Samsung ha reso pubblici i dettagli dell'aggiornamento Security Maintenance Release (SMR) relativo al mese di ottobre, che la società intende iniziare a distribuire a partire dai prossimi giorni sui propri smartphone basati sul sistema operativo Android.
Le patch alla sicurezza per il mese di ottobre di Samsung pongono rimedio ad 11 vulnerabilità, scoperte nelle ultime settimane. I primi smartphone a ricevere gli aggiornamenti alla sicurezza saranno i top di gamma
Galaxy S9,
Galaxy S9+ e
Galaxy Note 9, seguiti nel corso del mese da altri smartphone Samsung di recente commercializzazione.
SMR-OCT-2018
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
Google patches include patches up to Android Security Bulletin - Oct 2018 package. The Bulletin (Oct 2018) contains the following CVE items:
Critical
CVE-2016-10394, CVE-2018-11950, CVE-2018-5866, CVE-2018-11824, CVE-2018-9490, CVE-2018-9473, CVE-2018-9496, CVE-2018-9497, CVE-2018-9498, CVE-2017-13283, CVE-2018-9476, CVE-2018-9504
High
CVE-2017-5754, CVE-2018-11816, CVE-2018-11898, CVE-2018-11842, CVE-2018-11836, CVE-2018-11261, CVE-2016-10408, CVE-2017-18313, CVE-2017-18312, CVE-2017-18124, CVE-2018-3588, CVE-2018-11951, CVE-2018-11952, CVE-2018-5871, CVE-2018-5914, CVE-2018-11288, CVE-2018-11292, CVE-2018-11846, CVE-2018-9491, CVE-2018-9492, CVE-2018-9493, CVE-2018-9499, CVE-2018-9501, CVE-2018-9502, CVE-2018-9503, CVE-2018-9505, CVE-2018-9506, CVE-2018-9507, CVE-2018-9508, CVE-2018-9509, CVE-2018-9510, CVE-2018-9511
Moderate
CVE-2018-5832, CVE-2018-11270, CVE-2018-9452, CVE-2018-5390, CVE-2018-5391
Low
None
NSI
None
Already included in previous updates
CVE-2018-9384, CVE-2017-18314, CVE-2017-18311, CVE-2018-11290, CVE-2018-11287, CVE-2018-11855
Not applicable to Samsung devices
CVE-2017-15825, CVE-2018-11285, CVE-2018-11857, CVE-2018-11858, CVE-2018-11866, CVE-2018-11865
※ Please see Android Security Bulletin for detailed information on Google patches.
Along with Google patches, Samsung Mobile provides 11 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer's confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in 'Security software version', SMR Oct-2018 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2018-12852: Buffer overflow in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
A buffer overflow vulnerability in esecomm trustlet allows an attacker to perform arbitrary code execution.
The patch adds proper validation of buffer length to prevent buffer overflow.
SVE-2018-12853: Invalid free in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.x) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
An invalid free vulnerability in fingerprint trustlet allows an attacker to perform arbitrary code execution.
The patches deallocate the right pointer to prevent invalid free.
SVE-2018-12855: Incorrect usage of shared memory in the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 15, 2018
Disclosure status: Privately disclosed.
A vulnerability in vaultkeeper trustlet leaks shared memory address allowing an attacker to perform arbitrary code execution.
The patch adds proper validation of shared memory address.
SVE-2018-12881: Arbitrary memory write with the Trustlet
Severity: Critical
Affected Versions: N(7.x), O(8.X) devices with Exynos chipsets
Reported on: August 20, 2018
Disclosure status: This issue is publicly known.
A vulnerability in access control of secure driver allows arbitrary memory write in trustlets.
The patch restricts access control of memory access via secure APIs.
SVE-2018-12684: Clipoboard access in lockscreen
Severity: Moderate
Affected Versions: N(7.x), O(8.x), P(9.0)
Reported on: July 26, 2018
Disclosure status: Privately disclosed.
The clipboard content can be leaked without authorization when using physical keyboard.
The patch adds protection to hide clipboard contents immediately when device is locked.
Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Eloi Sanfelix: SVE-2018-12852, SVE-2018-12853, SVE-2018-12855, SVE-2018-12881
- Andr. Heß: SVE-2018-12684