ESB-2017.2855 - [BlackBerry] BlackBerry: Multiple vulnerabilities 2017-11-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2855
      BlackBerry powered by Android Security Bulletin - November 2017
                              9 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11093 CVE-2017-11092 CVE-2017-11091
                   CVE-2017-11090 CVE-2017-11089 CVE-2017-11085
                   CVE-2017-11073 CVE-2017-11058 CVE-2017-11038
                   CVE-2017-11035 CVE-2017-11032 CVE-2017-11029
                   CVE-2017-11028 CVE-2017-11027 CVE-2017-11026
                   CVE-2017-11025 CVE-2017-11024 CVE-2017-11023
                   CVE-2017-11022 CVE-2017-11017 CVE-2017-11015
                   CVE-2017-11013 CVE-2017-9721 CVE-2017-9719
                   CVE-2017-9702 CVE-2017-9701 CVE-2017-9696
                   CVE-2017-9690 CVE-2017-8279 CVE-2017-6001
                   CVE-2017-1160 CVE-2017-0862 CVE-2017-0861
                   CVE-2017-0860 CVE-2017-0858 CVE-2017-0857
                   CVE-2017-0854 CVE-2017-0853 CVE-2017-0851
                   CVE-2017-0850 CVE-2017-0849 CVE-2017-0848
                   CVE-2017-0845 CVE-2017-0842 CVE-2017-0841
                   CVE-2017-0840 CVE-2017-0839 CVE-2017-0838
                   CVE-2017-0836 CVE-2017-0835 CVE-2017-0834
                   CVE-2017-0833 CVE-2017-0832 CVE-2017-0830
                   CVE-2017-0427  

Reference:         ASB-2017.0190
                   ESB-2017.2233
                   ESB-2017.1208
                   ESB-2017.0405

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?articleNumber=000046592

- --------------------------BEGIN INCLUDED TEXT--------------------

BlackBerry powered by Android Security Bulletin - November 2017

Article Number:  000046592
First Published: November 08, 2017
Last Modified:   November 08, 2017
Type:            Security Bulletin

Purpose of this Bulletin

BlackBerry has released a security update to address multiple vulnerabilities
in BlackBerry powered by Android smartphones. We recommend users update to the
latest available software build.

BlackBerry releases security bulletins to notify users of its Android
smartphones about available security fixes; see BlackBerry.com/bbsirt for a
complete list of monthly bulletins. This advisory is in response to the Android
Security Bulletin (November 2017) and addresses issues in that bulletin that
affect BlackBerry powered by Android smartphones.


Vulnerabilities Fixed in this Update

The following vulnerabilities have been remediated in this update:

Summary                                                      CVE
Elevation of Privilege in Device Check-in                    CVE-2017-0830

Remote Code Execution in Media Framework                     CVE-2017-0832

Remote Code Execution in Media Framework                     CVE-2017-0833

Remote Code Execution in Media Framework                     CVE-2017-0834

Remote Code Execution in Media Framework                     CVE-2017-0835

Remote Code Execution in Media Framework                     CVE-2017-0836

Elevation of Privilege in Media Framework                    CVE-2017-0838

Information Disclosure in Media Framework                    CVE-2017-0839

Information Disclosure in Media Framework                    CVE-2017-0840

Remote Code Execution in Libutils                            CVE-2017-0841

Elevation of Privilege in Bluetooth                          CVE-2017-0842

Remote Code Execution in Qualcomm WLAN                       CVE-2017-11013

Remote Code Execution in Qualcomm WLAN                       CVE-2017-11015

Elevation of Privilege in Qualcomm GPU Driver                CVE-2017-11092

Elevation of Privilege in Qualcomm QBT1000 Driver            CVE-2017-9690

Elevation of Privilege in Qualcomm Linux Boot                CVE-2017-11017

Information Disclosure in Qualcomm Camera                    CVE-2017-11028

Elevation of Privilege in Update: General kernel             CVE-2017-0427

Denial of Service in SyncStorageEngine                       CVE-2017-0845

Information Disclosure in Media Framework                    CVE-2017-0848

Information Disclosure in Media Framework                    CVE-2017-0849

Information Disclosure in Media Framework                    CVE-2017-0850

Information Disclosure in Media Framework                    CVE-2017-0851

Denial of Service in Media Framework                         CVE-2017-0853

Denial of Service in Media Framework                         CVE-2017-0854

Denial of Service in Media Framework                         CVE-2017-0857

Denial of Service in Media Framework                         CVE-2017-0858

Elevation of Privilege in InputDispatcher                    CVE-2017-0860

Elevation of Privilege in Core Kernel                        CVE-2017-6001

Elevation of Privilege in Kernel Audio Driver                CVE-2017-0861

Elevation of Privilege in Kernel                             CVE-2017-0862

Elevation of Privilege in Kernel Networking Subsystem        CVE-2017-1160

Elevation of Privilege in Qualcomm Networking Subsystem      CVE-2017-11073

Elevation of Privilege in Qualcomm WLAN                      CVE-2017-11035

Elevation of Privilege in Qualcomm Audio                     CVE-2017-11085

Elevation of Privilege in Qualcomm Video Driver              CVE-2017-11091

Elevation of Privilege in Qualcomm Linux Boot                CVE-2017-11026

Elevation of Privilege in Qualcomm Memory Subsystem          CVE-2017-11038

Elevation of Privilege in Qualcomm Linux Kernel              CVE-2017-11032

Elevation of Privilege in Qualcomm Display                   CVE-2017-9719

Elevation of Privilege in Qualcomm Wired connectivity        CVE-2017-11024

Elevation of Privilege in Qualcomm ASDL                      CVE-2017-11025

Elevation of Privilege in Qualcomm Services                  CVE-2017-11023

Elevation of Privilege in Qualcomm Camera                    CVE-2017-11029

Elevation of Privilege in Qualcomm Display                   CVE-2017-9721

Elevation of Privilege in Qualcomm Camera                    CVE-2017-9702

Information Disclosure in Qualcomm WLAN                      CVE-2017-11089

Information Disclosure in Qualcomm WLAN                      CVE-2017-11090

Information Disclosure in Qualcomm HDMI                      CVE-2017-11093

Information Disclosure in Qualcomm Services                  CVE-2017-8279

Information Disclosure in Qualcomm Kernel                    CVE-2017-9696

Information Disclosure in Qualcomm WLAN                      CVE-2017-11058

Information Disclosure in Qualcomm WLAN                      CVE-2017-11022

Information Disclosure in Qualcomm Linux Boot                CVE-2017-9701

Information Disclosure in Qualcomm Linux Boot                CVE-2017-11027

Available Updates

BlackBerry is making an updated software version available for BlackBerry
powered by Android smartphones that have been purchased from
ShopBlackBerry.com. Updated software builds may also be available from other
retailers or carriers, dependent on their deployment schedules.

To identify an up-to-date software build, navigate to the Settings>About Phone
menu. Look for the following Android security patch level:

  o November 6, 2017 or later

If your BlackBerry powered by Android smartphone does not have an up-to-date
software build available, please contact your retailer or carrier directly for
security maintenance release availability information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----