Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
Google patches include patches up to Android Security Bulletin – November 2019 package. The Bulletin (November 2019) contains the following CVE items:
Critical
CVE-2018-13916, CVE-2019-2315, CVE-2019-2271(A-129766175), CVE-2019-2289, CVE-2019-2336, CVE-2019-2339, CVE-2019-2204, CVE-2019-2205, CVE-2019-2206
High
CVE-2019-2295, CVE-2019-2303, CVE-2019-10490, CVE-2019-2271(A-129765571), CVE-2019-2335, CVE-2019-2318, CVE-2018-19824, CVE-2018-11902, CVE-2019-10535, CVE-2019-2268, CVE-2019-2192, CVE-2019-2193, CVE-2019-2195, CVE-2019-2199, CVE-2019-2211, CVE-2019-2197, CVE-2019-2201, CVE-2019-2202, CVE-2019-2203, CVE-2019-2233, CVE-2019-2207, CVE-2019-2212, CVE-2019-2208, CVE-2019-2209, CVE-2019-2117, CVE-2019-2215
Moderate
None
Already included in previous updates
Not applicable to Samsung devices
CVE-2019-2251, CVE-2019-2329
※ Please see Android Security Bulletin for detailed information on Google patches.
Along with Google patches, Samsung Mobile provides 39 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR November-2019 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.
SVE-2019-14299: Insecure PermissionWhiteLists restriction on Firewall Application
Severity: Moderate
Affected Versions: N(7.1), O(8.x), P(9.0) devices released in China
Reported on: April 8, 2019
Disclosure status: Privately disclosed.
An invalid caller check in the Firewall application, which is included in devices released in China, allows access without authentication.
The patch adds signature check logic in the Firewall application.
SVE-2019-14651, SVE-2019-14666: Arbitrary memory overwrite and stack overflow in SEM Trustlet
Severity: Critical
Affected Versions: Selected P(9.0) Qualcomm and TEEGRIS devices
Reported on: May 24, 2019
Disclosure status: Privately disclosed.
A possible arbitrary memory overwrite and stack overflow in SEM Trustlet allows arbitrary code execution.
The patch adds size check logic of wsm data in SEM Trustlet.
SVE-2019-14857: Heap Overflow in KNOX KAP Driver
Severity: Low
Affected Versions: P(9.0)
Reported on: June 18, 2019
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability exists in knox_kap driver.
The patch adds proper size check to prevent heap overflow.
SVE-2019-14869: OOB Read in WiFi vendor command
Severity: Low
Affected Versions: N(7.x), O(8.x), P(9.0) devices with Broadcom chipsets
Reported on: June 19, 2019
Disclosure status: Privately disclosed.
A possible out-of-bounds read vulnerability exists in the WiFi vendor command, resulting in an information leak.
The patch code adds proper size check to prevent OOB read.
SVE-2019-14942: OOB Read and Information Leak in a function in Kernel driver
Severity: Low
Affected Versions: N(7.x), O(8.x), P(9.0) devices with selected Exynos chipsets
Reported on: July 25, 2019
Disclosure status: Privately disclosed.
A possible buffer over-read and possible information leak vulnerability exists in the core touch screen driver.
The patch code checks the null byte of the buffer in the core touch screen driver.
SVE-2019-14965, SVE-2019-14966, SVE-2019-14968, SVE-2019-14969, SVE-2019-14970, SVE-2019-14980, SVE-2019-14981, SVE-2019-14982, SVE-2019-14983, SVE-2019-14984, SVE-2019-15122, SVE-2019-15123: Stack overflow and OOB Read in Kernel drivers
Severity: Low
Affected Versions: P(9.0) devices with selected Exynos chipsets
Reported on: June 18, 2019
Disclosure status: Privately disclosed.
Possible buffer overflow and out-of-bounds read vulnerabilities exist in kernel drivers related to the Wi-Fi module.
The patch adds the proper validation of the buffer length to prevent buffer overflow and out-of-bounds read.
SVE-2019-15034: Stack overflow in kernel driver
Severity: Low
Affected Versions: N(7.1), O(8.x), P(9.0) devices with selected Exynos chipsets
Reported on: July 6, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability exists in kernel driver.
The patch adds the proper validation of the buffer.
SVE-2019-15090: FRP bypass using SamsungPay mini
Severity: Moderate
Affected Versions: P(9.0)
Reported on: July 15, 2019
Disclosure status: Publicly disclosed.
A vulnerability allows FRP bypass with SamsungPay mini app.
The patch addressed the issue.
SVE-2019-15274: OOB write in ICCC Trustlet
Severity: High
Affected Versions: O(8.x), P(9.0) devices with selected Exynos chipsets
Reported on: August 14, 2019
Disclosure status: Privately disclosed.
An invalid size check vulnerability exists in ICCC Trustlet.
The patch adds size check logic in the Trustlet.
SVE-2019-15283: Arbitrary memory write in TEEGRIS
Severity: Critical
Affected Versions: O(8.x), P(9.0) devices with Exynos chipset
Reported on: August 18, 2019
Disclosure status: Privately disclosed.
A buffer overflow vulnerability in the HDCP Trustlet allows arbitrary memory write in secure memory within TEEGRIS.
The patch adds proper validation of the buffer length in the trustlet and blocks access to the unnecessary memory region.
SVE-2019-15350: Bluetooth firmware allows coexistence with WiFi
Severity: Low
Affected Versions: N(7.x), O(8.x), P(9.0) devices with Broadcom WiFi chipsets
Reported on: August 21, 2019
Disclosure status: Privately disclosed.
A vulnerability in Broadcom Bluetooth firmware enables a DoS attack on Broadcom Wi-Fi through the common interface shared between them.
The patch addressed the issue.
SVE-2019-15398: Data leakage through Bluetooth debug command
Severity: Low
Affected Versions: O(8.x), P(9.0)
Reported on: August 29, 2019
Disclosure status: Privately disclosed.
A vulnerability allows access to some data through Bluetooth debug command.
The patch blocks access to data through Bluetooth debug command.
SVE-2019-15399: Potential buffer overflow in Bootloader
Severity: Low
Affected Versions: P(9.0) devices with Qualcomm chipset
Reported on: August 29, 2019
Disclosure status: Privately disclosed.
A possible buffer overflow vulnerability exists in the bootloader of factory binary.
The patch adds proper validation of the buffer length.
SVE-2019-15724: Heap OOB in LE Packet reception
Severity: Critical
Affected Versions: N(7.x), O(8.x), P(9.0) devices with Broadcom chipsets
Reported on: September 13, 2019
Disclosure status: Privately disclosed.
A heap overflow vulnerability in Broadcom Bluetooth can lead to remote code execution.
The patch addressed the issue.
SVE-2019-16009: Ultrasonic fingerprint scanner issue
Severity: High
Affected Versions: Galaxy S10/S10+/S10 5G and Note10/10+ devices
Reported on: October 17, 2019
Disclosure status: Publicly disclosed.
Inside surface textures of certain silicone covers may be recognized as a fingerprint resulting in unlocking of device.
The patch fixes the fingerprint issue.
Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.
- Thomas Julien: SVE-2019-14299
- Hung Chi Su: SVE-2019-14651, SVE-2019-14666
- Salerno, Steven: SVE-2019-14857, SVE-2019-14869, SVE-2019-14942, SVE-2019-14965, SVE-2019-14966, SVE-2019-14968, SVE-2019-14969, SVE-2019-14970, SVE-2019-14980, SVE-2019-14981, SVE-2019-14982, SVE-2019-14983, SVE-2019-14984, SVE-2019-15122, SVE-2019-15123, SVE-2019-15034
- MIRCEA PASCA: SVE-2019-15090
- Aleksndr Tarasikov: SVE-2019-15274
- Menarini, Federico: SVE-2019-15283
- Jiska Classen: SVE-2019-15350
- Karim, Imtiaz: SVE-2019-15398
- Thomas Huntington: SVE-2019-15399
- Jan Ruge: SVE-2019-15724