SMR-DEC-2016

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin - December 2016 package.

The Bulletin (December 2016) contains the following CVE items:
CVE-2016-3841(C), CVE-2016-3850(H), CVE-2016-4470(C), CVE-2013-7446(C), CVE-2016-3868(H), CVE-2016-1583(H), CVE-2016-3892(M), CVE-2016-3893(M), CVE-2016-3894(M), CVE-2016-0758(C), CVE-2016-3928(C), CVE-2016-3901(H), CVE-2016-3935(H), CVE-2016-3936(H), CVE-2016-3937(H), CVE-2016-3940(H), CVE-2016-6672(H), CVE-2016-6674(H), CVE-2015-8955(H), CVE-2015-8950(H), CVE-2016-6680(M), CVE-2016-6683(M), CVE-2016-6684(M), CVE-2016-6689(M), CVE-2016-5696(M), CVE-2016-6690(L), CVE-2016-6692(H), CVE-2016-6725(C), CVE-2016-6728(C), CVE-2016-6828(C), CVE-2016-7910(C), CVE-2016-7911(C), CVE-2015-8962(C), CVE-2016-7912(C), CVE-2016-6737(C), CVE-2013-7446(C), CVE-2016-6136(H), CVE-2016-6739(H), CVE-2016-6740(H), CVE-2016-6741(H), CVE-2015-8963(H), CVE-2014-9874(H), CVE-2016-3850(H), CVE-2016-7914(H), CVE-2015-8964(H), CVE-2016-7915(H), CVE-2016-7916(H), CVE-2016-6750(M), CVE-2016-3906(M), CVE-2016-3907(M), CVE-2016-6698(M), CVE-2016-6751(M), CVE-2016-6752(M), CVE-2016-6753(M), CVE-2016-8411(C), CVE-2016-4794(C), CVE-2016-1583(H), CVE-2016-6710(H), CVE-2016-6720(M), CVE-2016-0718(H), CVE-2012-6702(M), CVE-2016-5300(M), CVE-2015-1283(L), CVE-2016-3862(C), CVE-2016-5419(H), CVE-2016-5420(H), CVE-2016-5421(H), CVE-2016-6762(H), CVE-2015-6621(H), CVE-2016-6704(H), CVE-2016-6763(H), CVE-2016-6766(H), CVE-2016-6765(H), CVE-2016-6764(H), CVE-2016-6767(H), CVE-2016-6768(H), CVE-2016-6770(M), CVE-2016-6771(M), CVE-2016-6772(M), CVE-2016-6773(M), and CVE-2016-6774(M).
* Severity : (C)-Critical, (H)-High, (M)-Moderate, (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 15 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer's confidence on security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.

SVE-2016-6978, SVE-2016-7661, and SVE-2016-7662: OMACP Security Issue

Severity: Medium
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: June 17, 2016
Disclosure status: Privately disclosed.
Lack of authentication verification in OMACP enables unauthorized configuration of certain network settings. Another vulnerability regarding integer overflow causes heap corruption resulting in possible remote code execution.
An authentication routine is added to filter out unauthorized messages and the patch verifies the range of integer value to prevent integer overflow. Additional patches were applied to accommodate custom use of OMACP by certain carriers.

SVE-2016-7114: Heap overflow in "OTP" service

Severity: Low
Affected versions: All devices which use Exynos AP chipset
Reported on: September 13, 2016
Disclosure status: Privately disclosed.
A code flaw in memcpy() function can lead to buffer overflow.
The patch prevents a buffer overflow by using a verified size.

SVE-2016-7118: BootReceiver security issue patch

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: September 11, 2016
Disclosure status: Privately disclosed.
Lack of appropriate exception handling in BootReceiver allows attackers to make a system crash easily resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.

SVE-2016-7119, SVE-2016-7120, and SVE-2016-7121: Possible Privilege Escalation in telecom

Severity: Low
Affected versions: L(5.0/5.1), M(6.0), N(7.0)
Reported on: September 13, 2016
Disclosure status: Privately disclosed.
Lack of appropriate exception handling in some receivers of the Telecom application allows attackers crash the system easily resulting in a possible DoS attack.
The patch prevents system crashes by handling unexpected exceptions.

SVE-2016-7132: Notification Display Error of Shade Locked State

Severity: Medium
Affected versions: M(6.0)
Reported on: September 14, 2016
Disclosure status: Privately disclosed.
This vulnerability shows notifications intended to be hidden on lock screen and it can disclose the unwanted private information.
The patch fixes it not to show notifications on lock screen according to the user configuration.

SVE-2016-7173 and SVE-2016-7174: Stack buffer overflow in OTP TrustZone trustlet

Severity: Low
Affected versions: All devices which use Exynos AP chipset
Reported on: September 13, 2016
Disclosure status: Privately disclosed.
Stack overflow vulnerabilities exist in OTP TrustZone trustlet.
The patch prevents buffer overflow.

SVE-2016-7301: Mobile Hotspot vulnerability by unprotected intent

Severity: Low
Affected versions: L(5.0/5.1), M(6.0), N(7.0)
Reported on: October 4, 2016
Disclosure status: Privately disclosed.
Once receiving a targeted intent, the Mobile hotspot is activated without user interaction and the password of the hotspot is exposed in the log.
The patch protects receivers by permission and removes the password in the log.

SVE-2016-7341: Heap overflow in sensor driver

Severity: Medium
Affected versions: KK(4.4), L(5.0/5.1), M(6.0) devices supporting Hrm sensor
Reported on: October 10, 2016
Disclosure status: Privately disclosed.
There is no mechanism to prevent concurrent access to sysfs of the MAX86902 sensor driver, which can result in kernel memory corruption by race conditions.
The fix avoids race condition by using locking mechanism.

¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truely appreciate the following researchers for helping Samsung to improve the security of our products.

- Tom Court of Context : SVE-2016-6978, SVE-2016-7661, SVE-2016-7662
- Gal Beniamini of Google Project Zero : SVE-2016-7114, SVE-2016-7173, SVE-2016-7174, SVE-2016-7341
- Qing Zhangof Qihoo 360 and Guangdong Bai of Singapore Institute of Technology (SIT) : SVE-2016-7118, SVE-2016-7301
- Quhe of Ant-financial Light-Year Security Lab : SVE-2016-7119, SVE-2016-7120, SVE-2016-7121
- Saheer Naduthodi : SVE-2016-7132