Android Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – September 2020 package. The Bulletin (September 2020) contains the following CVE items:

Critical
CVE-2019-13998, CVE-2019-10615, CVE-2019-10562, CVE-2020-3619, CVE-2020-3667, CVE-2020-11116, CVE-2020-0245(O8.x,P9.0), CVE-2020-0380, CVE-2020-0396

High
CVE-2019-14025, CVE-2019-14056, CVE-2019-14065, CVE-2019-14119, CVE-2019-13999, CVE-2019-14115, CVE-2019-14089, CVE-2020-3643, CVE-2020-3636, CVE-2020-3611, CVE-2020-3624, CVE-2020-3644, CVE-2020-12464, CVE-2018-13903, CVE-2019-14052, CVE-2020-0069, CVE-2020-0260, CVE-2020-0252, CVE-2020-0253, CVE-2020-0251, CVE-2020-0254, CVE-2020-0255, CVE-2020-11128, CVE-2020-3640, CVE-2020-3675, CVE-2020-3668, CVE-2020-11115, CVE-2020-11118, CVE-2020-0074, CVE-2020-0388, CVE-2020-0391, CVE-2020-0401, CVE-2020-0382, CVE-2020-0389, CVE-2020-0390, CVE-2020-0395, CVE-2020-0397, CVE-2020-0399, CVE-2020-0245(Q10.0), CVE-2020-0392, CVE-2020-0381, CVE-2020-0383, CVE-2020-0384, CVE-2020-0385, CVE-2020-0393, CVE-2020-0386, CVE-2020-0394, CVE-2020-0379

Moderate
CVE-2020-0125, CVE-2020-0197, CVE-2020-0127, CVE-2020-0128, CVE-2020-0132, CVE-2020-0134, CVE-2020-0135, CVE-2020-0139, CVE-2020-0140, CVE-2020-0141, CVE-2020-0142, CVE-2020-0143, CVE-2020-0151, CVE-2020-0152, CVE-2020-0156, CVE-2020-0157, CVE-2020-0159, CVE-2020-0167, CVE-2020-0176, CVE-2020-0178, CVE-2020-0180, CVE-2020-0182, CVE-2020-0185, CVE-2020-0187, CVE-2020-0191, CVE-2020-0192, CVE-2020-0193, CVE-2020-0195, CVE-2020-0199, CVE-2020-0207, CVE-2020-0212, CVE-2020-0214

Already included in previous updates
CVE-2020-3666, CVE-2020-3669, CVE-2019-16746

Not applicable to Samsung devices
CVE-2020-11122, CVE-2020-11120, CVE-2020-0259, CVE-2018-5886


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 15 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR September-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2020-16830: Some functions of Cameralyzer can be exploited

Severity: High
Affected versions: Q(10.0) Galaxy S9 and Note 9 devices
Reported on: February 11, 2020
Disclosure status: Privately disclosed.
A vulnerability in Cameralyzer allows unauthorized applications to write arbitrary files in SD card area.
The patch prevents unauthorized access to Cameralyzer functions.


SVE-2020-17239: Out of bounds Read in Shannon baseband

Severity: Low
Affected Versions: Galaxy S20, S20+ Devices with S.LSI SMP1500T11 chipset
Reported on: April 2, 2020
Disclosure status: Privately disclosed.
An invalid parameter input check vulnerability in Shannon baseband allows heap buffer over-read.
The patch adds the proper input validation to prevent heap buffer over-read.


SVE-2020-18088, SVE-2020-18225, SVE-2020-18301: Memory corruption in Quram library with decoding jpeg

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: June 17, 2020
Disclosure status: Privately disclosed.
A possible arbitrary memory overwrite vulnerability in Quram image codec library allows arbitrary code execution.
The patches add the proper validation of the buffer length.


SVE-2020-18098: Buffer overflow vulnerability in Baseband with abnormal SETUP message

Severity: Critical
Affected versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets
Reported on: June 19, 2020
Disclosure status: Privately disclosed.
A possible buffer overflow vulnerability in baseband allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2020-16979: Potential LTE/5G command exposure by using debugging command

Severity: High
Affected versions: Q(10.0) devices with Exynos and MediaTek chipsets
Reported on: March 6, 2020
Disclosure status: Privately disclosed.
A vulnerability allows execution of LTE/5G commands via the USB connection without user authentication.
The patch allows execution of debugging command only when users enable the option in Developer options.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Gregory DRAPERI of AXA Red Team: SVE-2020-16830
Kira233: SVE-2020-17239
Anonymous: SVE-2020-18088, SVE-2020-18225, SVE-2020-18301
Grant Hernandez of Florida University & Marius Muench of Vrije Universiteit Amsterdam: SVE-2020-18098
Hongil Kim of KAIST: SVE-2020-16979


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – August 2020 package. The Bulletin (August 2020) contains the following CVE items:

Critical
CVE-2020-3699, CVE-2020-3698

High
CVE-2020-0231, CVE-2019-20636, CVE-2019-10580, CVE-2019-18282, CVE-2020-0230, CVE-2019-14130, CVE-2019-14124, CVE-2019-14123, CVE-2020-3700, CVE-2020-0240, CVE-2020-0238, CVE-2020-0257, CVE-2020-0239, CVE-2020-0249, CVE-2020-0258, CVE-2020-0247, CVE-2020-0241, CVE-2020-0242, CVE-2020-0243, CVE-2020-0108, CVE-2020-0256, CVE-2020-0248, CVE-2020-0250

Moderate
CVE-2019-13135, CVE-2019-13136, CVE-2020-0124, CVE-2020-0126, CVE-2020-0129, CVE-2020-0131, CVE-2020-0133, CVE-2020-0136, CVE-2020-0137, CVE-2020-0138, CVE-2020-0150, CVE-2020-0153, CVE-2020-0155, CVE-2020-0164, CVE-2020-0165, CVE-2020-0166, CVE-2020-0168, CVE-2020-0177, CVE-2020-0183, CVE-2020-0186, CVE-2020-0188, CVE-2020-0190, CVE-2020-0194, CVE-2020-0201, CVE-2020-0202, CVE-2020-0203, CVE-2020-0208, CVE-2020-0209, CVE-2020-0210, CVE-2020-0213, CVE-2020-0215, CVE-2020-0216, CVE-2020-0217, CVE-2020-0218, CVE-2020-0219

Already included in previous updates
CVE-2020-3701

Not applicable to Samsung devices
CVE-2019-9501, CVE-2019-9502, CVE-2018-20669, CVE-2020-0228, CVE-2020-3688, CVE-2020-0179


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 39 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR August-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2020-17602, SVE-2020-17603, SVE-2020-17604: Address leak vulnerability in USB driver

Severity: Low
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: May 15, 2020
Disclosure status: Privately disclosed.
A possible information leak vulnerability exists in USB driver.
The patch fixes incorrect implementation of kernel logging.


SVE-2020-16746, SVE-2020-16764: S Secure App Lock vulnerability

Severity: Low
Affected Versions: P(9.0), Q(10.0) devices released in China and India
Reported on: February 3, 2019
Disclosure status: Privately disclosed.
A vulnerability in “S Secure” app, which is only released in China and India, allows users to access the content of “locked” app without password.
The patch addressed the issue.


SVE-2020-17760: File Injection Vulnerability via Quick Share

Severity: Low
Affected versions: Q(10.0) devices using ONEUI 2.1
Reported on: May 25, 2020
Disclosure status: Privately disclosed.
A vulnerability in Lockscreen of Quick Share allows downloading arbitrary files without authentication.
The patch prevents file sharing in Lockscreen.


SVE-2020-17797: Improper access control on StatusBarService

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: May 28, 2020
Disclosure status: Privately disclosed.
A vulnerability in StatusBarService allows unauthorized applications to use some function related with DEX.
The patch prevents unauthorized access to StatusBarService.


SVE-2020-17288: Sensitive data disclosure in CMC service

Severity: High
Affected versions: P(9.0), Q(10.0)
Reported on: April 4, 2020
Disclosure status: Privately disclosed.
A possible sensitive data leak vulnerability exists in CMC service.
The patch fixes vulnerable logic in saving data.


SVE-2020-17758: FRP bypass using AppInfo

Severity: Low
Affected versions: P(9.0), Q(10.0)
Reported on: May 25, 2020
Disclosure status: Privately disclosed.
A vulnerability allows FRP bypass with AppInfo function.
The patch addressed the issue.


SVE-2020-17426: Arbitrary code execution in H-Arx

Severity: High
Affected versions: Q(10.0) devices using exynos9830 chipset
Reported on: April 26, 2020
Disclosure status: Privately disclosed.
Multiple invalid input index validation vulnerabilities in H-Arx allow arbitrary address memory corruption.
The patch adds the proper input validation to prevent memory corruption.


SVE-2020-17435: Arbitrary code execution in RKP

Severity: High
Affected versions: Q(10.0) devices using exynos9830 chipset
Reported on: April 26, 2020
Disclosure status: Privately disclosed.
An invalid input address validation vulnerability in RKP allows arbitrary code execution.
The patch adds the proper input validation to prevent arbitrary code execution.


SVE-2020-17239: Out of bounds Read in Shannon baseband

Severity: Low
Affected versions: Devices with select Exynos modem chipsets
Reported on: April 2, 2020
Disclosure status: Privately disclosed.
An invalid parameter input validation vulnerability in Shannon baseband allows heap buffer over-read.
The patch adds the proper input validation to prevent heap buffer over-read.


SVE-2020-18133: Bypass KnoxContainer admin restrictions

Severity: High
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: June 23, 2020
Disclosure status: Privately disclosed.
A vulnerability in persona service allows bypassing admin restrictions from an unprivileged process in SecureFolder.
The patch adds the proper caller check logic.


SVE-2020-16169: S.LSI NFC chipset bootloader vulnerability

Severity: Moderate
Affected versions: Q(10.0) Galaxy S20 devices
Reported on: June 14, 2020
Disclosure status: Privately disclosed.
A lack of version check logic in HAL allows malfunction in NFC operation.
The patch adds the proper version check logic in HAL to prevent malfunction.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Anonymous: SVE-2020-17602, SVE-2020-17603, SVE-2020-17604
Harsh Tyagi: SVE-2020-16746, SVE-2020-16764
조승현(NetKingJ): SVE-2020-17760
CytQ: SVE-2020-17797
Gerald Palfinger: SVE-2020-17288
Ruslan Demidov: SVE-2020-17758
Aleksandr Tarasikov: SVE-2020-17426, SVE-2020-17435
Kira233: SVE-2020-17239
Yousra Aafer: SVE-2020-18133
Christopher Wade: SVE-2020-16169


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – July 2020 package. The Bulletin (July 2020) contains the following CVE items:

Critical
CVE-2019-14080, CVE-2020-9589, CVE-2020-0224, CVE-2020-0225

High
CVE-2019-14076, CVE-2020-3642, CVE-2017-9704, CVE-2019-14047, CVE-2019-10597, CVE-2020-8428, CVE-2020-8647, CVE-2019-14062, CVE-2020-3635, CVE-2020-3676, CVE-2020-3614, CVE-2020-3665, CVE-2020-0122, CVE-2020-0227, CVE-2020-0226, CVE-2020-0107

Moderate
None

Already included in previous updates
CVE-2019-9460(A-66876469), CVE-2019-9460(A-62535446)

Not applicable to Samsung devices
CVE-2019-14073, CVE-2020-8648, CVE-2020-3628, CVE-2020-3626, CVE-2020-3660, CVE-2020-3661, CVE-2020-3662, CVE-2020-3663, CVE-2020-3658


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 14 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR July-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2020-16830: Some functions of Cameralyzer can be exploited

Severity: High
Affected versions: P(9.0), Q(10.0)
Reported on: February 11, 2020
Disclosure status: Privately disclosed.
A vulnerability in Cameralyzer allows unauthorized applications to write arbitrary files in SD card area.
The patch prevents unauthorized access to Cameralyzer functions.


SVE-2020-17270: Runtime permission grant vulnerability in FactoryCamera

Severity: Moderate
Affected versions: O(8.x)
Reported on: April 06, 2020
Disclosure status: Privately disclosed.
A vulnerability in FactoryCamera application allows runtime permission without user consent.
The patch restricts access of FactoryCamera application only to factory binaries.


SVE-2020-17318: FRP Unlock using KNOX API

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: April 10, 2020
Disclosure status: Privately disclosed.
A vulnerability allows FRP bypass through KNOX API.
The patch addressed the issue.


SVE-2020-17328: FRP bypass through enrolling new lock password

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: April 13, 2020
Disclosure status: Publicly disclosed.
A vulnerability allowing enrollment of new lock password within FRP stage enables FRP bypass.
The patch prevents FRP bypass by blocking new lock password enrollment.


SVE-2020-17605: Virtual address leak vulnerability in shared memory

Severity: Low
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: May 15, 2020
Disclosure status: Privately disclosed.
A possible information leak vulnerability exists in shared memory.
The patch fixes incorrect implementation of kernel logging.


SVE-2020-16870: Vulnerability in Bluetooth Low Energy (BLE) devices

Severity: High
Affected versions: P(9.0), Q(10.0) devices with Exynos 7885 chipset
Reported on: February 17, 2020
Disclosure status: Privately disclosed.
A vulnerability in BLE SoC implementations may result in deadlocks, crashes and buffer overflows.
The patch addressed the vulnerability.


SVE-2020-17665: Path traversal vulnerability in StickerProvider

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: May 19, 2020
Disclosure status: Privately disclosed.
A possible path traversal vulnerability exists in StickerProvider, allowing access to certain system files.
The patch prevents arbitrary access in StickerProvider.


SVE-2020-18056: Device reset when setting 4K image as wallpaper

Severity: Moderate
Affected versions: Q(10.0)
Reported on: May 20, 2020
Disclosure status: Publicly disclosed.
An improper boundary check in ImageProcessHelper allows out of bounds memory access resulting in device reset.
The patch addresses the vulnerability.


SVE-2020-17675: Memory corruption in Quram library with decoding qmg

Severity: Critical
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: May 19, 2020
Disclosure status: Privately disclosed.
Additional possible remote arbitrary memory overwrite vulnerabilities in Quram qmg library allow arbitrary code execution.
The patch adds the proper validation of the length to address additional vulnerabilities.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Gregory DRAPERI: SVE-2020-16830
hard_______: SVE-2020-17270
Mikael Halvardsson: SVE-2020-17318
PASCA MIRCEA: SVE-2020-17328
Anonymous: SVE-2020-17605
Orange Labs security team: SVE-2020-17665
Mateusz Jurczyk of Google Project Zero: SVE-2020-17675


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – June 2020 package. The Bulletin (June 2020) contains the following CVE items:

Critical
CVE-2020-0117, CVE-2020-8597

High
CVE-2019-14054, CVE-2019-14067, CVE-2019-14066, CVE-2019-14087, CVE-2020-3616, CVE-2020-3610, CVE-2019-14053, CVE-2020-3680, CVE-2020-0110, CVE-2020-0091, CVE-2019-19536, CVE-2020-3630, CVE-2020-3645, CVE-2020-3615, CVE-2020-0114, CVE-2020-0115, CVE-2020-0121, CVE-2020-0118, CVE-2020-0113, CVE-2020-0116, CVE-2020-0119, CVE-2020-3635, CVE-2020-3676

Moderate
None

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2020-0065, CVE-2019-14078, CVE-2019-14077, CVE-2020-0090, CVE-2020-0064, CVE-2020-3623, CVE-2020-3625, CVE-2020-3633, CVE-2020-3641, CVE-2020-3618


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 29 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR June-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-15998: Misconfiguration for SEAndroid in RKP

Severity: High
Affected versions: P(9.0), Q (10.0) devices
Reported on: November 8, 2019
Disclosure status: Publicly disclosed.
A vulnerability in RKP allows disabling SEAndroid policy.
The patch protects SEAndroid related variables in the RKP.


SVE-2019-16382: Personal information disclosure in logging

Severity: Low
Affected versions: P(9.0)
Reported on: December 03, 2019
Disclosure status: Privately disclosed.
A possible information leak vulnerability exists in One UI HOME.
The patch fixes incorrect implementation of logging.


SVE-2019-16665: Update Kinibi for preventing arbitrary memory mapping

Severity: Critical
Affected versions: O(8.x), P(9.0) devices with Exynos 7570 chipset
Reported on: July 24, 2019
Disclosure status: Privately disclosed.
A vulnerability in Kinibi allows arbitrary memory mapping.
The patch restricts arbitrary memory mapping in Kinibi.


SVE-2020-17117, SVE-2020-17118, SVE-2020-17119, and SVE-2020-17161: Arbitrary memory disclosure in Widevine Trustlet

Severity: High
Affected versions: Q(10.0) TEEGRIS devices with Exynos
Reported on: March 23, 2020
Disclosure status: Privately disclosed.
Several memory vulnerabilities in Widevine trustlet disclose memory information and it can lead to arbitrary code execution.
The patches add the proper validation of memory access.


SVE-2020-17183: Possible overwriting arbitrary files via symlink vulnerability

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0) devices
Reported on: April 9, 2020
Disclosure status: Privately disclosed.
A vulnerability in system area allows overwriting arbitrary files without permission via symlink.
The patch adds the proper file validation to address the vulnerability.


SVE-2020-17369: adb command with Secure Folder

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0) devices
Reported on: April 17, 2020
Disclosure status: Privately disclosed.
A vulnerability in Secure Folder allows arbitrary installation using a debugging command.
The patch blocks the debugging command to install in Secure Folder.


SVE-2020-16908: Possible brute forcing attack in Gatekeeper Trustlet

Severity: High
Affected versions: O(8.x) devices with TEEGRIS
Reported on: February 23, 2020
Disclosure status: Privately disclosed.
An invalid input check vulnerability in Gatekeeper trustlet allows brute forcing attack to user credential.
The patch adds the proper input validation to prevent brute forcing attack.


SVE-2020-16954: Path traversal vulnerability in HWRResProvider

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: March 3, 2020
Disclosure status: Privately disclosed.
A possible path traversal vulnerability exists in HWRResProvider and it can lead to data exposure.
The patch adds code to check the correct path location in HWRResProvider.


SVE-2020-17145: Inconsistent behavior of Music Share at the QuickPanel

Severity: Low
Affected versions: Q(10.0)
Reported on: March 26, 2020
Disclosure status: Privately disclosed.
A vulnerability in Lockscreen allows access to Music share without authentication.
The patch prevents arbitrary access in Lockscreen.


SVE-2020-17187: Arbitrary access in Lockscreen of DeX

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: March 29, 2020
Disclosure status: Privately disclosed.
A vulnerability in Lockscreen of DeX allows access to quick panel and notifications without authentication.
The patch prevents arbitrary access in Lockscreen of DeX.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

유동훈 of SecuriON: SVE-2019-15998
Andr. Ess: SVE-2019-16382, SVE-2020-17145
Maxime Peterlin, Alexandre Adamski, and Joffrey Guilbon of QuarksLab: SVE-2019-16665
Sergei Volokitin: SVE-2020-17117, SVE-2020-17118, SVE-2020-17119, SVE-2020-17161
Yu-Tsung Lee of Pennsylvania State University: SVE-2020-17183
Xuanwu Lab of Tencent Security: SVE-2020-17369
Martijn Bogaard: SVE-2020-16908
Kai Stimpson: SVE-2020-16954
조승현(NetKingJ): SVE-2020-17187


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – May 2020 package. The Bulletin (May 2020) contains the following CVE items:

Critical
CVE-2019-10609, CVE-2019-14112, CVE-2019-14114, CVE-2019-14111, CVE-2019-14113, CVE-2019-14131, CVE-2019-14110, CVE-2020-0096, CVE-2020-0103

High
CVE-2019-14070, CVE-2019-19807, CVE-2019-10483, CVE-2019-10589, CVE-2019-14104, CVE-2019-14105, CVE-2019-14021, CVE-2019-14122, CVE-2019-14011, CVE-2019-14012, CVE-2019-10551, CVE-2019-14020, CVE-2019-14033, CVE-2019-10610, CVE-2019-14022, CVE-2019-14018, CVE-2019-14019, CVE-2019-19532, CVE-2019-19524, CVE-2019-14132, CVE-2019-14134, CVE-2019-14135, CVE-2020-3651(A-148816543 / A-148816872), CVE-2019-2056, CVE-2020-0097, CVE-2020-0098, CVE-2020-0094, CVE-2020-0093, CVE-2020-0100, CVE-2020-0101, CVE-2020-0102, CVE-2020-0109, CVE-2020-0105, CVE-2020-0024, CVE-2020-0092, CVE-2020-0106

Moderate
CVE-2020-0050, CVE-2020-0085, CVE-2020-0046, CVE-2020-0051, CVE-2020-0048, CVE-2020-0049, CVE-2020-0045, CVE-2020-0055, CVE-2020-0056, CVE-2020-0057, CVE-2020-0058, CVE-2020-0059, CVE-2020-0083, CVE-2020-0060, CVE-2020-0084, CVE-2020-0053, CVE-2020-0054, CVE-2020-0066, CVE-2020-0104

Already included in previous updates
CVE-2019-14001, CVE-2020-0087

Not applicable to Samsung devices
CVE-2019-10588, CVE-2019-10575, CVE-2019-14007, CVE-2019-10608, CVE-2019-14009, CVE-2020-0076, CVE-2019-14075, CVE-2019-14127, CVE-2020-0077, CVE-2020-0075, CVE-2020-0052


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR May-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-16556: Clipboard contents are leaked via USSD

Severity: Low
Affected versions: Selected Q(10.0)
Reported on: December 25, 2019
Disclosure status: Privately disclosed.
A vulnerability allows access to clipboard information via USSD in the locked state.
The patch blocks access to clipboard contents in the dialog on the Lockscreen.


SVE-2020-16712: Arbitrary Code Execution in Secure Bootloader

Severity: Critical
Affected Versions: O(8.X), P(9.0), Q(10.0) devices with Exynos chipsets
Reported on: January 21, 2020
Disclosure status: Privately disclosed.
A possible heap based buffer overflow vulnerability in bootloader allows secure boot bypass.
The patch adds the proper validation to prevent buffer overflow.


SVE-2020-16981, SVE-2020-16991: Heap overflow in Bootloader

Severity: Low
Affected versions: Q(10.0) devices with Exynos980(9630) and Exynos990(9830) chipsets
Reported on: March 6, 2020
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability exists in bootloader when handling specific commands.
The patch adds the proper validation to prevent buffer overflow.


SVE-2020-16594: Unauthorized change of preferred SIM card

Severity: Low
Affected versions: Q(10.0)
Reported on: January 3, 2020
Disclosure status: Privately disclosed.
A vulnerability allows unauthorized change of preferred SIM card in locked state.
The patch blocks changing preferred SIM card while in locked state.


SVE-2020-16747: Memory corruption in Quram library with decoding qmg

Severity: Critical
Affected versions: O(8.X), P(9.0), Q(10.0)
Reported on: January 28, 2020
Disclosure status: Privately disclosed.
A possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution.
The patch adds the proper validation to prevent memory overwrite.


SVE-2020-16906: Buffer Overflow in S.LSI Wi-Fi drivers

Severity: Low
Affected versions: Select P(9.0) devices with Exynos chipsets
Reported on: February 24, 2020
Disclosure status: Publicly disclosed.
A possible relative buffer write vulnerability exists in S.LSI Wi-Fi drivers.
The patch adds the proper validation of the buffer length to prevent buffer overflow.


SVE-2020-17019: FRP Bypass using SPEN

Severity: Low
Affected versions: Select Q(10.0) devices
Reported on: March 11, 2020
Disclosure status: Privately disclosed.
A vulnerability allows FRP bypass with SPEN.
The patch addressed the issue.


SVE-2020-16943: Memory corruption in Quram library with decoding jpeg

Severity: High
Affected versions: O(8.X), P(9.0), Q(10.0) devices
Reported on: February 28, 2020
Disclosure status: Privately disclosed.
A possible memory overwrite vulnerability in Quram imagecodec library allows arbitrary code execution.
The patch adds the proper validation to prevent memory overwrite.


SVE-2020-16908: Possible brute forcing attack in Gatekeeper Trustlet

Severity: High
Affected versions: P(9.0), Q(10.0) devices with TEEGRIS
Reported on: February 23, 2020
Disclosure status: Privately disclosed.
An invalid input check vulnerability in Gatekeeper trustlet allows brute forcing attack to user credential.
The patch adds the proper input validation to prevent brute forcing attack.


SVE-2020-16882 (CVE-2020-6616): Broadcom Bluetooth RNG vulnerability

Severity: High
Affected versions: Galaxy S8, S8+, and Note8 devices with BCM4361 chipset
Reported on: February 1, 2020
Disclosure status: Privately disclosed.
Selected Broadcom Bluetooth chipsets use a PRNG with low entropy, resulting in a possible spoofing attack.
The patch enables the use of HRNG within the Bluetooth chipset.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

movrment of Infiniti Team VinCSS: SVE-2019-16556
Chao Cheng Yu of TeamT5: SVE-2020-16712
Aleksandr Tarasikov: SVE-2020-16981, SVE-2020-16991
Yogesh Anil Tantak: SVE-2020-16594
Mateusz Jurczyk of Google Project Zero: SVE-2020-16747
Steven Salerno: SVE-2020-16906
Brian Karmelk: SVE-2020-17019
Anonymous: SVE-2020-16943
Martijn Bogaard: SVE-2020-16908


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – April 2020 package. The Bulletin (April 2020) contains the following CVE items:

Critical
CVE-2019-2317, CVE-2019-10612, CVE-2019-14071, CVE-2019-14030, CVE-2019-14083, CVE-2019-14086, CVE-2019-14031, CVE-2019-10546, CVE-2019-14097, CVE-2019-14098, CVE-2020-0070, CVE-2020-0071, CVE-2020-0072, CVE-2020-0073

High
CVE-2019-10569, CVE-2019-14068, CVE-2019-14032, CVE-2020-0041, CVE-2020-0010, CVE-2020-0011, CVE-2020-0012, CVE-2019-14072, CVE-2019-14029, CVE-2019-10553, CVE-2019-10549, CVE-2019-10550, CVE-2019-10552, CVE-2019-10554, CVE-2019-10603, CVE-2019-10577, CVE-2019-14000, CVE-2019-15239, CVE-2019-10616, CVE-2018-11970, CVE-2019-14079, CVE-2019-19527, CVE-2019-19537, CVE-2019-2300, CVE-2019-14027, CVE-2019-14028, CVE-2019-14026, CVE-2019-14081, CVE-2019-10526, CVE-2018-11838, CVE-2020-0080, CVE-2020-0074, CVE-2020-0081, CVE-2020-0082, CVE-2019-5018, CVE-2019-8457, CVE-2020-0078, CVE-2020-0079, CVE-2019-2194

Moderate
CVE-2020-0042, CVE-2020-0043, CVE-2020-0044, CVE-2019-9936

Already included in previous updates
CVE-2019-14095, CVE-2020-0069, CVE-2019-2311, CVE-2019-14048

Not applicable to Samsung devices
CVE-2019-10587, CVE-2019-10586, CVE-2019-10593, CVE-2019-10594, CVE-2019-14045, CVE-2019-10604, CVE-2019-14050, CVE-2019-14015, CVE-2019-10591, CVE-2019-14061, CVE-2019-14082, CVE-2019-14085


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 34 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR April-2020 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-16587, SVE-2019-16588, SVE-2019-16589: Arbitrary code execution in Fingerprint Trustlet

Severity: Critical
Affected versions: Q(10.0)
Reported on: December 31, 2019
Disclosure status: Privately disclosed.
Multiple vulnerabilities in Fingerprint trustlet, including a possible arbitrary memory overwrite, an uninitialized buffer and leakage of address information, allow arbitrary code execution.
The patch adds proper input validation and buffer initialization, and corrects the implementation of kernel logging.


SVE-2019-16195: Unauthorized access to applications in Secure Folder

Severity: High
Affected versions: P(9.0), Q(10.0)
Reported on: November 23, 2019
Disclosure status: Privately disclosed.
Certain floating icons allow unauthorized access to applications in Secure Folder.
The patch adds a proper check for applications with a floating icon.


SVE-2019-16558: Clipboard contents are leaked via Google Assistant

Severity: Moderate
Affected versions: Selected P(9.0), Q(10.0) devices
Reported on: December 26, 2019
Disclosure status: Privately disclosed.
A vulnerability allows access to clipboard contents on a locked device via Google Assistant.
The patch removes options for showing editing text from the keyboard while the device is locked.


SVE-2019-16565: Out of bounds read vulnerability in MLDAP Trustlet

Severity: High
Affected versions: P(9.0), Q(10.0) devices with TEEGRIS
Reported on: December 30, 2019
Disclosure status: Privately disclosed.
An invalid input check vulnerability in MLDAP trustlet with TEEGRIS allows out of bounds read.
The patch adds proper boundary check code to prevent out of bounds read.


SVE-2019-16359: Potential sensitive information exposure from NFC logs

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: December 2, 2019
Disclosure status: Publicly disclosed.
A vulnerability in NFC allows exposure of potential sensitive information from dumpstate.
The patch addresses the log of transaction from NFC.


SVE-2019-16463: Preview leak of applications in Secure Folder

Severity: Moderate
Affected versions: Q(10.0)
Reported on: December 8, 2019
Disclosure status: Privately disclosed.
A vulnerability in recent task leaks preview of applications in Secure Folder while in locked state.
The patch addressed the issue in Secure Folder.


SVE-2020-16680: Vulnerability of notification exposure in Lockdown mode

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: January 13, 2020
Disclosure status: Privately disclosed.
A lack of status check logic for Lockdown mode in Edge Lighting application allows notification exposure.
The patch adds code to check the Lockdown status in Edge Lighting application.


SVE-2020-16937(CVE-2019-15126): Kr00k vulnerability

Severity: Moderate
Affected versions: Select O(8.x), P(9.0), Q(10.0) devices with Broadcom Wi-Fi chipsets
Reported on: February 28, 2020
Disclosure status: Publicly disclosed.
The Kr00k vulnerability may allow an attacker to decrypt some WPA2-Personal/Enterprise traffic by forcing an AP/client to start utilizing an all-zero encryption key.
The patch addressed the issue.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Shih-Fong Peng of TeamT5: SVE-2019-16587, SVE-2019-16588, SVE-2019-16589
- Vijay Vignesh Baskaran: SVE-2019-16195
- Andr. Ess: SVE-2019-16558, SVE-2020-16680
- Sergei Volokitin: SVE-2019-16565
- David McGregor: SVE-2019-16359
- Bogdan: SVE-2019-16463


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – March 2020 package. The Bulletin (March 2020) contains the following CVE items:

Critical
CVE-2020-0032

High
CVE-2019-11599, CVE-2019-10567, CVE-2019-10538, CVE-2019-14063, CVE-2019-14055, CVE-2019-14044, CVE-2019-14049, CVE-2020-0030, CVE-2020-0031, CVE-2020-0033, CVE-2020-0034, CVE-2020-0036, CVE-2019-2194, CVE-2020-0035, CVE-2020-0029, CVE-2020-0037, CVE-2020-0038, CVE-2020-0039, CVE-2020-0021

Moderate
CVE-2019-14040, CVE-2019-14041, CVE-2019-14088

Already included in previous updates
CVE-2019-14046

Not applicable to Samsung devices
CVE-2019-14051, CVE-2019-14057, CVE-2019-14060, CVE-2019-10590


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 25 Samsung Vulnerabilities and Exposures (SVE) items described below, to improve our customers’ confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) found in “Security software version”, SMR March-2020 Release 1, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-15880: Heap overflow vulnerability in Kernel driver

Severity: High
Affected Versions: Selected O(8.0), P(9.0), Q(10.0) devices with Broadcom chipsets
Reported on: October 12, 2019
Disclosure status: Privately disclosed.
A possible heap overflow vulnerability in kernel driver allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16590: Lockdown Mode exposes notifications when pin entry limit is exceeded

Severity: Moderate
Affected Versions: P(9.0), Q(10.0)
Reported on: December 31, 2019
Disclosure status: Privately disclosed.
A vulnerability in Lockdown mode allows exposure of notifications when pin entry limit is exceeded.
The patch addressed notification exposure in Lockdown mode.


SVE-2019-16013: Update arbitrary touch screen firmware

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: October 28, 2019
Disclosure status: Privately disclosed.
Improper verification logic in the touch screen firmware update process allows an attacker to load malicious firmware.
The patch adds the proper validation logic in firmware update process.


SVE-2019-16125, SVE-2019-16134, SVE-2019-16158, SVE-2019-16159, SVE-2019-16319, SVE-2019-16320, SVE-2019-16337, SVE-2019-16464, SVE-2019-16465, SVE-2019-16467: Buffer overflow and Out-of-bounds Read/Write in Kernel drivers

Severity: Low
Affected Versions: P(9.0) devices with selected Exynos chipsets
Reported on: November 11, 2019
Disclosure status: Privately disclosed.
Possible buffer overflow and out-of-bounds read/write vulnerabilities exist in kernel drivers related to the Wi-Fi module.
The patch adds the proper validation of the buffer length to prevent buffer overflow and out-of-bounds read/write.


SVE-2019-16532: Arbitrary access in Lockscreen of DeX

Severity: Moderate
Affected Versions: Q(10.0)
Reported on: December 18, 2019
Disclosure status: Privately disclosed.
A vulnerability in Lockscreen of DeX allows access to quick panel and notifications without authentication.
The patch prevents access to quick panel and notifications in Lockscreen of DeX.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Anonymous: SVE-2019-15880
- Zach: SVE-2019-16590
- Nir Duan: SVE-2019-16013
- Steven Salerno: SVE-2019-16125, SVE-2019-16134, SVE-2019-16158, SVE-2019-16159, SVE-2019-16319, SVE-2019-16320, SVE-2019-16337, SVE-2019-16464, SVE-2019-16465, SVE-2019-16467
- inDeX of KITRI BoB: SVE-2019-16532


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – February 2020 package. The Bulletin (February 2020) contains the following CVE items:

Critical
CVE-2020-0022(O8.x,P9.0), CVE-2020-0023

High
CVE-2020-0009, CVE-2019-10581, CVE-2019-14010, CVE-2019-14034, CVE-2019-10602, CVE-2018-20856, CVE-2019-10558, CVE-2019-10582, CVE-2019-10585, CVE-2019-10606, CVE-2019-14023, CVE-2019-10583, CVE-2019-15214, CVE-2018-11843, CVE-2020-0014, CVE-2020-0015, CVE-2019-2200, CVE-2020-0017, CVE-2020-0018, CVE-2020-0020, CVE-2020-0021, CVE-2020-0005, CVE-2020-0024, CVE-2020-0026, CVE-2020-0027, CVE-2020-0028, CVE-2019-2116

Moderate
CVE-2020-0022(Q10.0)

Already included in previous updates
CVE-2019-14008, CVE-2019-14024, CVE-2019-14036

Not applicable to Samsung devices
CVE-2019-17666, CVE-2019-2267, CVE-2019-10548, CVE-2019-14002, CVE-2019-10532, CVE-2019-10578, CVE-2019-10579, CVE-2019-10611, CVE-2019-14003, CVE-2019-14004, CVE-2019-14005, CVE-2019-14006, CVE-2019-14013, CVE-2019-14014, CVE-2019-14016, CVE-2019-14017


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 30 Samsung Vulnerabilities and Exposures (SVE) items described below, to improve our customers’ confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) found in “Security software version”, SMR February-2020 Release 1, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-15074: Notification on lock screen via Routines

Severity: Low
Affected Versions: P(9.0)
Reported on: July 11, 2019
Disclosure status: Privately disclosed.
Notification contents are shown on the lock screen via Routines.
While it is working as intended, the patch adds detailed explanation of how notification works in Routines.


SVE-2019-15816 and SVE-2019-15817: Buffer overflow in CP message decoding

Severity: Critical
Affected Versions: All devices with select Exynos modem chipsets
Reported on: October 2, 2019
Disclosure status: Privately disclosed.
A possible buffer overflow vulnerability in baseband allows arbitrary code execution.
The patch adds proper boundary check to prevent buffer overflow.


SVE-2019-15873: Arbitrary memory read/write vulnerability in Widevine Trustlet

Severity: High
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
A vulnerability caused by missing checks of memory address access in the Widevine trustlet allows arbitrary memory read and write from non-secure memory.
The patch adds proper range check of accessible memory.


SVE-2019-15984: Stack overflow vulnerability in Esecomm Trustlet

Severity: Critical
Affected Versions: Selected P(9.0), Q(10.0) TEEGRIS devices
Reported on: October 23, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in Esecomm trustlet allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16132: Use after free and double free in PROCA

Severity: Moderate
Affected Versions: Selected P(9.0), Q(10.0) devices
Reported on: November 12, 2019
Disclosure status: Privately disclosed.
Use-after-free and double-free vulnerabilities in PROCA allow possible arbitrary code execution.
The patch addresses the vulnerabilities in PROCA.


SVE-2019-16193: FRP Bypass through SIM card

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: November 24, 2019
Disclosure status: Publicly disclosed.
A vulnerability allows FRP bypass with SIM card.
The patch addressed the issue.


SVE-2019-16265: Arbitrary memory write in RKP

Severity: Moderate
Affected Versions: O(8.0), P(9.0) devices with Exynos 8895 chipset
Reported on: November 25, 2019
Disclosure status: Privately disclosed.
A possible arbitrary memory write vulnerability exists in RKP.
The patch removes the vulnerable API in RKP.


SVE-2019-16293: Kernel pointer leak in vipx driver

Severity: Moderate
Affected Versions: P(9.0), Q(10.0) devices with Exynos 9610 chipset
Reported on: November 27, 2019
Disclosure status: Privately disclosed.
A kernel pointer leak vulnerability exists in vipx driver.
The patch restricts triggering of vipx driver.


SVE-2019-16294: Arbitrary kfree() in vipx and vertex driver

Severity: Moderate
Affected Versions: P(9.0), Q(10.0) devices with Exynos 9610 chipset
Reported on: November 27, 2019
Disclosure status: Privately disclosed.
A possible arbitrary kfree() vulnerability exists in vipx and vertex driver.
The patch restricts triggering of vipx and vertex driver.


SVE-2019-16295: Heap OOB write in tsmux driver

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with select S.LSI chipset
Reported on: November 27, 2019
Disclosure status: Privately disclosed.
A possible heap OOB write vulnerability exists in tsmux driver.
The patch adds proper boundary check in tsmux driver.


SVE-2019-16296: Race conditions in hdcp2 driver

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with specified S.LSI chipset
Reported on: November 27, 2019
Disclosure status: Privately disclosed.
A possible race condition vulnerability exists in hdcp2 driver.
The patch fixes incorrect implementation of hdcp2 driver to address race condition vulnerability.


SVE-2019-16333: OOB read vulnerability in media.audio_policy

Severity: Low
Affected Versions: O(8.x), P(9.x), Q(10.0)
Reported on: November 29, 2019
Disclosure status: Privately disclosed.
A possible OOB read vulnerability exists in media.audio_policy.
The patch adds the proper validation of the input value.


SVE-2019-16520: UAF in MTP

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: December 14, 2019
Disclosure status: Privately disclosed.
A vulnerability caused by missing synchronization in MTP handler allows use-after-free via race condition.
The patch adds proper synchronization points to avoid all possibility of a race condition.


SVE-2019-16554: OEM unlocked in KG enrolled device

Severity: High
Affected Versions: Selected P(9.x), Q(10.x) devices
Reported on: July 26, 2019
Disclosure status: Publicly disclosed.
A vulnerability allows turning on OEM unlock feature for KG enrolled devices in certain conditions and it enables unauthorized downloading of customized binaries.
The patch fixes the verification logic for OEM unlock features in KG enrolled devices.


SVE-2019-16614: Weakness in facial recognition

Severity: High
Affected Versions: P(9.0) Galaxy S8 and Note8 devices
Reported on: October 2, 2019
Disclosure status: Privately disclosed.
Weakness in facial recognition in specific devices results in possible false authentication.
The patch enhances facial recognition accuracy with closed eye detection and improved detection logic.


SVE-2019-16665: Update TEE to prevent arbitrary memory mapping

Severity: Critical
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos 9810 chipset
Reported on: July 24, 2019
Disclosure status: Privately disclosed.
A vulnerability in TEE allows arbitrary memory mapping.
The patch restricts arbitrary memory mapping in TEE.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Andr. Ess: SVE-2019-15074
- Anonymous: SVE-2019-15816, SVE-2019-15817
- Federico Menarini: SVE-2019-15873
- Aleksandr Tarasikov: SVE-2019-15984
- Jann Horn of Google Project Zero: SVE-2019-16132
- Pasca Ioan Mircea: SVE-2019-16193
- Aristeidis Thallas of CENSUS S.A.: SVE-2019-16265
- Brandon Azad of Google Project Zero: SVE-2019-16293, SVE-2019-16294, SVE-2019-16296
- Ian Beer of Google Project Zero: SVE-2019-16295
- Jann Horn of Google Project Zero: SVE-2019-16520
- Andrea Possemato, Security Researcher @ IDEMIA: SVE-2019-16333
- Alexandre Adamski, Joffrey Guilbon, and Maxime Peterlin from Quarkslab: SVE-2019-16665


Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2020 package. The Bulletin (January 2020) contains the following CVE items:

Critical
CVE-2019-2242, CVE-2019-10500, CVE-2019-10525, CVE-2019-2204, CVE-2020-0002(O8.x, P9.0)

High
CVE-2019-10513, CVE-2019-10517, CVE-2017-0510, CVE-2017-0648, CVE-2019-10487, CVE-2019-10516, CVE-2019-10607, CVE-2019-15239, CVE-2018-20961, CVE-2018-11980, CVE-2019-10480, CVE-2019-10536, CVE-2019-10537, CVE-2019-10557, CVE-2019-10595, CVE-2019-10598, CVE-2019-10600, CVE-2019-10601, CVE-2019-10605, CVE-2019-2231, CVE-2020-0001(O8.x, P9.0), CVE-2020-0003, CVE-2020-0004, CVE-2020-0006, CVE-2020-0007, CVE-2020-0008, CVE-2019-2218, CVE-2019-2208

Moderate
CVE-2020-0001(Q10.0), CVE-2020-0002(Q10.0)

Already included in previous updates
CVE-2019-2274, CVE-2019-10481, CVE-2019-2304

Not applicable to Samsung devices
CVE-2019-10482, CVE-2019-15220


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 17 Samsung Vulnerabilities and Exposures (SVE) items described below, to improve our customers’ confidence in the security of Samsung Mobile devices. The Samsung security index (SSI) found in “Security software version”, SMR January-2020 Release 1, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2019-14575: Brute force attack on screen lock password

Severity: High
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos7885, Exynos8895, Exynos9810 chipsets
Reported on: May 17, 2019
Disclosure status: Privately disclosed.
A vulnerable design in the Gatekeeper trustlet allows a brute force attack on the screen lock password. In addition, the previous patch caused unexpected side effects that required a fix.
The patch adds exception handling to prevent unexpected close of Gatekeeper trustlet.


SVE-2019-15872: Improper aligned size check leads to buffer overflow in secure bootloader

Severity: Critical
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipset
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
An invalid check of the USB buffer size in Secure Bootloader allows arbitrary code execution.
The patch adds proper size check logic for the USB buffer.


SVE-2019-15876: Stack overflow in the kperfmon driver

Severity: Low
Affected Versions: P(9.0), Q(10.0)
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability exists in kperfmon driver.
The patch adds proper boundary check logic of kernel buffer length.


SVE-2019-15877: Stack overflow in display driver

Severity: Low
Affected Versions: Selected O(8.x), P(9.0), Q(10.0) devices
Reported on: October 11, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in display driver allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16010, SVE-2019-16011, SVE-2019-16012: Leakage of cached data in Gallery

Severity: Moderate
Affected Versions: P(9.0)
Reported on: October 25, 2019
Disclosure status: Privately disclosed.
A vulnerability in Gallery allows leakage of cached contents.
The patch moves the cache file to the application's sandbox.


SVE-2019-16088: Stack overflow in Baseband

Severity: Critical
Affected Versions: O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets
Reported on: November 7, 2019
Disclosure status: Privately disclosed.
A possible stack overflow vulnerability in baseband allows arbitrary code execution.
The patch adds the proper validation of the buffer length.


SVE-2019-16161: Kernel stack address leak

Severity: Moderate
Affected Versions: O(8.x), P(9.0), Q(10.0)
Reported on: November 18, 2019
Disclosure status: Privately disclosed.
A vulnerability exposes kernel stack address to userspace.
The patch restricts the capability of the interface to prevent address exposure.


SVE-2019-16192: FRP Bypass using AppTray

Severity: Moderate
Affected Versions: P(9.0)
Reported on: November 25, 2019
Disclosure status: Publicly disclosed.
A vulnerability allows FRP bypass with AppTray.
The patch addressed the issue.


SVE-2019-15816 and SVE-2019-15817: Buffer overflow in CP message decoding

Severity: Critical
Affected Versions: All devices with select Exynos modem chipsets
Reported on: October 2, 2019
Disclosure status: Privately disclosed.
A possible buffer overflow vulnerability in baseband allows arbitrary code execution.
The patch adds proper boundary check to prevent buffer overflow.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

- Chao Cheng Yu of TeamT5: SVE-2019-14575, SVE-2019-15872
- Jianqiang Zhao: SVE-2019-15876, SVE-2019-15877
- Andr. Ess: SVE-2019-16010, SVE-2019-16011, SVE-2019-16012
- Fluoroacetate working with Zero Day Initiative: SVE-2019-16088 (CVE-2020-8860)
- Dong-Hoon Yoo: SVE-2019-16161
- Pasca Ioan Mircea: SVE-2019-16192
- Anonymous: SVE-2019-15816, SVE-2019-15817