Android

LG si porta avanti col lavoro, rilasciando il bollettino di sicurezza di gennaio 2017

Andrea Centorrino del 31 dicembre 2016, 11:09, modifica il 10 ottobre 2017, 19:26

L'avvento di Stagefright, nel bene e nel male, ha fatto bene ad Android: Google ha iniziato un rilascio più regolare per le patch di sicurezza, ed i vari produttori – anche se con qualche difficoltà – si sono adeguati. LG non è sempre stata la più brava in quanto a tempismo, ma sembra che la società abbia formulato buoni propositi per il nuovo anno: battendo Google sul tempo, ha infatti rilasciato il bollettino di sicurezza di gennaio 2017.

Degli 81 bug in elenco, solo 8 sono relativi esclusivamente a dispositivi LG: tutti gli altri, di cui trovate la descrizione alla fonte e (in parte) a fine articolo, sono generici e comuni a tutti gli Android. Alcuni sono già noti, e per i più gravi si va dall'esecuzione di codice arbitrario all'ottenimento dei permessi di root, mentre, fra quelli propri dei dispositivi LG, il più critico si presenta su quelli con SoC MediaTek, dove i dati dell'utente potrebbero essere a rischio.

Il bollettino fa riferimento a vari dispositivi LG, fra cui G3, G4, G4 Stylus, G5, V10, V20, CK, e G Stylo, ma l'effettivo rilascio della patch di sicurezza varierà da paese a paese, e da operatore ad operatore.

Bollettino sicurezza gennaio 2017

LG Mobile Security Maintenance Release Summary (SMR)

The January Security Bulletin contains the 81 patches for the vulnerabilities from Google and LG. The most severe of these vulnerabilities is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The security patch level is [2017-01-01] and the patches contains the fix for the 73 CVE items and the 8 LVE items. The LG vulnerabilities and exposures (LVE) items are described in detail below.

Security issues Summary

CVE Items from Google patch (Android Bulletin January 2016)

critical:
CVE-2017-0381, CVE-2016-5180, CVE-2016-8411, CVE-2016-4794, CVE-2016-5195, CVE-2015-8966, CVE-2016-9120
high:
CVE-2017-0382, CVE-2017-0383, CVE-2017-0384, CVE-2017-0385, CVE-2017-0386, CVE-2017-0387, CVE-2017-0388, CVE-2016-3911, CVE-2016-6710, CVE-2017-0389, CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393, CVE-2017-0394, CVE-2014-4014, CVE-2015-8967, CVE-2016-6778, CVE-2016-6779, CVE-2016-6780, CVE-2016-6492, CVE-2016-6781, CVE-2016-6782, CVE-2016-6783, CVE-2016-6784, CVE-2016-6785, CVE-2016-6758, CVE-2016-6759, CVE-2016-6760, CVE-2016-6761, CVE-2016-6755, CVE-2016-6786, CVE-2016-6787, CVE-2016-6788, CVE-2016-6791, CVE-2016-8391, CVE-2016-8392, CVE-2015-7872, CVE-2016-8393, CVE-2016-8394, CVE-2014-9909, CVE-2014-9910, CVE-2016-1583, CVE-2016-8396, CVE-2016-5341
moderate:
CVE-2017-0395, CVE-2017-0396, CVE-2017-0397, CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402, CVE-2016-6720, CVE-2016-8399, CVE-2016-6756, CVE-2016-6757, CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8404, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407, CVE-2016-8410
low:
CVE-2016-6690

LG Vulnerabilities and Exposures(LVE) Items from LG

critical:
LVE-SMP-160019
high:
LVE-SMP-160013, LVE-SMP-160014
moderate:
LVE-SMP-160011, LVE-SMP-160015, LVE-SMP-160017, LVE-SMP-160018
low:
LVE-SMP-160012

Security issues Details

You can see the detail information on Google patches from Android Security Bulletin site.There is a description of the security issue, a severity, affected devices information and date reported.

LVE-SMP-160019

Severity : Critical
Date reported : Nov 17, 2016
Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with MTK chipset
Description :
MTKLogger application that logs personal information to storage without user consent can be started by third-party application without user consent.

LVE-SMP-160013

Severity : High
Date reported : Nov 15, 2016
Affected device Informaion : Devices with LG Touchscreen driver
Description :
An elevation of privilege vulnerability in write_file/write_log of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160014

Severity : High
Date reported : Nov 15, 2016
Affected device Informaion : L(5.0.2), M(6.0) device using LG felica driver
Description :
An elevation of privilege vulnerability in the LG felica drivers can be exploited to gain read/write access to kernel memory.

LVE-SMP-160017

Severity : Moderate
Date reported : Nov 15, 2016
Affected device Informaion : Devices with LG Touchscreen driver
Description :
An elevation of privilege vulnerability in touch_synaptics/reg_ctrl of LG touch driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

LVE-SMP-160018

Severity : Moderate
Date reported : Nov 15, 2016
Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices with LG fc8080 tdmb driver
Description :
Elevation of privilege vulnerability in LG fc8080 tdmb driver could enable usermode supplies a kernel address as the ioctl argument, this will result in kernel memory corruption and can likely be exploited to achieve privilege elevation.

LVE-SMP-160012

Severity : Moderate
Date reported : Nov 15, 2016
Affected device Informaion : L(5.0/5.1), M(6.0/6.0.1), N(7.0) devices using snapdragon 801, 808, 820
Description :
Directory traversal vulnerability in lghashstorageserver binder service could enable an app to read and write 0x20 bytes from any files in the context of the lghashstorageserver. It will result in system file compromised and can be likely to be exploited to achieve privilege elevation.

Acknowledgements
We would like to thank the following researchers for their contributions.