LG si porta avanti col lavoro, rilasciando il bollettino di sicurezza di gennaio 2017

Andrea Centorrino -

L’avvento di Stagefright, nel bene e nel male, ha fatto bene ad Android: Google ha iniziato un rilascio più regolare per le patch di sicurezza, ed i vari produttori – anche se con qualche difficoltà – si sono adeguati. LG non è sempre stata la più brava in quanto a tempismo, ma sembra che la società abbia formulato buoni propositi per il nuovo anno: battendo Google sul tempo, ha infatti rilasciato il bollettino di sicurezza di gennaio 2017.

Degli 81 bug in elenco, solo 8 sono relativi esclusivamente a dispositivi LG: tutti gli altri, di cui trovate la descrizione alla fonte e (in parte) a fine articolo, sono generici e comuni a tutti gli Android. Alcuni sono già noti, e per i più gravi si va dall’esecuzione di codice arbitrario all’ottenimento dei permessi di root, mentre, fra quelli propri dei dispositivi LG, il più critico si presenta su quelli con SoC MediaTek, dove i dati dell’utente potrebbero essere a rischio.

LEGGI ANCHE: Tutte le nostre recensioni dei prodotti LG

Il bollettino fa riferimento a vari dispositivi LG, fra cui G3, G4, G4 Stylus, G5, V10, V20, CK, e G Stylo, ma l’effettivo rilascio della patch di sicurezza varierà da paese a paese, e da operatore ad operatore.

LG Mobile Security Maintenance Release Summary (SMR)

The January Security Bulletin contains the 81 patches for the vulnerabilities from Google and LG. The most severe of these vulnerabilities is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The security patch level is [2017-01-01] and the patches contains the fix for the 73 CVE items and the 8 LVE items. The LG vulnerabilities and exposures (LVE) items are described in detail below.

Security issues Summary

CVE Items from Google patch (Android Bulletin January 2016)
  • critical:
    CVE-2017-0381, CVE-2016-5180, CVE-2016-8411, CVE-2016-4794, CVE-2016-5195, CVE-2015-8966, CVE-2016-9120
  • high:
    CVE-2017-0382, CVE-2017-0383, CVE-2017-0384, CVE-2017-0385, CVE-2017-0386, CVE-2017-0387, CVE-2017-0388, CVE-2016-3911, CVE-2016-6710, CVE-2017-0389, CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393, CVE-2017-0394, CVE-2014-4014, CVE-2015-8967, CVE-2016-6778, CVE-2016-6779, CVE-2016-6780, CVE-2016-6492, CVE-2016-6781, CVE-2016-6782, CVE-2016-6783, CVE-2016-6784, CVE-2016-6785, CVE-2016-6758, CVE-2016-6759, CVE-2016-6760, CVE-2016-6761, CVE-2016-6755, CVE-2016-6786, CVE-2016-6787, CVE-2016-6788, CVE-2016-6791, CVE-2016-8391, CVE-2016-8392, CVE-2015-7872, CVE-2016-8393, CVE-2016-8394, CVE-2014-9909, CVE-2014-9910, CVE-2016-1583, CVE-2016-8396, CVE-2016-5341
  • moderate:
    CVE-2017-0395, CVE-2017-0396, CVE-2017-0397, CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402, CVE-2016-6720, CVE-2016-8399, CVE-2016-6756, CVE-2016-6757, CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8404, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407, CVE-2016-8410
  • low:
    CVE-2016-6690
LG Vulnerabilities and Exposures(LVE) Items from LG
  • critical:
    LVE-SMP-160019
  • high:
    LVE-SMP-160013, LVE-SMP-160014
  • moderate:
    LVE-SMP-160011, LVE-SMP-160015, LVE-SMP-160017, LVE-SMP-160018
  • low:
    LVE-SMP-160012

Security issues Details

You can see the detail information on Google patches from Android Security Bulletin site.There is a description of the security issue, a severity, affected devices information and date reported.

LVE-SMP-160019

  • Severity : Critical
  • Date reported : Nov 17, 2016
  • Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with MTK chipset
  • Description :
    MTKLogger application that logs personal information to storage without user consent can be started by third-party application without user consent.

LVE-SMP-160013

  • Severity : High
  • Date reported : Nov 15, 2016
  • Affected device Informaion : Devices with LG Touchscreen driver
  • Description :
    An elevation of privilege vulnerability in write_file/write_log of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160014

  • Severity : High
  • Date reported : Nov 15, 2016
  • Affected device Informaion : L(5.0.2), M(6.0) device using LG felica driver
  • Description :
    An elevation of privilege vulnerability in the LG felica drivers can be exploited to gain read/write access to kernel memory.

LVE-SMP-160017

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Informaion : Devices with LG Touchscreen driver
  • Description :
    An elevation of privilege vulnerability in touch_synaptics/reg_ctrl of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160018

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with LG fc8080 tdmb driver
  • Description :
    Elevation of privilege vulnerability in LG fc8080 tdmb driver could enable usermode supplies a kernel address as the ioctl argument, this will result in kernel memory corruption and can likely be exploited to achieve privilege elevation.

LVE-SMP-160012

  • Severity : Moderate
  • Date reported : Nov 15, 2016
  • Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices using snapdragon 801, 808, 820
  • Description :
    Directory traversal vulnerability in lghashstorageserver binder service could enable an app to read and write 0x20 bytes from any files in the context of the lghashstorageserver. It will result in system file compromised and can be likely to be exploited to achieve privilege elevation.
Acknowledgements
We would like to thank the following researchers for their contributions.
  • Mark Brand of Google Project Zero : LVE-SMP-160011,LVE-SMP-160012,LVE-SMP-160013,LVE-SMP-160014,LVE-SMP-160015,LVE-SMP-160017,LVE-SMP-160018

Via: Android PoliceFonte: LG