ESB-2017.2261 - [BlackBerry] BlackBerry: Multiple vulnerabilities 2017-09-07

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2261
     BlackBerry powered by Android Security Bulletin – September 2017
                             7 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Root Compromise          -- Existing Account      
                   Increased Privileges     -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9725 CVE-2017-9724 CVE-2017-9720
                   CVE-2017-9677 CVE-2017-9676 CVE-2017-9150
                   CVE-2017-9076 CVE-2017-8890 CVE-2017-8281
                   CVE-2017-8280 CVE-2017-8277 CVE-2017-8251
                   CVE-2017-8250 CVE-2017-8247 CVE-2017-7616
                   CVE-2017-7495 CVE-2017-7487 CVE-2017-6346
                   CVE-2017-6214 CVE-2017-5897 CVE-2017-0794
                   CVE-2017-0792 CVE-2017-0791 CVE-2017-0790
                   CVE-2017-0789 CVE-2017-0787 CVE-2017-0786
                   CVE-2017-0784 CVE-2017-0779 CVE-2017-0778
                   CVE-2017-0777 CVE-2017-0776 CVE-2017-0775
                   CVE-2017-0774 CVE-2017-0773 CVE-2017-0772
                   CVE-2017-0770 CVE-2017-0768 CVE-2017-0767
                   CVE-2017-0766 CVE-2017-0765 CVE-2017-0764
                   CVE-2017-0763 CVE-2017-0762 CVE-2017-0761
                   CVE-2017-0760 CVE-2017-0759 CVE-2017-0758
                   CVE-2017-0757 CVE-2017-0756 CVE-2017-0755
                   CVE-2017-0752  

Reference:         ASB-2017.0141
                   ASB-2017.0067
                   ESB-2017.2233
                   ESB-2017.2214

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?articleNumber=000045672

- --------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry powered by Android Security Bulletin September 2017

Article Number: 000045672 First Published: September 06, 2017 Last Modified: 
September 06, 2017 Type: Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities
in BlackBerry powered by Android smartphones. We recommend users update to the
latest available software build.

BlackBerry releases security bulletins to notify users of its Android 
smartphones about available security fixes; see BlackBerry.com/bbsirt for a 
complete list of monthly bulletins. This advisory is in response to the 
Android Security Bulletin (September 2017) and addresses issues in that 
bulletin that affect BlackBerry powered by Android smartphones.

Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary / Description / CVE

Elevation of Privilege in WindowManager		

The handling of the TYPE_TOAST window allowed for an attacker to overlay the 
screen, including permissions dialogs.

CVE-2017-0752

Elevation of Privilege in Libminikin

A malformed font could cause memory corruption by providing unsorted cmap 
entries.

CVE-2017-0755

Remote Code Execution in Mediaserver

In SoftAACEncoder2.cpp in SoftAACEncoder2::onQueueFilled, the allocation is of
a previously set size but a memcpy follows that is of an attacker-controlled 
size.

CVE-2017-0756

Remote Code Execution in Mediaserver

In decoder/ih264d_api.c in ih264d_fmt_conv_420sp_to_420sp, there is no bounds
check before the memcpy, which can lead to an OOB write that could result in 
arbitrary remote code execution in a privileged process.

CVE-2017-0757

Remote Code Execution in Mediaserver

In ihevcd_fmt_conv.c in ihevcd_fmt_conv, a memcpy is called in a loop without
checking the size of the destination buffer, which can lead to an OOB write 
that could result in arbitrary remote code execution in a privileged process.

CVE-2017-0758

Remote Code Execution in Mediaserver

In SoftMPEG2.cpp, in SoftMPEG2::deInitDecoder, ps_mem_rec->pv_base is freed; 
but it is later used in impeg2d_api_main.c resulting in a use-after-free, 
which could result in arbitrary remote code execution in a privileged process.

CVE-2017-0759

Remote Code Execution in Mediaserver

A badly initialized decoder can lead to memory corruption, which could result
in arbitrary remote code execution in a privileged process.

CVE-2017-0760

Remote Code Execution in Mediaserver

In decoder/ih264d_process_pslice.c in ih264d_init_ref_idx_lx_b, 
u1_max_lt_index and u1_min_lt_index can be > 255, which can lead to an 
overflow in reference list creation, leading to an OOB write occurs which 
could result in arbitrary remote code execution in a privileged process.

CVE-2017-0761

Remote Code Execution in Mediaserver

In decoder/ihevcd_parse_headers.c in ihevcd_fmt_conv, pu1_y_dst is too small 
due to an invalid crop, which can lead to an OOB write that could result in 
remote arbitrary code execution in a privileged process.

CVE-2017-0762

Remote Code Execution in Mediaserver

In common/arm/ihevc_intra_pred_filters_luma_mode_11_to_17.s, in 
ihevc_intra_pred_luma_mode_11_to_17_a9q, the idx can go OOB, leading to an OOB
write, which could result in remote arbitrary code execution in a privileged 
process.

CVE-2017-0763

Remote Code Execution in Mediaserver

In Tremolo/res012.c in res_inverse alloca is used with a direct multiplication
which could result in an integer overflow. Thus a small stack buffer is 
allocated but an OOB write occurs which can result in an RCE in privileged 
process.

CVE-2017-0764

Remote Code Execution in Mediaserver

In mpeg2dec/SoftMPEG2.cpp in getMinTimestampIdx, a timeStampIdx of -1 ends up
corrupting mFlushOutBuffer, which is then freed and could result in arbitrary
remote code execution in a privileged process.

CVE-2017-0765

Remote Code Execution in Mediaserver

In jpgfile.c in ReadJpegSections, an OOB write occurs into the 
Sections[SectionsRead].Type field which could result in arbitrary remote code
execution in an unprivileged process

CVE-2017-0766

Elevation of Privilege in Mediaserver

In lvm/wrapper/Bundle/EffectBundle.cpp in Equalizer_getParameter, an integer 
overflow can occur if pValueSize == 0, which can later lead to an OOB write 
that could result in arbitrary remote code execution in a privileged process.

CVE-2017-0767

Elevation of Privilege in Mediaserver

In lvm/wrapper/Reverb/EffectReverb.cpp in Reverb_command, there is no check of
the size of pReplyData. Thus if replySize is set to 4, it can return a 4-byte
OOB write, which could result in local arbitrary code execution in a 
privileged process.

CVE-2017-0768

Elevation of Privilege in Mediaserver

In libmediaplayerservice/MediaPlayerService.cpp in several functions, 2 
threads can access the sp pointer without locks.

CVE-2017-0770

Denial of Service in Mediaserver

In decoder/ih264d_parse_slice.c in ih264d_frm_to_fld, pu1_col_zero_flag_start
can be NULL which can lead to a remote denial of service.

CVE-2017-0772

Denial of Service in Mediaserver

In decoder/ihevcd_parse_slice.c in ihevcd_parse_slice_data, PU sizes do not 
account for skipped error clips.

CVE-2017-0773

Denial of Service in Mediaserver

In libstagefright/MPEG4Extractor.cpp, if readAt fails to find the next moof 
box, the chuck_size read will be 0 and the offset will never increase.

CVE-2017-0774

Denial of Service in Mediaserver

In mpeg2ts/ESQueue.cpp in ElementaryStreamQueue::dequeueAccessUnitAAC, 
aac_frame_length can be set to 0 resulting in a infinite loop, which can lead
to a remote denial of service.

CVE-2017-0775

Denial of Service in Mediaserver

In decoder/ih264d_parse_bslice.c (and several other files) in 
ih264d_fill_bs1_16x16mb_bslice, ppv_map_ref_idx_to_poc_l1 is not always 
initialized.

CVE-2017-0776

Denial of Service in Mediaserver

In arm-wt-22k/lib_src/eas_wtsynth.c in WT_Interpolate, pSamples can increment
past the end of the actual buffer leading to an OOB read, which could lead to
a remote denial of service.

CVE-2017-0777

Denial of Service in Mediaserver

In MPEG4Extractor.cpp in MPEG4Extractor::parse3GPPMetaData, in the yrrc box, 
an OOB read can occur, which can lead to a remote denial of service.

CVE-2017-0778

Information Disclosure in Mediaserver

In BufferProviders.cpp in ReformatBufferProvider::copyFrames, there is no 
check of the size of the copy compared to the src buffer.

CVE-2017-0779

Elevation of Privilege in NFC

The BeamShareActivity was not verifying that an application had been granted 
the READ_EXTERNAL_STORAGE permission when processing a File URI intent.

CVE-2017-0784

Elevation of Privilege in Broadcom Wi-Fi Driver

The wl_escan_handler() function of the Broadcom wireless driver has 
insufficient checks for integer overflows. A bad request from the wireless 
firmware could cause insufficient memory allocation, memory overflows, and 
arbitrary code execution.

CVE-2017-0786

Elevation of Privilege in Broadcom Wi-Fi Driver

The dhd_pno_process_epno_result() function of the Broadcom wireless driver 
multiplies an unsigned count value by sizeof(dhd_epno_results_t) to get the 
size of a memory allocation. If the count sent by the wireless firmware is too
large and the multiplication overflows, it will copy elements past the end of
the allocated buffer, leading to memory corruption and potential arbitrary 
code execution.

CVE-2017-0787

Elevation of Privilege in Broadcom Wi-Fi Driver

The dhd_handle_swc_evt() function of the Broadcom wireless driver allocates 
memory before checking for some failure cases. In those failure cases, the 
allocated memory is preserved, but the required size can be changed before 
calling the function again, but the old allocation is used. If the new size is
larger, the allocated buffer might overflow, leading to kernel memory 
corruption and potential arbitrary code execution.

CVE-2017-0789

Elevation of Privilege in Broadcom Wi-Fi Driver

The dhd_process_full_gscan_result() function of the Broadcom wireless driver 
does not check for integer overflow when using the bi_length parameter. An 
overflow in this parameter may lead to kernel memory corruption and potential
arbitrary code execution.

CVE-2017-0790

Elevation of Privilege in Broadcom Wi-Fi Driver

The wl_notify_rx_mgmt_frame() function of the Broadcom wireless driver does 
not check for integer underflow in data lengths of incoming events. A bad 
event from the wireless firmware could cause a very large copy, leading to 
memory corruption in the kernel and arbitrary code execution.

CVE-2017-0791

Information Disclosure in Broadcom Wi-Fi Driver

The dhd_rtt_event_handler() function of the Broadcom wireless driver does not
properly check the tlvs_len parameter of incoming event data. A bad event from
the wireless firmware could cause an out-of-bounds read in mapped kernel 
memory.

CVE-2017-0792

Remote Code Execution in Kernel

The inet_csk_clone_lock() function has a double-free vulnerability that can be
triggered by a remote attacker.

CVE-2017-8890

Elevation of Privilege in Kernel

The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause 
memory corruption that might lead to arbitrary code execution.

CVE-2017-9076

Information Disclosure in Kernel

The do_check function in kernel/bpf/verifier.c in the Linux kernel before 
4.11.1 does not make the allow_ptr_leaks value available for restricting the 
output of the print_bpf_insn function, which allows local users to obtain 
sensitive address information via crafted bpf system calls.

CVE-2017-9150

Elevation of Privilege in Kernel IPX protocol Driver

The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 
4.11.1 mishandles reference counts, which allows local users to cause 
use-after-free errors or other memory corruption.

CVE-2017-7487

Denial of Service in Kernel

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 
4.9.11 allows remote attackers to cause a denial of service (infinite loop and
soft lockup) via vectors involving a TCP packet with the URG flag.

CVE-2017-6214

Elevation of Privilege in Kernel

The fanout_add() function does not have sufficient mutex locking around using
shared packet_rollover objects. Concurrent use could lead to use-after-free 
errors or other kernel memory corruption, enabling arbitrary code execution.

CVE-2017-6346

Information Disclosure in Kernel

The ip6gre_err() function does not properly account for the length of the IPv6
header, and reads kernel memory outside the bounds of incoming data.

CVE-2017-5897

Information Disclosure in Kernel File System

In the ext4 filesystem implementation, a crash can interrupt the journal write
after the data itself is written. An attacker that creates a new file after a
crash may gain access to that data.

CVE-2017-7495

Information Disclosure in Kernel

Incorrect error handling in the set_mempolicy and mbind compat syscalls in 
mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain
sensitive information from uninitialized stack data by triggering failure of a
certain bitmap operation.

CVE-2017-7616

Elevation of Privilege in Kernel SCSI Driver

The sg_ioctl() function does not have sufficient mutex protection around 
global data writes. Concurrent access to this ioctl can cause use-after-free 
errors, double-free errors, and other memory corruption issues in the kernel 
that could lead to arbitrary code execution.

CVE-2017-0794

Elevation of Privilege in Qualcomm Memory subSystem

Passing in too large a value into the ION memory allocator results in the 
integer being truncated, leading to memory corruption.

CVE-2017-9725

Elevation of Privilege in Qualcomm

The ION driver allows the user to specify an address (possibly in kernel 
space) to write a NULL to.

CVE-2017-9724

Elevation of Privilege in Qualcomm Audio Driver

There is a possible out-of-bounds write in 
omx_aac_aenc::fill_this_buffer_proxy.

CVE-2017-9720

Elevation of Privilege in Qualcomm GPU Driver

There is a possible integer overflow in the GPU driver that could lead to an 
out-of-bounds write.

CVE-2017-8250

Elevation of Privilege in Qualcomm Audio Driver

In function msm_compr_ioctl_shared, variable ddp->params_length could be 
accessed and modified by multiple threads, while it is not protected with 
locks, allowing a race condition that could result in an out-of-bounds write.

CVE-2017-9677

Information Disclosure in Qualcomm File System

There is possible information disclosure when reading from debugfs drivers for
msm_bus, due to a race condition and a use-after-free.

CVE-2017-9676

Elevation of Privilege in Qualcomm WLAN Driver

During wlan calibration data store and retrieve operations, there is a race 
condition that could lead to arbitrary code execution.

CVE-2017-8280

Elevation of Privilege in Qualcomm Camera Driver

In the camera driver, the num_streams value passed to 
msm_isp_check_stream_cfg_cmd and msm_isp_stats_update_cgc_override wasn't 
bounds checked, resulting in a possible out-of-bounds write.

CVE-2017-8251

Elevation of Privilege in Qualcomm Camera Driver

The reference count on the camera driver has some operations that aren't 
sufficiently atomic.

CVE-2017-8247

Elevation of Privilege in Qualcomm Camera Driver

In the msm_isp_update_stats_stream function in the camera driver, there is a 
possible out-of-bounds write due to an incorrect bounds check.

CVE-2017-9720

Elevation of Privilege in Qualcomm Video Driver

In the function msm_dba_register_client, if the client registration failed, it
would be freed. However, the client was not removed from the list. 
Use-after-free would occur when traversing the list next time.

CVE-2017-8277

Information Disclosure in Qualcomm Automotive multimedia

A query function in the DCI driver lacked the same locking as the the rest of
the driver, so a query could interrupt the teardown function and read from 
freed memory.

CVE-2017-8281

Available Updates

BlackBerry is making an updated software version available for BlackBerry 
powered by Android smartphones that have been purchased from 
ShopBlackBerry.com. Updated software builds may also be available from other 
retailers or carriers, dependent on their deployment schedules.

To identify an up to date software build, navigate to the Settings>About Phone
menu. Look for the following Android security patch level:

September 5, 2017 or later

If your BlackBerry powered by Android smartphone does not have an up-to-date 
software build available, please contact your retailer or carrier directly for
security maintenance release availability information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbDc84x+lLeg9Ub1AQjHvA//aOTn4OBXu/xJf9EYfbo7zrRDgt+YqyKn
E8n/TuY5ZvyWx7FZVQ5Zkc0VUUtrrNL8i7LqcX1e1Eqc0KHv8pjiSPlgYCzmvVit
+gre38/f2s+lykR4nMxFf2K86xEG50wEsFfEwaxtS+YfGD3z7p4FcBeVswOQ6Zfx
GPYTBd+m5RdWrqKFAdFKEmQSPV1F9yLtuvQXd4/KgGwCifkUSEaaAznfGkilYktL
29A68e6hOPpDN7p3J7J15CwClAMUcZKN4wMjq077LYlNhvkfJRLwZaBG3zVMH70R
tAsiV7JWGltTC+iCQzQESMA1SrJ0H2z0TGSYJfpUu2cPk0rhgF/zLYHj5Ks+/XrP
HlH0WAdheBA43x/+SOvMM9nwKciSacX8zaXgZSoNONa4FTy7/TtfxdPM3dMG70+8
QituKzLix5252e78hXBLeA7rGwEP348BvvaYr6csf5ZSqJELJBSAyRvz7O8gTXnT
92bPXSyajsymC6+n6JeTV1ZkN8KQpvZEGNdQEhmnGwW/7Db5WNIDEokhUAh/1INB
i4u3BBBH6i5nK90btp8yAiEd7M8oijibid3RpV/8pttO2muoRxHPwVa/0hL68Eud
1YdfHfYUiobGzEmzyYE5O0wyRJD1/8uigFZGAdttMok1a44RLNsNQr1lO/lPzu2r
MLdhLbRRx+k=
=s2Hy
-----END PGP SIGNATURE-----

« Back to bulletins