BlackBerry KEYone Sicherheitsupdate – Build AAO472

Das BlackBerry KEYone Sicherheitsupdate – Build AAO472 hat nun auch unsere Testgerät erreicht. Was sich alles geändert hat, findet ihr in diesem Beitrag.

Mit dem neuesten BlackBerry KEYone Sicherheitsupdate – Build AAO472 – schließt BlackBerry diesmal wieder ganze 58 Sicherheitslücken.

Die Build Version des Updates ist AAO472 und die Kernel-Version ist MPSS.TA.2.3.c1-00333-8953_GEN_PACK-1.107751.2.108406.1. Der Stand des Sicherheitsupdates ist der 5. September 2017.

BlackBerry KEYone Sicherheitsupdate – Build AAO472 Changelog

Mit diesem Sicherheitsupdate wurden folgende Lücken geschlossen:

SummaryDescriptionCVE
Elevation of Privilege in WindowManagerThe handling of the TYPE_TOAST window allowed for an attacker to overlay the screen, including permissions dialogs.CVE-2017-0752
Elevation of Privilege in LibminikinA malformed font could cause memory corruption by providing unsorted cmap entries.CVE-2017-0755
Remote Code Execution in Mediaserver
In SoftAACEncoder2.cpp in SoftAACEncoder2::onQueueFilled, the allocation is of a previously set size but a memcpy follows that is of an attacker-controlled size.
CVE-2017-0756
Remote Code Execution in Mediaserver
In decoder/ih264d_api.c in ih264d_fmt_conv_420sp_to_420sp, there is no bounds check before the memcpy, which can lead to an OOB write that could result in arbitrary remote code execution in a privileged process.
CVE-2017-0757
Remote Code Execution in Mediaservern ihevcd_fmt_conv.c in ihevcd_fmt_conv, a memcpy is called in a loop without checking the size of the destination buffer, which can lead to an OOB write that could result in arbitrary remote code execution in a privileged process.CVE-2017-0758
Remote Code Execution in MediaserverIn SoftMPEG2.cpp, in SoftMPEG2::deInitDecoder, ps_mem_rec->pv_base is freed; but it is later used in impeg2d_api_main.c resulting in a use-after-free, which could result in arbitrary remote code execution in a privileged process.CVE-2017-0759
Remote Code Execution in Mediaserver
A badly initialized decoder can lead to memory corruption, which could result in arbitrary remote code execution in a privileged process.
CVE-2017-0760
Remote Code Execution in MediaserverIn decoder/ih264d_process_pslice.c in ih264d_init_ref_idx_lx_b, u1_max_lt_index and u1_min_lt_index can be > 255, which can lead to an overflow in reference list creation, leading to an OOB write occurs which could result in arbitrary remote code execution in a privileged process.CVE-2017-0761
Remote Code Execution in Mediaserver
In decoder/ihevcd_parse_headers.c in ihevcd_fmt_conv, pu1_y_dst is too small due to an invalid crop, which can lead to an OOB write that could result in remote arbitrary code execution in a privileged process.
CVE-2017-0762
Remote Code Execution in MediaserverIn common/arm/ihevc_intra_pred_filters_luma_mode_11_to_17.s, in ihevc_intra_pred_luma_mode_11_to_17_a9q, the idx can go OOB, leading to an OOB write, which could result in remote arbitrary code execution in a privileged process.CVE-2017-0763
Remote Code Execution in MediaserverIn Tremolo/res012.c in res_inverse alloca is used with a direct multiplication which could result in an integer overflow. Thus a small stack buffer is allocated but an OOB write occurs which can result in an RCE in privileged process.CVE-2017-0764
Remote Code Execution in Mediaserver
In mpeg2dec/SoftMPEG2.cpp in getMinTimestampIdx, a timeStampIdx of -1 ends up corrupting mFlushOutBuffer, which is then freed and could result in arbitrary remote code execution in a privileged process.
CVE-2017-0765
Remote Code Execution in Mediaserver
In jpgfile.c in ReadJpegSections, an OOB write occurs into the Sections[SectionsRead].Type field which could result in arbitrary remote code execution in an unprivileged process
CVE-2017-0766
Elevation of Privilege in Mediaserver
In lvm/wrapper/Bundle/EffectBundle.cpp in Equalizer_getParameter, an integer overflow can occur if pValueSize == 0, which can later lead to an OOB write that could result in arbitrary remote code execution in a privileged process.
CVE-2017-0767
Elevation of Privilege in Mediaserver
In lvm/wrapper/Reverb/EffectReverb.cpp in Reverb_command, there is no check of the size of pReplyData. Thus if replySize is set to 4, it can return a 4-byte OOB write, which could result in local arbitrary code execution in a privileged process.
CVE-2017-0768
Elevation of Privilege in Mediaserver
In libmediaplayerservice/MediaPlayerService.cpp in several functions, 2 threads can access the sp pointer without locks.
CVE-2017-0770
Denial of Service in MediaserverIn decoder/ih264d_parse_slice.c in ih264d_frm_to_fld, pu1_col_zero_flag_start can be NULL which can lead to a remote denial of service.CVE-2017-0772
Denial of Service in Mediaserver
In decoder/ihevcd_parse_slice.c in ihevcd_parse_slice_data, PU sizes do not account for skipped error clips.
CVE-2017-0773
Denial of Service in Mediaserver
In libstagefright/MPEG4Extractor.cpp, if readAt fails to find the next moof box, the chuck_size read will be 0 and the offset will never increase.
CVE-2017-0774
Denial of Service in MediaserverIn mpeg2ts/ESQueue.cpp in ElementaryStreamQueue::dequeueAccessUnitAAC, aac_frame_length can be set to 0 resulting in a infinite loop, which can lead to a remote denial of service.CVE-2017-0775
Denial of Service in MediaserverIn decoder/ih264d_parse_bslice.c (and several other files) in ih264d_fill_bs1_16x16mb_bslice, ppv_map_ref_idx_to_poc_l1 is not always initialized.CVE-2017-0776
Denial of Service in Mediaserver
In arm-wt-22k/lib_src/eas_wtsynth.c in WT_Interpolate, pSamples can increment past the end of the actual buffer leading to an OOB read, which could lead to a remote denial of service.
CVE-2017-0777
Denial of Service in MediaserverIn MPEG4Extractor.cpp in MPEG4Extractor::parse3GPPMetaData, in the yrrc box, an OOB read can occur, which can lead to a remote denial of service.CVE-2017-0778
Information Disclosure in Mediaserver
In BufferProviders.cpp in ReformatBufferProvider::copyFrames, there is no check of the size of the copy compared to the src buffer.
CVE-2017-0779
Elevation of Privilege in NFCThe BeamShareActivity was not verifying that an application had been granted the READ_EXTERNAL_STORAGE permission when processing a File URI intent.CVE-2017-0784
Elevation of Privilege in Broadcom Wi-Fi DriverThe wl_escan_handler() function of the Broadcom wireless driver has insufficient checks for integer overflows. A bad request from the wireless firmware could cause insufficient memory allocation, memory overflows, and arbitrary code execution.CVE-2017-0786
Elevation of Privilege in Broadcom Wi-Fi DriverThe dhd_pno_process_epno_result() function of the Broadcom wireless driver multiplies an unsigned count value by sizeof(dhd_epno_results_t) to get the size of a memory allocation. If the count sent by the wireless firmware is too large and the multiplication overflows, it will copy elements past the end of the allocated buffer, leading to memory corruption and potential arbitrary code execution.CVE-2017-0787
Elevation of Privilege in Broadcom Wi-Fi DriverThe dhd_handle_swc_evt() function of the Broadcom wireless driver allocates memory before checking for some failure cases. In those failure cases, the allocated memory is preserved, but the required size can be changed before calling the function again, but the old allocation is used. If the new size is larger, the allocated buffer might overflow, leading to kernel memory corruption and potential arbitrary code execution.CVE-2017-0789
Elevation of Privilege in Broadcom Wi-Fi DriverThe dhd_process_full_gscan_result() function of the Broadcom wireless driver does not check for integer overflow when using the bi_length parameter. An overflow in this parameter may lead to kernel memory corruption and potential arbitrary code execution.CVE-2017-0790
Elevation of Privilege in Broadcom Wi-Fi Driver
The wl_notify_rx_mgmt_frame() function of the Broadcom wireless driver does not check for integer underflow in data lengths of incoming events. A bad event from the wireless firmware could cause a very large copy, leading to memory corruption in the kernel and arbitrary code execution.
CVE-2017-0791
Information Disclosure in Broadcom Wi-Fi DriverThe dhd_rtt_event_handler() function of the Broadcom wireless driver does not properly check the tlvs_len parameter of incoming event data. A bad event from the wireless firmware could cause an out-of-bounds read in mapped kernel memory.CVE-2017-0792
Remote Code Execution in KernelThe inet_csk_clone_lock() function has a double-free vulnerability that can be triggered by a remote attacker.CVE-2017-8890
Elevation of Privilege in KernelThe dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause memory corruption that might lead to arbitrary code execution.CVE-2017-9076
Information Disclosure in KernelThe do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.CVE-2017-9150
Elevation of Privilege in Kernel IPX protocol DriverThe ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause use-after-free errors or other memory corruption.CVE-2017-7487
Denial of Service in KernelThe tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.CVE-2017-6214
Elevation of Privilege in KernelThe fanout_add() function does not have sufficient mutex locking around using shared packet_rollover objects. Concurrent use could lead to use-after-free errors or other kernel memory corruption, enabling arbitrary code execution.CVE-2017-6346
Information Disclosure in KernelThe ip6gre_err() function does not properly account for the length of the IPv6 header, and reads kernel memory outside the bounds of incoming data.CVE-2017-5897
Information Disclosure in Kernel File SystemIn the ext4 filesystem implementation, a crash can interrupt the journal write after the data itself is written. An attacker that creates a new file after a crash may gain access to that data.CVE-2017-7495
Information Disclosure in Kernel
Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation
CVE-2017-7616
Elevation of Privilege in Kernel SCSI DriverThe sg_ioctl() function does not have sufficient mutex protection around global data writes. Concurrent access to this ioctl can cause use-after-free errors, double-free errors, and other memory corruption issues in the kernel that could lead to arbitrary code execution.CVE-2017-0794
Elevation of Privilege in Qualcomm Memory subSystem
Passing in too large a value into the ION memory allocator results in the integer being truncated, leading to memory corruption.
CVE-2017-9725
Elevation of Privilege in Qualcomm
The ION driver allows the user to specify an address (possibly in kernel space) to write a NULL to.
CVE-2017-9724
Elevation of Privilege in Qualcomm Audio Driver
There is a possible out-of-bounds write in omx_aac_aenc::fill_this_buffer_proxy
CVE-2017-9720
Elevation of Privilege in Qualcomm GPU Driver
There is a possible integer overflow in the GPU driver that could lead to an out-of-bounds write.
CVE-2017-8250
Elevation of Privilege in Qualcomm Audio Driver
In function msm_compr_ioctl_shared, variable ddp->params_length could be accessed and modified by multiple threads, while it is not protected with locks, allowing a race condition that could result in an out-of-bounds write.
CVE-2017-9677
Information Disclosure in Qualcomm File SystemThere is possible information disclosure when reading from debugfs drivers for msm_bus, due to a race condition and a use-after-free.CVE-2017-9676
Elevation of Privilege in Qualcomm WLAN DriverDuring wlan calibration data store and retrieve operations, there is a race condition that could lead to arbitrary code execution.CVE-2017-8280
Elevation of Privilege in Qualcomm Camera Driver
In the camera driver, the num_streams value passed to msm_isp_check_stream_cfg_cmd and msm_isp_stats_update_cgc_override wasn't bounds checked, resulting in a possible out-of-bounds write.
CVE-2017-8251
Elevation of Privilege in Qualcomm Camera DriverThe reference count on the camera driver has some operations that aren't sufficiently atomic.CVE-2017-8247
Elevation of Privilege in Qualcomm Camera DriverIn the msm_isp_update_stats_stream function in the camera driver, there is a possible out-of-bounds write due to an incorrect bounds check.CVE-2017-9720
Elevation of Privilege in Qualcomm Video DriverIn the function msm_dba_register_client, if the client registration failed, it would be freed. However, the client was not removed from the list. Use-after-free would occur when traversing the list next time.CVE-2017-8277
Information Disclosure in Qualcomm Automotive multimediaA query function in the DCI driver lacked the same locking as the the rest of the driver, so a query could interrupt the teardown function and read from freed memory.CVE-2017-8281
Remote Code Execution in Mediaserver
A logical error in the bnep_data_ind function results in a copy operation overflowing the buffer by 8 bytes, using remotely provided data.
CVE-2017-0781
Remote Code Execution in MediaserverThe vulnerability is a heap buffer overflow in bnep_process_control_packet in which unvalidated data is used in calculating the length of a copy operation. This allows for a remote attacker to overflow the allocated buffer.CVE-2017-0782
Information Disclosure in Mediaserver
An attacker could initiate a PAN connection to an Android phone, allowing them to initiate a reverse tether and act as a man-in-the-middle for network traffic
CVE-2017-0783
Information Disclosure in MediaserverThe process_service_search function allowed for a remote attacker to leak stack information from the Bluetooth network code through the use of deliberately malformed continuation requests.CVE-2017-0785

BlackBerry KEYone Sicherheitsupdate - Build AAO472BlackBerry empfiehlt auf die neueste Version upzudaten.

We recommend users update to the latest available software build.

BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (September 2017) and addresses issues in that bulletin that affect BlackBerry powered by Android smartphones.”

Das BlackBerry KEYone Update ist 118,2 MB groß und kommt per OTA auf eure BlackBerry KEYone Geräte. Um das Update zu erhalten, geht in eure “Aktualisierungen” App und sucht dort nach dem Update.

Hat Dir dieser Artikel gefallen, dann teile ihn doch mit Deinen Freunden …

Hat Dir dieser Artikel gefallen? Dann teile ihn doch mit Deinen Freunden …

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert