November 2017 Security Bulletin

November 28, 2017 | Security Bulletin

This document describes security vulnerabilities that were addressed through software changes up to October 2017. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes apply to, but are not limited to, Android for MSM (all Android releases from CAF using the Linux kernel) and the Firefox OS for MSM and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-9683 | @derrekr6 (https://twitter.com/derrekr6)

CVE-2016-8417, CVE-2016-8479, CVE-2017-11000, CVE-2017-11041, CVE-2017-11053, CVE-2017-8271, CVE-2017-9691 | Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/bulletin/ for individual credit information.

CVE-2016-5856, CVE-2017-9714 | Scott Bauer

CVE-2016-5346 | Seven Shen from Trend Micro Mobile Threat Research Team

Table of vulnerabilities

Public ID | Security Rating | Technology Area | Date Reported
CVE-2016-5346 | Medium | Audio | 12/6/2016
CVE-2016-5856 | Medium | Trusted Execution Environment | 11/24/2016
CVE-2016-8417 | Medium | Camera | 11/11/2016
CVE-2016-8479 | High | Graphics_Linux | 11/23/2016
CVE-2017-11000 | Medium | Camera | 4/11/2017
CVE-2017-11041 | High | Video | 5/26/2017
CVE-2017-11053 | High | WLAN HOST | 6/15/2017
CVE-2017-8271 | Medium | Display | 4/4/2017
CVE-2017-9683 | High | Boot | 4/20/2017
CVE-2017-9691 | Medium | Trusted Execution Environment | 1/26/2017
CVE-2017-9714 | High | WLAN HOST | 5/12/2017

CVE-2016-5346

Title: Information Exposure in Audio
Description: While processing IOCTL_GET_AVTIMER_TICK, the uninitialized value of avtimer_tick is copied to user space.
Technology Area: Audio
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 12/6/2016
Customer Notified Date: 1/10/2017
Patch

CVE-2016-5856

Title: Integer Overflow to Buffer Overflow in Core
Description: In function spcom_handle_send_command(), an out-of-bounds access and an integer overflow leading to a heap buffer overflow may potentially occur.
Technology Area: Trusted Execution Environment
Vulnerability Type: CWE-680 Integer Overflow to Buffer Overflow
Access Vector: Local
Security Rating: Medium
Date Reported: 11/24/2016
Customer Notified Date: 1/10/2017
Patch

CVE-2016-8417

Title: Improper Input Validation in Camera
Description: A memory over-read or overwrite is possible in the Camera driver due to improper bounds checking in function msm_jpeg_hw_exec_cmds.
Technology Area: Camera
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: Medium
Date Reported: 11/11/2016
Customer Notified Date: 1/10/2017
Patch

CVE-2016-8479

Title: Use of Uninitialized Variable in Graphics
Description: A KGSL function allocates a context from the heap, but another function dereferences the context before it is initialized.
Technology Area: Graphics_Linux
Vulnerability Type: CWE-457 Use of Uninitialized Variable
Access Vector: Local
Security Rating: High
Date Reported: 11/23/2016
Customer Notified Date: 1/10/2017
Patch

CVE-2017-11000

Title: Improper Input Validation in Camera
Description: In an ISP Camera kernel driver function, an incorrect bounds check may potentially lead to an out-of-bounds write.
Technology Area: Camera
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: Medium
Date Reported: 4/11/2017
Customer Notified Date: 9/1/2017
Patch

CVE-2017-11041

Title: Use After Free in Video
Description: An output buffer is accessed in one thread and can potentially be freed in another.
Technology Area: Video
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: 5/26/2017
Customer Notified Date: 9/1/2017
Patch

CVE-2017-11053

Title: Improper Validation of Array Index in WLAN
Description: When a QoS Map Set IE of length less than 16 is received in an association response or in a QoS Map Configure action frame, a buffer overflow can potentially occur in ConvertQosMapsetFrame().
Technology Area: WLAN HOST
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: 6/15/2017
Customer Notified Date: 9/1/2017
Patch
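The element behind CVE-2017-11053 carries 0 to 21 DSCP Exception pairs followed by a mandatory table of 8 DSCP Range pairs (16 bytes), which is why an element shorter than 16 bytes must be rejected before it is decoded. The parser below is an added example written for this bulletin, not Qualcomm or CAF code; the function and type names (parse_qos_map_set, struct qos_map) are hypothetical, and the inputs are constructed.

```c
/* Added example: bounds-checked decoding of an IEEE 802.11 QoS Map Set
 * element body (the bytes after Element ID and Length). Names are
 * hypothetical; this is not the driver's ConvertQosMapsetFrame(). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define QOS_MAP_RANGE_BYTES    16   /* 8 user priorities x (low, high) */
#define QOS_MAP_MAX_EXCEPTIONS 21

struct qos_map {
    uint8_t num_exceptions;
    uint8_t exception[QOS_MAP_MAX_EXCEPTIONS][2]; /* {dscp, up} */
    uint8_t range[8][2];                          /* {low, high} per UP */
};

/* Returns true and fills *out only for a well-formed element body.
 * A body shorter than the 16-byte range table, an odd length, or more
 * exception pairs than the element allows is rejected before any copy. */
bool parse_qos_map_set(const uint8_t *ie, size_t ie_len, struct qos_map *out)
{
    if (ie == NULL || out == NULL)
        return false;
    if (ie_len < QOS_MAP_RANGE_BYTES || (ie_len & 1) != 0)
        return false;
    size_t exc_bytes = ie_len - QOS_MAP_RANGE_BYTES;
    if (exc_bytes / 2 > QOS_MAP_MAX_EXCEPTIONS)
        return false;

    memset(out, 0, sizeof(*out));
    out->num_exceptions = (uint8_t)(exc_bytes / 2);
    for (size_t i = 0; i < out->num_exceptions; i++) {
        out->exception[i][0] = ie[2 * i];
        out->exception[i][1] = ie[2 * i + 1];
        if (out->exception[i][0] > 63 || out->exception[i][1] > 7)
            return false;                 /* DSCP is 6 bits, UP is 3 bits */
    }
    for (size_t up = 0; up < 8; up++) {
        out->range[up][0] = ie[exc_bytes + 2 * up];
        out->range[up][1] = ie[exc_bytes + 2 * up + 1];
    }
    return true;
}

/* Constructed inputs: a truncated 10-byte body of the kind the advisory
 * describes, and a minimal valid 16-byte body with no exceptions. */
static const uint8_t short_ie[10] = {0};
static const uint8_t valid_ie[16] = {
    0, 7,  8, 15,  16, 23,  24, 31,  32, 39,  40, 47,  48, 55,  56, 63 };
```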

CVE-2017-8271

Title: Buffer overflow in video driver
Description: An out-of-bounds memory write can happen in the MDSS Rotator driver due to an unsanitized userspace-controlled parameter.
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: Medium
Date Reported: 4/4/2017
Customer Notified Date: 9/1/2017
Patch

CVE-2017-9683

Title: Integer Overflow or Wraparound in Boot
Description: While flashing a meta image, an integer overflow can occur if the user-defined image offset and size values are too large.
Technology Area: Boot
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
Date Reported: 4/20/2017
Customer Notified Date: 6/5/2017
Patch
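The bug class in CVE-2017-9683 is a per-image offset and size, both taken from the flashed image, whose sum wraps in 32-bit arithmetic so that a naive "offset + size <= total" check passes while the range actually extends past the buffer. The code below is an added example for this bulletin, not bootloader or CAF code; struct meta_entry, meta_entry_in_bounds and the sample header are hypothetical and constructed, and the naive check is shown only to contrast with the wrap-safe form.

```c
/* Added example: validating offset/size pairs from a meta image header
 * before they are used to address the image body. Names hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

struct meta_entry {
    uint32_t offset;   /* byte offset of the sub-image inside the meta image */
    uint32_t size;     /* byte length of the sub-image */
};

/* The check as it is often written: the 32-bit addition can wrap, so an
 * entry far past the end of the image may be accepted. */
bool meta_entry_naive(const struct meta_entry *e, uint32_t total_len)
{
    return e->offset + e->size <= total_len;
}

/* Wrap-safe form: reject offsets beyond the image first, then compare the
 * size against the remaining space. No addition is performed, so nothing
 * can overflow. */
bool meta_entry_in_bounds(const struct meta_entry *e, uint32_t total_len)
{
    if (e->offset > total_len)
        return false;
    return e->size <= total_len - e->offset;
}

/* Checks every entry of a header; returns the index of the first bad
 * entry, or -1 when all entries fit inside the image. */
int meta_validate(const struct meta_entry *entries, size_t count, uint32_t total_len)
{
    for (size_t i = 0; i < count; i++)
        if (!meta_entry_in_bounds(&entries[i], total_len))
            return (int)i;
    return -1;
}

/* Constructed header for a 1 MiB meta image. Entry 1 wraps: 0xFFFFF000 +
 * 0x2000 = 0x1000 in uint32_t, which the naive check accepts. Entry 2
 * runs one byte past the end without wrapping. */
#define SAMPLE_TOTAL_LEN 0x00100000u
static const struct meta_entry sample_entries[] = {
    { 0x00001000u, 0x00040000u },
    { 0xFFFFF000u, 0x00002000u },
    { 0x00080000u, 0x00080001u },
};
#define SAMPLE_COUNT (sizeof sample_entries / sizeof sample_entries[0])
```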

CVE-2017-9691

Title: Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description: There is a race condition that allows access to already-freed memory in the debug message output functionality contained within the mobicore driver.
Technology Area: Trusted Execution Environment
Vulnerability Type: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector: Local
Security Rating: Medium
Date Reported: 1/26/2017
Customer Notified Date: 7/3/2017
Patch

CVE-2017-9714

Title: Improper Validation of Array Index in WLAN
Description: An out-of-bounds memory access may happen in limCheckRxRSNIeMatch if an incorrect RSN IE is received from the client in an association request.
Technology Area: WLAN HOST
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Adjacent Network
Security Rating: High
Date Reported: 5/12/2017
Customer Notified Date: 7/3/2017
Patch

Industry Coordination

The security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections, such as SELinux, that are not enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version | Date | Comments
1.0 | November 20, 2017 | Bulletin Published