Samsung Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include all up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.

SMR-SEP-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – September 2016 package.

The Bulletin (September 2016) contains the following CVE items:
CVE-2016-3861(C), CVE-2016-3862(C), CVE-2016-2429(C), CVE-2016-3863(H), CVE-2016-3822(H), CVE-2016-3870(H), CVE-2016-3871(H), CVE-2016-3872(H), CVE-2016-3875(H), CVE-2016-3876(H), CVE-2016-3823(H), CVE-2016-3899(H), CVE-2016-3878(H), CVE-2016-3879(H), CVE-2016-3880(H), CVE-2016-3881(H), CVE-2016-2495(H), CVE-2016-3883(M), CVE-2016-3884(M), CVE-2016-3885(M), CVE-2016-3888(M), CVE-2016-3889(M), CVE-2016-3890(M), CVE-2016-3833(M), CVE-2016-3895(M), CVE-2016-3896(M), CVE-2016-3897(M), CVE-2016-3898(M), CVE-2016-2427(M), CVE-2016-2503(C), CVE-2014-9790(H), CVE-2016-2501(H), CVE-2014-9902(C), CVE-2014-9863(H), CVE-2014-9864(H), CVE-2014-9865(H), CVE-2014-9867(H), CVE-2014-9869(H), CVE-2014-9870(H), CVE-2014-9874(H), CVE-2014-9876(H), CVE-2014-9877(H), CVE-2014-9881(H), CVE-2014-9882(H), CVE-2014-9884(H), CVE-2014-9887(H), CVE-2014-9890(H), CVE-2014-9891(H), CVE-2015-8940(H), CVE-2015-2686(C), CVE-2016-2474(C), CVE-2016-2546(H), CVE-2014-9904(H), CVE-2014-9892(H), CVE-2014-9894(H), CVE-2014-9896(H), CVE-2014-9900(H), CVE-2015-8944(H), CVE-2014-9901(H), CVE-2016-4578(M), CVE-2016-4569(M), CVE-2016-2504(C), CVE-2016-3842(C), CVE-2016-3854(H), CVE-2016-3855(H), and CVE-2016-2544(H).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low
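
For patch tracking, the `CVE-ID(S)` notation used in these lists can be parsed mechanically. The following is an added example, not Samsung's code: it parses a list, tallies severities per the legend, and reports CVEs that recur between two months' lists. The two sample strings are short excerpts of the September and August 2016 lists on this page, and all function names are hypothetical.

```python
import re
from collections import Counter

# Severity letters as defined in the bulletin's legend.
SEVERITY = {"C": "Critical", "H": "High", "M": "Moderate", "L": "Low"}

# One entry looks like "CVE-2016-3861(C)": year, sequence number, severity letter.
ENTRY_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\s*\(([A-Z])\)")

# Excerpts (not the full lists) from the September and August 2016 bulletins above.
SEP_EXCERPT = ("CVE-2016-3861(C), CVE-2016-3862(C), CVE-2016-2429(C), "
               "CVE-2016-3863(H), CVE-2016-3822(H), CVE-2016-3823(H), "
               "CVE-2016-3833(M), CVE-2016-2503(C), and CVE-2016-2544(H).")
AUG_EXCERPT = ("CVE-2016-3819(C), CVE-2016-3820(C), CVE-2016-3822(H), "
               "CVE-2016-3823(H), CVE-2016-3833(M), CVE-2016-2503(C), "
               "and CVE-2015-3872(C).")


def parse_cve_list(text):
    """Return {cve_id: severity_name} for every 'CVE-YYYY-NNNN(S)' entry.

    Raises ValueError on an unknown severity letter, or when one CVE is
    listed twice with different severities, so a garbled list is rejected
    instead of being silently accepted.
    """
    parsed = {}
    for year, seq, letter in ENTRY_RE.findall(text):
        cve = f"CVE-{year}-{seq}"
        if letter not in SEVERITY:
            raise ValueError(f"{cve}: unknown severity letter {letter!r}")
        severity = SEVERITY[letter]
        if parsed.get(cve, severity) != severity:
            raise ValueError(f"{cve}: conflicting severities in one list")
        parsed[cve] = severity
    return parsed


def severity_counts(parsed):
    """Count entries per severity name."""
    return Counter(parsed.values())


def carried_over(current, previous):
    """CVE IDs present in both parsed lists, sorted for stable output."""
    return sorted(set(current) & set(previous))


if __name__ == "__main__":
    sep = parse_cve_list(SEP_EXCERPT)
    aug = parse_cve_list(AUG_EXCERPT)
    print("September excerpt:", dict(severity_counts(sep)))
    print("Also listed in August:", carried_over(sep, aug))
```
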

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 9 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-6248: SystemUI Security issue

Severity: Medium
Affected versions: L(5.0/5.1), M(6.0) devices with Exynos7420 chipset
Reported on: June 7, 2016
Disclosure status: Privately disclosed.
The vulnerability exists due to a null pointer dereference in the fimg2d driver.
The patch verifies that the object is not null before dereferencing it.


In addition, the following CVEs are included as part of Samsung security patches:
CVE-2016-2059(H), CVE-2016-5340(H)
* Severity : (C)-Critical,   (H)-High,   (M)-Medium,   (L)-Low

※ Some of the CVE items in certain models were already included in previous maintenance release(s) such that they may not be included in this package.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Zhaozhanpeng of Cheetah Mobile : SVE-2016-6248

SMR-AUG-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – August 2016 package.

The Bulletin (August 2016) contains the following CVE items:
CVE-2016-3819(C), CVE-2016-3820(C), CVE-2016-3821(C), CVE-2016-3822(H), CVE-2016-3823(H), CVE-2016-3824(H), CVE-2016-3825(H), CVE-2016-3826(H), CVE-2016-3827(H), CVE-2016-3828(H), CVE-2016-3829(H), CVE-2016-3830(H), CVE-2016-3831(H), CVE-2016-3832(M), CVE-2016-3833(M), CVE-2016-3761(M), CVE-2016-2842(M), CVE-2016-3834(M), CVE-2016-3835(M), CVE-2016-3836(M), CVE-2016-3837(M), CVE-2016-3838(M), CVE-2016-3839(M), CVE-2016-3840(C), CVE-2016-3853(M), CVE-2016-2497(M), CVE-2016-3751(H), CVE-2016-3746(H), CVE-2016-3747(H), CVE-2016-2107(H), CVE-2016-2503(C), CVE-2016-2067(C), CVE-2016-3775(C), CVE-2014-9781(H), CVE-2015-8890(H), CVE-2016-3792(H), CVE-2016-3797(H), CVE-2016-3803(H), CVE-2016-2068(H), CVE-2016-3809(H), CVE-2016-0723(M), CVE-2015-3847(M), CVE-2016-2468(C), CVE-2016-2475(H), CVE-2016-2066(H), CVE-2016-2469(H), CVE-2016-2472(H), CVE-2016-2480(H), CVE-2016-2493(H), CVE-2016-2431(C), CVE-2015-6639(C), CVE-2015-6647(C), CVE-2016-2438(H), CVE-2016-2443(H), CVE-2015-6626(H), and CVE-2015-3872(C).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 8 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-6008: SideSync Security Issue

Severity: High
Affected versions: M(6.0)
Reported on: April 20, 2016
Disclosure status: This issue is publicly known.
Activating the SideSync application before the Setup Wizard stage has finished allows FRP to be bypassed by installing malicious applications.
The patch blocks activation of the SideSync application before the Setup Wizard stage has finished.


SVE-2016-6242: Possible Privilege Escalation in telecom

Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: May 11, 2016
Disclosure status: Privately disclosed.
A vulnerability in the SpamCall Activity components of the Telecom application can crash and reboot the device when a malformed serializable object is passed.
The patch supplements the exception handling routine to prevent the crash.


SVE-2016-6244: Possible Privilege Escalation in telecom

Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: May 11, 2016
Disclosure status: Privately disclosed.
A vulnerability in the SmartCall Activity components of the Telecom application can crash and reboot the device when a malformed serializable object is passed.
The patch supplements the exception handling routine to prevent the crash.


SVE-2016-6382: fimg2d NULL Pointer Dereference

Severity: Medium
Affected versions: L(5.0/5.1), M(6.0) devices with Exynos7420 chipset
Reported on: June 7, 2016
Disclosure status: Privately disclosed.
The vulnerability exists due to a null pointer dereference in the fimg2d driver.
The patch verifies that the object is not null before dereferencing it.


SVE-2016-6542: OMACP message parsing vulnerabilities

Severity: Medium
Affected versions: KK(4.4), L(5.0/5.1), and M(6.0)
Reported on: June 21, 2016
Disclosure status: Privately disclosed.
An OMACP message with an empty field in its WIFI profile is not covered by exception handling: it throws an exception and the resulting Android Runtime crash reboots the device.
The patch adds an exception handling routine for an empty field in the WIFI profile.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Zhaozhanpeng of Cheetah Mobile : SVE-2016-6242 (CVE-2016-6526), SVE-2016-6244 (CVE-2016-6527)
- James Fang and Anthony LAOU HINE TSUEI of Tencent Keen Lab : SVE-2016-6382
- Tom Court of Context : SVE-2016-6542

SMR-JUL-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – July 2016 package.

The Bulletin (July 2016) contains the following CVE items:
CVE-2016-2506(C), CVE-2016-2505(C), CVE-2016-2507(C), CVE-2016-2508(C), CVE-2016-3741(C), CVE-2016-3742(C), CVE-2016-3743(C), CVE-2016-2108(C), CVE-2016-3744(H), CVE-2016-3751(H), CVE-2016-3745(H), CVE-2016-3746(H), CVE-2016-3747(H), CVE-2016-3748(H), CVE-2016-3749(H), CVE-2016-3750(H), CVE-2016-3752(H), CVE-2016-3753(H), CVE-2016-2107(H), CVE-2016-3754(H), CVE-2016-3755(H), CVE-2016-3756(H), CVE-2016-3818(H), CVE-2016-3757(M), CVE-2016-3758(M), CVE-2016-3759(M), CVE-2016-3760(M), CVE-2016-3761(M), CVE-2016-3762(M), CVE-2016-3763(M), CVE-2016-3764(M), CVE-2016-3765(M), CVE-2016-3766(M), CVE-2016-2476(H), CVE-2016-2495(H), CVE-2016-2496(H), CVE-2016-2465(C), CVE-2016-2475(H), CVE-2016-2493(H), CVE-2016-2489(H), CVE-2016-2066(H), CVE-2016-2469(H), CVE-2016-2474(C), CVE-2016-2471(H), CVE-2016-2472(H), and CVE-2015-0571(H)
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 4 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-5953: Vulnerability in audio service

Severity: High
Affected versions: All devices supporting Samsung Professional Audio SDK
Reported on: April 5, 2016
Disclosure status: Privately disclosed.
The Jack audio service has no access control mechanism for shared memory, which enables a malicious application to access or modify values in shared memory, resulting in arbitrary code execution or privilege escalation.
The patch mitigates the risk by checking the values stored in shared memory and demoting the privilege of the service.


SVE-2016-5980: Null pointer dereference issue with socket

Severity: Medium
Affected versions: KK(4.4), L(5.0/5.1), M(6.0) devices which have the following combinations: AP + CP MDM9x35, or Qualcomm Onechip (MSM8909, MSM8996, MSM8916, and so on)
Reported on: April 12, 2016
Disclosure status: Privately disclosed.
The IPC socket code does not check null objects properly, and a null dereference would cause a system crash. An attacker may exploit this vulnerability to crash the system.
The patch introduces a routine to filter out null objects to prevent null pointer dereference.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Mark Brand of Google Project Zero : SVE-2016-5953
- Tim Xia of Baidu : SVE-2016-5980

SMR-JUN-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – June 2016 package.

The Bulletin (June 2016) contains the following CVE items:
CVE-2016-2463(C), CVE-2016-2464(C), CVE-2016-2428(C), CVE-2016-2477(H), CVE-2016-2478(H), CVE-2016-2479(H), CVE-2016-2480(H), CVE-2016-2481(H), CVE-2016-2482(H), CVE-2016-2483(H), CVE-2016-2484(H), CVE-2016-2485(H), CVE-2016-2486(H), CVE-2016-2487(H), CVE-2016-0847(H), CVE-2016-2495(H), CVE-2016-0830(H), CVE-2016-2496(M), CVE-2015-3847(M), CVE-2016-2499(M), CVE-2016-2500(M), CVE-2016-2062(C), CVE-2016-2488(H), CVE-2016-2441(H), CVE-2016-2442(H), CVE-2016-0774(L), CVE-2016-2410(H) and CVE-2016-0819(C)
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 9 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2015-5068: FRP Unlock by connecting external storage via OTG

Severity: High
Affected versions: Galaxy Devices in L(5.0/5.1) supporting USB OTG and involving MyFile2014_L_ESS
Reported on: October 22, 2015
Disclosure status: This issue is publicly known.
The vulnerability makes it possible to launch MyFiles and install malicious applications via USB OTG while the setup wizard is still running. Ultimately, it is possible to bypass the FRP.
The patch prevents access to MyFiles before the setup wizard has completed.


SVE-2015-5301: Disable AT Command via USB with secured lockscreen

Severity: Medium
Affected versions: KK(4.4)
Reported on: December 11, 2015
Disclosure status: Privately disclosed.
The vulnerability allows the device to be controlled via AT commands (USB) in spite of a secured lock screen.
The patch blocks AT commands while the secured lock screen is active.


SVE-2016-5381: SIM Lock bypass Issue

Severity: Low
Affected versions: L(5.0/5.1), M(6.0)
Reported on: January 4, 2016
Disclosure status: Privately disclosed.
There is a difference between SIM Lock guidance and its actual operation.
The patch corrects the description.


SVE-2016-5871: EAS SMIME algorithm security patch

Severity: Medium
Affected versions: M(6.0)
Reported on: March 21, 2016
Disclosure status: Privately disclosed.
Although the Email client is supposed to send encrypted SMIME messages with 3DES, it actually sends them with DES.
The fix changes the misconfigured encryption type to the correct one.


SVE-2016-5923: Application signature check bypass

Severity: High
Affected versions: L(5.0/5.1), M(6.0) on devices earlier than the GS6 that support Fingerprint
Reported on: March 16, 2016
Disclosure status: Privately disclosed.
A certificate containing an error makes it possible to bypass the signature check during installation of certain applications.
The fix corrects the exception handling of the signature check.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Roberto Paleari: SVE-2015-5301
- Stephen Ledger: SVE-2016-5381
- Mattias Gröndahl: SVE-2016-5871

SMR-MAY-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – May 2016 package.

The Bulletin (May 2016) contains the following CVE items:
CVE-2016-2428(C), CVE-2016-2429(C), CVE-2016-2430(C), CVE-2016-2439(H), CVE-2016-2440(H), CVE-2016-2447(H), CVE-2016-2448(H), CVE-2016-2449(H), CVE-2016-2450(H), CVE-2016-2451(H), CVE-2016-2452(H), CVE-2016-2461(M), CVE-2016-2462(M), CVE-2016-0705(M), CVE-2016-2457(M), CVE-2016-2458(M), CVE-2016-2459(M), CVE-2016-2460(M), CVE-2016-0801(C), CVE-2015-0569(C), CVE-2015-0570(C), CVE-2015-1805(C), CVE-2015-6642(H), CVE-2016-0830(H), CVE-2016-0823(H), CVE-2016-2423(M), CVE-2016-0847(H), CVE-2016-0843(C), CVE-2016-0844(C), CVE-2016-2410(H), CVE-2016-2411(H), and CVE-2016-0821(H).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 4 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-5317: Crash on Samsung Gallery with Malformed Input Files

Severity: High
Affected versions: L(5.0/5.1)
Reported on: December 16, 2015
Disclosure status: Privately disclosed.
A vulnerability in the Gallery library causes memory corruption while scanning malformed images, which makes it possible to change the PC (program counter) to an intended value.
The newly released 3rd-party library includes defensive code to prevent memory corruption.


SVE-2016-5733: Arbitrary interactions with the radio layer (RILD)

Severity: Medium
Affected versions: JBP(4.3), KK(4.4), L(5.0/5.1)
Reported on: February 23, 2016
Disclosure status: Privately disclosed.
A misused whitelist allows unauthorized processes to contact the RIL and issue radio-related commands such as sending SMS or placing calls.
The patch prevents unauthorized processes from accessing the RIL by removing misused lists from the whitelist.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Roberto Paleari: SVE-2016-5733

SMR-APR-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – April 2016 package.

The Bulletin (April 2016) has 41 items, which also contain the following 35 CVE items:
CVE-2016-1503(C), CVE-2014-6060(C), CVE-2016-0835(C), CVE-2016-0836(C), CVE-2016-0837(C), CVE-2016-0838(C), CVE-2016-0839(C), CVE-2016-0840(C), CVE-2016-0841(C), CVE-2016-0842(C), CVE-2016-0846(H), CVE-2016-0847(H), CVE-2016-0848(H), CVE-2016-0849(H), CVE-2016-0850(H), CVE-2016-2412(H), CVE-2016-2413(H), CVE-2016-2414(H), CVE-2016-2415(H), CVE-2016-2416(H), CVE-2016-2417(H), CVE-2016-2418(H), CVE-2016-2419(H), CVE-2016-2420(M), CVE-2016-2421(M), CVE-2016-2422(M), CVE-2016-2423(M), CVE-2016-2424(M), CVE-2016-2425(M), CVE-2016-2426(M), CVE-2016-2427(M), CVE-2016-1621(C), CVE-2016-0832(M), CVE-2016-0805(C), and CVE-2016-0806(C).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 4 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-5393: ACIPC-MSOCKET driver local privilege escalation Vulnerability

Severity: Critical
Affected versions: JBP(4.2) or KK(4.4) with Marvell chipset
Reported on: January 7, 2016
Disclosure status: Privately disclosed.
A vulnerability in the ACIPC_MSOCKET driver enables an attacker to escalate privileges by causing a stack overflow.
The fix prevents the stack overflow by restricting access to the file and correcting the vulnerable code.


SVE-2016-5534: Non-existent Notification Listener App Vulnerability

Severity: High
Affected versions: Galaxy S6 Edge
Reported on: January 17, 2016
Disclosure status: Privately disclosed.
The vulnerability allows any application that has a specific component name to receive notifications even though the corresponding application is not installed on the device.
The fix prevents the component from receiving any notification by removing the component explicitly from “enabled notification listeners”.


SVE-2016-5544: Clipboard Vulnerability

Severity: Medium
Affected versions: All devices using Samsung clipboard
Reported on: December 9, 2015
Disclosure status: Privately disclosed.
The vulnerability is a race condition that allows access to clipboard data.
The fix introduces synchronization points to avoid all possibility of a race condition.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Chiachih Wu and Xuxian Jiang of C0RE Team: SVE-2016-5393
- Ryan Johnson of Kryptowire: SVE-2016-5534
- Uri Kanonov and Avishai Wool of Tel Aviv University: SVE-2016-5544

SMR-MAR-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – March 2016 package.

The Bulletin (March 2016) has 16 items, excluding 6 items that apply only to Nexus; these also contain the following 18 CVE items:
CVE-2016-0815(C), CVE-2016-0816(C), CVE-2016-1621(C), CVE-2016-0818(C), CVE-2016-0824(H), CVE-2016-0826(H), CVE-2016-0827(H), CVE-2016-0828(H), CVE-2016-0829(H), CVE-2016-0830(H), CVE-2015-6611(H), CVE-2016-0831(M), CVE-2016-0832(M), CVE-2015-3847(M), CVE-2016-0728(C), CVE-2015-6640(C), CVE-2016-0801(C), and CVE-2016-0802(C).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 5 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-5301: Modem interface exposed via USB on Secure

Severity: Medium
Affected versions: All devices
Reported on: December 11, 2015
Disclosure status: This issue is publicly known.
This vulnerability allows attackers to use the modem interface in spite of secure lockscreen status.
The supplied patch prevents attackers from accessing the modem interface while the secure lockscreen is active.


SVE-2016-5421: FRP unlock using Z3X tool

Severity: Critical
Affected versions: L(5.0/5.1) with Spreadtrum or Marvell chipset
Reported on: November 14, 2015
Disclosure status: This issue is publicly known.
Manipulating the downloaded partitions of a binary makes it possible to bypass FRP (or RL).
The supplied patch blocks flashing of a binary that has a suspect partition structure.


SVE-2016-5435: Prevent IMEI modification

Severity: High
Affected versions: All devices with Shannon333/308/310 chipset
Reported on: January 18, 2016
Disclosure status: This issue is publicly known.
Some key information linked to the IMEI is kept, which eventually makes it possible to read and modify the IMEI.
The supplied patch keeps the information only while it is in use.


SVE-2016-5562: Security patch of IMEI write block on RIL

Severity: High
Affected versions: Selected models including S3(KK), Note2(KK), S4(L), Note3(L), and S5(L)
Reported on: October 29, 2015
Disclosure status: This issue is publicly known.
This vulnerability enables attackers to rewrite the IMEI by flashing customized firmware.
The supplied patch blocks rewriting of the IMEI through write protection.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Roberto Paleari and Aristide: SVE-2016-5301

SMR-FEB-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – February 2016 package.

The Bulletin (February 2016) has 10 items, which also contain the following 10 CVE items:
CVE-2016-0803(C), CVE-2016-0804(C), CVE-2016-0807(C), CVE-2016-0808(H), CVE-2016-0809(H), CVE-2016-0810(H), CVE-2016-0811(H), CVE-2016-0812(M), CVE-2016-0813(M), CVE-2015-6614(M).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2016-5036: SecNetfilter Security Patch

Severity: Medium
Affected versions: All devices using SecNetfilter driver on KK(4.4) or L(5.0/5.1)
Reported on: October 20, 2015
Disclosure status: This issue is publicly known.
A null pointer dereference while parsing the URL can cause memory corruption and be abused by attackers.
The supplied patch removes the ‘SecNetfilter’ driver.


SVE-2016-5134: TvoutService_C service DoS

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1), M(6.0)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A lack of appropriate exception handling allows attackers to crash the system easily, for example through a DoS attack.
The supplied patch prevents unexpected crashes by validating variables.


SVE-2016-5326: Buffer overflow vulnerability in Qualcomm WLAN Driver

Severity: Critical
Affected versions: J(4.2) and above with Qualcomm Wi-Fi chipset
Reported on: December 15, 2015
Disclosure status: This issue is publicly known.
The boundary condition is not checked before a memory copy, so data of an unexpected size can cause a buffer overflow.
The supplied patch prevents the buffer overflow by checking the sizes of source and destination.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Roberto Paleari and Aristide: SVE-2016-5036
- Vinc3nt4H of Alibaba Mobile Security Team : SVE-2016-5134

SMR-JAN-2016


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – January 2016 package.

The Bulletin (January 2016) has 9 items, which also contain the following 6 CVE items:
CVE-2015-6636(C), CVE-2015-6617(C), CVE-2015-6643(M), CVE-2015-5310(M), CVE-2015-6644(M), CVE-2015-6645(M).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2015-4958: msm_sensor_config security issues

Severity: Medium
Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset
Reported on: September 25, 2015
Disclosure status: This issue is publicly known.
Buffers are used without checking their boundaries, which can lead to memory corruption.
The applied patch prevents illegal memory access by checking the boundary.


SVE-2015-5081: Exposed provider and SQLi in SecEmailSync

Severity: High
Affected versions: L(5.0/5.1)
Reported on: October 10, 2015
Disclosure status: This issue is publicly known.
The combination of allowing unprivileged local applications to access some providers and an SQL injection (SQLi) vulnerability can enable any application to access all messages from ‘SecEmail’.
The supplied patch prevents the SQLi vulnerability by changing the query code, and prevents unprivileged access by restricting the permission.


SVE-2015-5109: Samsung Galaxy S6: android.media.process Face Recognition Memory Corruption (MdConvertLine)

Severity: Critical
Affected versions: KK(4.2/4.3/4.4), L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
When a malformed BMP image is scanned by a facial recognition library, it can trigger arbitrary code execution by overwriting the return address on the stack or in a register.
The newly released ‘libfacerecognition’ library includes defensive code to prevent memory corruption.


SVE-2015-5110: Samsung Galaxy S6: libQjpeg je_free Crash

Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: November 7, 2015
Disclosure status: This issue is publicly known.
A malformed JPEG file can cause memory corruption due to a flaw in ‘libQjpeg.so’, and this can be used to exploit the vulnerability.
The newly released ‘libQjpeg’ library includes defensive code to prevent memory corruption.


SVE-2015-5131: FRP/RL Bypass issue by hacking tools

Severity: Critical
Affected versions: All devices supporting FRP/RL
Reported on: November 11, 2015
Disclosure status: This issue is publicly known.
A vulnerability in download mode allows the FRP/RL partition to be reset by using the ‘Odin’ protocol.
The applied patch concerns the bootloader, which is confidential even inside Samsung.


SVE-2015-5133: IAndroidShm IAPAService service DoS

Severity: Low
Affected versions: KK(4.4), L(5.0/5.1)
Reported on: October 30, 2015
Disclosure status: This issue is publicly known.
A lack of proper exception handling in system services can lead to a crash when malicious service commands are called.
The applied patch prevents the crash by checking the condition of service commands.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Roberto Paleari and Aristide: SVE-2015-5081
- Natalie Silvanovich of Google Project Zero : SVE-2015-5109 , SVE-2015-5110
- Vinc3nt4H of Alibaba Mobile Security Team : SVE-2015-5133
- Chengjun and Wangyong of Alibaba Mobile Security Team : SVE-2015-4958 (CVE-2016-4038)

SMR-DEC-2015


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – December 2015 package.

The Bulletin (December 2015) has 24 items, which also contain the following 19 CVE items:
CVE-2015-6616(C), CVE-2015-6617(C), CVE-2015-6619(C), CVE-2015-6633(C), CVE-2015-6634(C), CVE-2015-6618(H), CVE-2015-6620(H), CVE-2015-6621(H), CVE-2015-6622(H), CVE-2015-6623(H), CVE-2015-6624(H), CVE-2015-6625(M), CVE-2015-6626(H), CVE-2015-6627(H), CVE-2015-6628(H), CVE-2015-6629(H), CVE-2015-6630(M), CVE-2015-6631(H), CVE-2015-6632(H).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 9 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2015-4018: Buffer overflow in datablock_write

Severity: Medium
Affected versions: KK(4.4) and above
Reported on: May 13, 2015
Disclosure status: This issue is publicly known. (CVE-2015-5524)
Received data is written without any inspection, which can lead to a buffer overflow.
The supplied patch prevents a buffer overflow by checking if the size of source data is smaller than the destination buffer’s.


SVE-2015-5068: Remove FRP Lock

Severity: High
Affected versions: Selected models including S6(TMO/SPR/USC only), Note5 and later which don’t use Samsung FRP
Reported on: October 22, 2015
Disclosure status: This issue is publicly known.
A vulnerability that allows access to MyFiles before Setup-Wizard has finished makes it possible to bypass the FRP lock by installing a malicious application.
The fix blocks Factory Reset before Setup-Wizard has finished.


SVE-2015-5123: Samsung Galaxy Edge baseband process vulnerability

Severity: Critical
Affected versions: Selected models including Galaxy S6/S6 Edge, Galaxy S6 Edge+, and Galaxy Note5 with Shannon333 chipset
Reported on: November 12, 2015
Disclosure status: This issue is publicly known. (CVE-2015-8546)
A stack overflow vulnerability enables an attacker to execute code remotely on vulnerable devices by pushing malicious code from a fake base station.
The supplied patch prevents the stack overflow.


In addition, the following CVEs are included as part of Samsung security patches:
CVE-2014-8173(L), CVE-2015-5697(M), CVE-2015-6252(M)
* Severity : (C)-Critical,   (H)-High,   (M)-Medium,   (L)-Low

※ Some of the CVE items were already included in previous maintenance release(s) for certain models, so they may not be included in this package.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.





Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Yanfeng Wang, Chiachih Wu, and Xuxian Jiang of C0RE Team : SVE-2015-4018 (CVE-2015-5524)
- Daniel Komaromy and Nico Golde : SVE-2015-5123 (CVE-2015-8546)

SMR-NOV-2015


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Samsung Android Security Update process.
This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – November 2015.

The Bulletin (November 2015) has 24 items, which also contain the following 7 CVE items:
CVE-2015-6608(C), CVE-2015-6609(C), CVE-2015-6611(H), CVE-2015-6610(H), CVE-2015-6612(H), CVE-2015-6613(H), CVE-2015-6614(M)
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 15 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.
Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2015-4363: Inputmethod vulnerability

Severity: Critical
Affected versions: KK(4.4) and above
Reported on: Blackhat London 2015
Disclosure status: This issue is publicly known.
The use of insecure ‘HTTP’ communication and the absence of a check on the extracted file path can allow ‘man-in-the-middle’ and ‘directory traversal’ attacks, respectively.
The respective fixes use secure ‘HTTPS’ communication and confirm the file path before extracting archived files.


SVE-2015-4598: FIMG2D_BITBLT_BLIT ioctl concurrency flaw

Severity: Medium
Affected versions: L(5.0/5.1) on selected models including Galaxy S6/S6 Edge, Galaxy S6 Edge+, Galaxy Note5 with Exynos7420 Chipset
Reported on: July 30, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7891)
A locking system that works incorrectly can lead to a memory error due to a race condition.
The fix avoids the race condition by adding a locking algorithm that is active at all times.


SVE-2015-4642: Samsung Gallery Bitmap Decoding Crash

Severity: Medium
Affected versions: L(5.0/5.1)
Reported on: August 04, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7895)
Use of a wrong sample size in the libSecMMCodec.so library can lead to a memory crash when processing a particular bitmap file.
The newly released 3rd-party libSecMMCodec.so library includes defensive code to prevent memory corruption.


SVE-2015-4647: Samsung Gallery GIF Parsing Crash

Severity: Medium
Affected versions: L(5.0/5.1)
Reported on: July 30, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7898)
Use of a wrong sample size in the libSecMMCodec.so library can lead to a memory crash when processing a particular bitmap file.
The newly released 3rd-party libSecMMCodec.so library includes defensive code to prevent memory corruption.


SVE-2015-4655: JavaScript Injection Possibility Patch

Severity: Critical
Affected versions: L(5.0/5.1)
Reported on: August 4, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7893)
Script in a received email is executed without any inspection, which can allow an attacker to execute arbitrary JavaScript when a user views an HTML email that contains HTML script tags or other events.
The supplied patch removes JavaScript contained in the email.


In addition, the following CVEs are included as part of Samsung security patches:
CVE-2015-7889(M), CVE-2015-4000(H), CVE-2014-9529(C), CVE-2014-8160(C), CVE-2013-2897(C), CVE-2013-2892(C), CVE-2013-2889(C), CVE-2013-2888(C), CVE-2013-2232(H), CVE-2012-6647(H), CVE-2014-8173(L), CVE-2014-1690(L), CVE-2014-7970(M), CVE-2014-4667(M), CVE-2014-4322(M), CVE-2014-4171(M), CVE-2014-3917(M), CVE-2014-3122(M), CVE-2014-2523(M), CVE-2014-2309(M), CVE-2014-0974(M), CVE-2014-0100(M), CVE-2013-7339(M), CVE-2013-4162(M), CVE-2013-2141(M), CVE-2013-1767(M), CVE-2013-0290(M)
* Severity : (C)-Critical,   (H)-High,   (M)-Medium,   (L)-Low

※ Some of the CVE items were already included in previous maintenance release(s) for certain models, so they may not be included in this package.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Natalie Silvanovich of Google Project Zero : SVE-2015-4642, SVE-2015-4647
- Lee Campbell of Google Project Zero : SVE-2015-4598
- James Forshaw and Matt Tait of Google Project Zero : SVE-2015-4655

SMR-OCT-2015


Samsung Mobile is releasing a maintenance release for select models as part of the monthly Samsung Android Security Update process.
This security update package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin - October 2015.

The Bulletin (October 2015) has 48 items, which also contain the following 29 CVE items:
CVE-2015-3873(C), CVE-2015-3872(C), CVE-2015-3871(C), CVE-2015-3868(C), CVE-2015-3867(C), CVE-2015-3869(C), CVE-2015-3870(C), CVE-2015-3823(C), CVE-2015-6598(C), CVE-2015-6599(C), CVE-2015-6600(C), CVE-2015-6603(C), CVE-2015-6601(C), CVE-2015-3876(C), CVE-2015-6604(C), CVE-2015-3874(C), CVE-2015-3875(C), CVE-2015-6602(C), CVE-2015-3877(C), CVE-2015-3863(H), CVE-2015-3879(H), CVE-2015-3865(H), CVE-2015-6596(H), CVE-2015-3878(M), CVE-2015-3847(M), CVE-2015-6605(L), CVE-2015-3862(L), CVE-2015-6606(H), and CVE-2015-6607(M).
* Severity : (C)-Critical,   (H)-High,   (M)-Moderate,   (L)-Low

※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 14 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices¹.


SVE-2015-2846: Information theft and screen theft attack for Galaxy S5

Severity: Critical
Affected versions: JBP(4.3) and above
Reported on: October 12, 2014
Disclosure status: This issue is publicly known. (CVE-2015-4034)
An attacker can craft a Parcelable object specifying arbitrary class files that will be loaded, resulting in remote code execution as the system user.
This results from the absence of any restriction on the source of the classes to be loaded in the createFromParcel() function.


SVE-2015-2858: Samsung SBeam Image Remote Information Disclosure Vulnerability

Severity: Critical
Affected versions: JBP(4.3) and above
Reported on: July 28, 2015
Disclosure status: This issue is publicly known. (CVE-2015-4033)
A vulnerability in the way that SBeam handles the initial connection can allow an attacker to download any or all images in the context of the SBeam service.
This attack is possible when a vulnerable device launches an HTTP server on port 15000, because this server does not authenticate the other party.
The patch ensures that the other side is reliable by adding a procedure to confirm the user before sharing contents.


SVE-2015-2885: Resurrecting the READ_LOGS permission

Severity: Critical
Affected versions: JBP(4.3) and KK(4.4.2)
Reported on: July 28, 2015
Disclosure status: This issue is publicly known.
Sensitive information can be disclosed because a world-readable copy of the log file is generated in the following three cases:
‘Unhandled exception in Dalvik VM’, ‘Application not responding ANR event’, and ‘Crash on an application’s native code’.
The fix restricts target users by reducing the read permission.


SVE-2015-4593: Seiren Kernel Driver Buffer Overflow

Severity: Medium
Affected versions: L(5.0) and above
Reported on: August 11, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7890)
A missing upper boundary check on streaming data can cause a buffer overflow when an incorrect buffer size is received from the user.
The fix avoids the buffer overflow by checking the size of the streaming data before copying it to local memory.


SVE-2015-4598: FIMG2D_BITBLT_BLIT ioctl Concurrency Flaw

Severity: Medium
Affected versions: L(5.0) and above
Reported on: July 30, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7891)
Deactivation of the synchronizing system at the /dev/fimg2d device node can cause a race condition and result in a memory corruption vulnerability.
The supplied patch always activates the synchronizing system and prevents dereferencing of illegal memory.


SVE-2015-4602: m2m1shot Kernel Driver Buffer Overflow

Severity: Medium
Affected versions: L(5.0) and above
Reported on: August 12, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7892)
A missing upper boundary check on the data size for JPEG reprocessing, such as decoding or scaling, can cause a buffer overflow when an incorrect buffer size is passed from the user.
The fix avoids the buffer overflow by checking the size of the passed data.


SVE-2015-4614: libQjpeg Image Decoding Memory Corruption

Severity: High
Affected versions: L(5.0) and above
Reported on: July 30, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7894)
Specific JPEG files (non-header information image) can cause memory corruption due to a flaw in libQjpeg.so, and this could be used to exploit the vulnerability.
The newly released 3rd-party libQjpeg library includes defensive code to prevent memory corruption.


SVE-2015-4643: libQjpeg DoIntegralUpsample Crash

Severity: Medium
Affected versions: L(5.0) and above
Reported on: August 8, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7896)
Specific JPEG files (non-header information image) can cause memory corruption due to a flaw in libQjpeg.so, and this could be used to exploit the vulnerability.
The newly released 3rd-party libQjpeg library includes defensive code to prevent memory corruption.


SVE-2015-4645: Face Recognition Memory Corruption

Severity: High
Affected versions: L(5.0) and above
Reported on: August 4, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7897)
Specific files can cause memory corruption when they are scanned by the face recognition library in android.media.process, due to a flaw in libfacerecognition.so, and this could be used to exploit the vulnerability.
The newly released 3rd-party libQjpeg library includes defensive code to prevent memory corruption.


SVE-2015-4649: ZIP Extraction in H20Settings/Settings_ESS

Severity: High
Affected versions: KK(4.4) and above
Reported on: August 4, 2015
Disclosure status: This issue is publicly known. (CVE-2015-7888)
A path traversal vulnerability can allow attackers to write a controlled file to an arbitrary path by using this feature: WifiHS20UtilityService reads any files placed in /sdcard/Download/cred.zip and unzips them into /data/bundle.


SVE-2015-4722: Defects Fix for Code Review Result of Stagefright

Severity: High
Affected versions: JBP(4.3) and above
Reported on: August 18, 2015
Disclosure status: This issue is publicly known.
The absence of bounds checking when allocating memory in Stagefright can lead to a heap overflow through dereferencing a large memory range after a small (0 size) memory allocation.
This fix prevents the heap overflow by checking the size.


¹ Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Mark Brand of Google Project Zero : SVE-2015-4649
- Natalie Silvanovich of Google Project Zero : SVE-2015-4614, SVE-2015-4643, SVE-2015-4645
- Ben Hawkes of Google Project Zero : SVE-2015-4602
- Ian Beer of Google Project Zero : SVE-2015-4593