Samsung Mobile Android Security Updates

Samsung Mobile Android Security Updates

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin - Dec 2018 package. The Bulletin (Dec 2018) contains the following CVE items:

Critical
CVE-2018-5912, CVE-2018-9549, CVE-2018-9550, CVE-2018-9551, CVE-2018-9552, CVE-2018-9555

High
CVE-2018-5916, CVE-2018-11996, CVE-2018-11905, CVE-2017-15818, CVE-2018-9547, CVE-2018-9548, CVE-2018-9553, CVE-2018-9538, CVE-2018-9554, CVE-2018-9557, CVE-2018-9558, CVE-2018-9559, CVE-2018-9560, CVE-2018-9562, CVE-2018-9566

Moderate
None

Low
None

NSI
None

Already included in previous updates
CVE-2017-18317, CVE-2018-5917, CVE-2018-5877, CVE-2018-5870, CVE-2018-11994, CVE-2018-11269, CVE-2017-18318, CVE-2017-18316, CVE-2016-10502, CVE-2018-9543(O8.1)

Not applicable to Samsung devices
CVE-2018-11264, CVE-2018-9556, CVE-2017-18315, CVE-2018-11995, CVE-2018-9543(N7.x, O8.0)


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 40 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Dec-2018 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2018-11628: Improper access to Secure Folder

Severity: Moderate
Affected Versions: N(7.x)
Reported on: March 28, 2018
Disclosure status: Privately disclosed.
A vulnerability in Secure Folder app allow access without authentication.
The patch modifies the startup logic of the Secure Folder app to enforce authentication.


SVE-2018-12053: Malicious permission grant by Quick Tools

Severity: Moderate
Affected versions: N(7.0)
Reported on: May 25, 2018
Disclosure status: Privately disclosed.
A vulnerability allows location permission to bypass lockscreen when using the compass function in QuickTools.
The patch allows the lock state before allowing permission.


SVE-2018-12959: Race condition vulnerability in g2d driver

Severity: Moderate
Affected Versions: O(8.x), P(9.0) devices with Exynos 9810 chipset
Reported on: September 6, 2018
Disclosure status: Privately disclosed.
A vulnerability in g2d driver causes use after free race condition between threads.
The patches prevent use after free by applying synchronization mechanism.


SVE-2018-13057: Improper access to Secure Folder

Severity: Moderate
Affected Versions: O(8.x)
Reported on: September 24, 2018
Disclosure status: Privately disclosed.
A vulnerability in Secure Folder results in exposure of gallery app without authentication.
The patch fixes Secure Folder to enforce authentication when creating task of gallery.


SVE-2018-13299: Privileged code execution by Dual Messenger

Severity: High
Affected Versions: N(7.x), O(8.x), P(9.0)
Reported on: October 22, 2018
Disclosure status: Privately disclosed.
A vulnerability allows installation of arbitrary apk to invoke unauthorized activity to Dual Messenger.
The patch restricts privilege of the app that calls Dual Messenger.


SVE-2018-13035: Information disclosure in the g2d_drv driver

Severity: Low
Affected Versions: O(8.x), P(9.0) devices with Exynos 9810 chipset
Reported on: September 17, 2018
Disclosure status: Privately disclosed.
A kernel pointer vulnerability in g2d driver allows information disclosure.
The patch fixes incorrect implementation of kernel logging.


SVE-2018-13188: Stack overflow in baseband

Severity: Critical
Affected Versions: O(8.0) devices with Exynos 9810, 8895 chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in baseband allows arbitrary code execution.
The patch adds length check code in the baseband.


SVE-2018-13187: Heap overflow in the baseband

Severity: Critical
Affected Versions: O(8.0) devices with Exynos 9810, 8895 chipsets
Reported on: October 15, 2018
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in baseband may cause memory issues.
The patch adds length check code in the baseband.


SVE-2018-13381: Clipboard access in lockscreen

Severity: Moderate
Affected Versions: N(7.x), O(8.x)
Reported on: November 2, 2018
Disclosure status: Privately disclosed.
A vulnerability allows access to clipboard information via copy & paste in the locked state.
The patch blocks access clipboard contents in the copy & paste popup in the lock screen.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


 

Leave a comment