to the latest available software build.

BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (December 2017) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary                                               CVE
Elevation of Privilege in Framework                   CVE-2017-0807
Elevation of Privilege in Framework                   CVE-2017-0870
Remote Code Execution in Media Framework              CVE-2017-0872
Remote Code Execution in Media Framework              CVE-2017-13151
Elevation of Privilege in Media Framework             CVE-2017-0837
Elevation of Privilege in Media Framework             CVE-2017-13154
Denial of Service in Media Framework                  CVE-2017-0873
Denial of Service in Media Framework                  CVE-2017-0874
Denial of Service in Media Framework                  CVE-2017-0880
Denial of Service in Media Framework                  CVE-2017-13148
Remote Code Execution in System                       CVE-2017-13160
Elevation of Privilege in System                      CVE-2017-13156
Information Disclosure in System                      CVE-2017-13157
Information Disclosure in System                      CVE-2017-13158
Information Disclosure in System                      CVE-2017-13159
Elevation of Privilege in Kernel ION                  CVE-2017-0564
Elevation of Privilege in Kernel File Handling        CVE-2017-7533
Elevation of Privilege in Kernel EDL                  CVE-2017-13174
Elevation of Privilege in Kernel Sound Timer          CVE-2017-13167
Remote Code Execution in Qualcomm WLAN                CVE-2017-11043
Elevation of Privilege in Qualcomm Qbt1000 Driver     CVE-2017-9716
Elevation of Privilege in Qualcomm RPMB Driver        CVE-2017-14897
Vulnerability in Qualcomm Storage                     CVE-2017-14914
Denial of Service in Media Framework                  CVE-2017-0879
Denial of Service in Media Framework                  CVE-2017-13149
Denial of Service in Media Framework                  CVE-2017-13150
Information Disclosure in Media Framework             CVE-2017-13152
Elevation of Privilege in Kernel MTP USB Driver       CVE-2017-13163
Elevation of Privilege in Kernel File System          CVE-2017-13165
Elevation of Privilege in Kernel V4L2 Video Driver    CVE-2017-13166
Elevation of Privilege in Kernel Sound Timer Driver   CVE-2017-1000380
Elevation of Privilege in Kernel SCSI Driver          CVE-2017-13168
Information Disclosure in Kernel Camera Server        CVE-2017-13169
Elevation of Privilege in Qualcomm Kernel             CVE-2017-9708
Elevation of Privilege in Qualcomm Display            CVE-2017-11030
Elevation of Privilege in Qualcomm Video Driver       CVE-2017-9703
Elevation of Privilege in Qualcomm Debugfs Driver     CVE-2017-8244
Elevation of Privilege in Qualcomm Kernel             CVE-2017-9718
Elevation of Privilege in Qualcomm Graphics           CVE-2017-9698
Elevation of Privilege in Qualcomm Audio              CVE-2017-9700
Elevation of Privilege in Qualcomm Display            CVE-2017-9722
Elevation of Privilege in Qualcomm Display            CVE-2017-11049
Elevation of Privilege in Qualcomm Display            CVE-2017-11047
Elevation of Privilege in Qualcomm Graphics           CVE-2017-11044
Elevation of Privilege in Qualcomm Camera             CVE-2017-11045
Elevation of Privilege in Qualcomm Data HLOS          CVE-2017-9710
Elevation of Privilege in Qualcomm Display            CVE-2017-11019
Elevation of Privilege in Qualcomm Audio              CVE-2017-11016
Elevation of Privilege in Qualcomm Kernel             CVE-2017-11033
Information Disclosure in Qualcomm WLAN               CVE-2017-14903
Information Disclosure in Qualcomm Display            CVE-2017-11031

Available Updates

BlackBerry is making an updated software version available for BlackBerry powered by Android smartphones that have been purchased from ShopBlackBerry.com. Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.

To identify an up to date software build, navigate to the Settings>About Phone menu.
Look for the following Android security patch level:

  * December 1, 2017 or later

If your BlackBerry powered by Android smartphone does not have an up-to-date software build available, please contact your retailer or carrier directly for security maintenance release availability information.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================