BlackBerry releases July 2017 Android Security Update for BlackBerry Android devices

Rapid John
Posted on July 05, 2017, 9:51 pm

BlackBerry has promised to deliver security patches on a monthly basis for its Android smartphones, and so far it is making good on that promise.

The company has today rolled out the July 2017 Android Security update to BlackBerry Android devices.

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes.

The following vulnerabilities have been remediated in this update:

| Summary | Description | CVE |
| --- | --- | --- |
| Remote Code Execution in Android Runtime | An app using the Java XML parser or the UrlConnection Java class can be sent injected FTP commands to execute on an arbitrary server. | CVE-2017-3544 |
| Elevation of Privilege in Android Framework | An AccessibilityNodeInfo object inside a Bundle can be constructed such that, when a Parcelable is passed to another process, the second process can unparcel it and reparcel it incorrectly. The Parcelable can then be sent to a third process, possibly bypassing permission checks. | CVE-2017-0664 |
| Elevation of Privilege in Android Framework | In libs/gui/Surface.cpp, there is no bound on the index used to call gbuf on mSlots[buf].buffer; this can allow an out-of-bounds heap write in SurfaceFlinger, which can enable a local malicious application to execute arbitrary code in the context of a privileged process. | CVE-2017-0665 |
| Elevation of Privilege in Android Framework | In libs/ui/Fence.cpp, a bad size check in Fence::unflatten can cause an integer underflow, which can lead to an out-of-bounds write that could enable a local malicious application to execute arbitrary code in the context of a privileged process. | CVE-2017-0666 |
| Elevation of Privilege in Android Framework | The attachBuffer() call in the camera server does not check that an index is in range before writing to the mSlots array. | CVE-2017-0667 |
| Information Disclosure in Android Framework | When an app is uninstalled, the download manager does not immediately delete the files owned by that app. If the system is reset before the files are deleted, a newly installed app may gain access to files downloaded by a previously installed app. | CVE-2017-0668 |
| Information Disclosure in Android Framework | On a device with multiple login users, the generic ContentProvider does not check which user owns files at given paths on the SD card. One user can use the ContentProvider to read media or files owned by other users. | CVE-2017-0669 |
| Denial of Service in Android Framework | A memory leak in bionic results in a few hundred bytes leaking for every dlopen/dlclose pair. In a process like mediacodec that repeatedly calls dlopen/dlclose on the codec libraries, this can result in a substantial memory leak, which may eventually lead to a DoS. | CVE-2017-0670 |
| Denial of Service in ASN.1 Parsing | A bad ASN.1 packet could request allocation of large amounts of memory, causing a remote denial of service by resource exhaustion. | CVE-2016-2109 |
| Remote Code Execution in Mediaserver | In libhevc, in the ihevcd_cabac_decode_bypass_bins_egk function, ps_bitstrm can overflow, and several members of ps_bitstrm are passed to BIT_GET, which leads to an out-of-bounds write and possible code execution. | CVE-2017-0540 |
| Remote Code Execution in Mediaserver | There is a heap buffer overflow in decoder/ih264d_parse_pslice.c (of libavc) in the function ih264d_get_mbaff_neighbours that can lead to an out-of-bounds write, because ps_dec->ps_cur_slice->u1_mbaff_frame_flag is updated in ih264d_start_of_pic but the old value is used afterwards. | CVE-2017-0673 |
| Elevation of Privilege in Mediaserver | In the impeg2_mc_fullx_fully_8x8_sse42 function, there is a missing bounds check on a memory write, leading to a possible escalation of privilege in a privileged process. | CVE-2017-0674 |
| Remote Code Execution in Mediaserver | There is a possible out-of-bounds write in libhevc, resulting in possible remote arbitrary code execution in mediaserver. | CVE-2017-0675 |
| Remote Code Execution in Mediaserver | A heap buffer overflow in the ihevcd_parse_pic_init function in libhevc could allow an attacker to write to memory in media.codec. | CVE-2017-0676 |
| Remote Code Execution in Mediaserver | In decoder/ih264d_process_bslice.c (of libavc), because the first picture in list1 could still be invalid, a use-after-free can occur in ih264d_one_to_one, which can lead to remote arbitrary code execution in the context of a privileged process. | CVE-2017-0677 |
| Remote Code Execution in Mediaserver | In the function ih264d_get_implicit_weights, there is an out-of-bounds write into the pu4_wt_mat buffer, which can lead to remote code execution through memory corruption. | CVE-2017-0679 |
| Remote Code Execution in Mediaserver | In decoder/ih264d_mb_utils.c (of libavc), if there is an odd number of macroblocks in MBAFF frames, MbParams is miscalculated, leading to an out-of-bounds write that can lead to remote arbitrary code execution in the context of a privileged process. | CVE-2017-0680 |
| Remote Code Execution in Tremolo | In the Tremolo library (used for Ogg Vorbis), because char types are treated as signed on some platforms (x86) and unsigned on others (ARM), the sign extension for several checks in mapping_info_unpack can result in checks against negative values when they were intended to be positive values. | CVE-2017-0681 |
| Elevation of Privilege in SoftAVC encoder | In the SoftAVC encoder, there is a possible out-of-bounds write if setParameter is called to change the width and height after buffers have been allocated. | CVE-2017-0684 |
| Denial of Service in Mediaserver | In Android M, there is a race condition in impeg2d_process_video_bit_stream and impeg2d_dec_frm where the number of bytes consumed was not being incremented, leading to an endless loop and causing a remote denial of service in mediaserver. | CVE-2017-0685 |
| Denial of Service in Mediaserver | In Android M, there is a null pointer dereference in impeg2_mc_fullx_fully_8x8_sse42, leading to a remote denial of service in mediaserver. | CVE-2017-0686 |
| Denial of Service in Mediaserver | A dead loop resulting from a malformed media file in decoder/ih264d_dpb_mgr.c (of libavc) can result in a remote DoS due to hanging during decoding or an eventual segfault. | CVE-2017-0688 |
| Denial of Service in Mediaserver | In decoder/ihevcd_nal.c (of libhevc), when parsing an invalid PPS/slice in an H.265 file, an infinite loop can occur, which can lead to a remote denial of service. | CVE-2017-0689 |
| Denial of Service in Mediaserver | A null pointer exception can occur if an attacker can allocate too much memory and cause a new object instantiation to fail. | CVE-2017-0690 |
| Denial of Service in Mediaserver | In the sonivox library, a media file with its offset value equal to nodeOffset would trigger infinite recursion in TinyCacheSource::readAt, leading to a remote denial of service in mediaserver. | CVE-2017-0692 |
| Denial of Service in Mediaserver | In decoder/ih264d_api.c (of libavc), an error in the use of the u1_top_bottom_decoded flag causes a null pointer dereference, which can lead to a remote denial of service. | CVE-2017-0693 |
| Denial of Service in Mediaserver | In the sonivox library, a media file that sets the pSize value read by NextChunk to -8 will end up in an infinite loop, resulting in a remote denial of service due to resource exhaustion. | CVE-2017-0694 |
| Denial of Service in Mediaserver | In libhevc, ps_pps_ref is incremented without checking its value, leading to an eventual out-of-bounds read in ihevcd_copy_pps and resulting in a denial of service. | CVE-2017-0695 |
| Denial of Service in Mediaserver | There is an out-of-bounds read in ih264d_deblock_mb_nonmbaff that leads to a denial of service. | CVE-2017-0696 |
| Denial of Service in Mediaserver | In libstagefright/MPEG4Extractor.cpp (of libstagefright), a memory leak can occur if there is an error reading from mDataSource, as pssh.data will not be freed; this can eventually lead to a remote denial of service. | CVE-2017-0697 |
| Information Disclosure in Mediaserver | The media server uses internal heap pointers as supposedly opaque handles and writes them to memory that is shared with the application. An app could use this to break ASLR or otherwise manipulate the media server. | CVE-2017-0698 |
| Information Disclosure in Mediaserver | There is a possible out-of-bounds read in the ih264_intra_pred_luma_4x4_mode_diag_dr_ssse3 function in libavc, leading to possible information disclosure in a privileged process. | CVE-2017-0699 |
| Elevation of Privilege in System UI | Applications are able to declare new account types, which results in the Settings app sending an intent on that application's behalf when creating a new account of that type. These intents carry the Settings app's permissions and can thus reach receivers that are otherwise restricted to system apps only. | CVE-2017-0703 |
| Remote Code Execution in Broadcom Component | The vulnerability exists in the function wlc_bss_parse_wme_ie. The specific flaw is a buffer overflow when parsing the WME IE in the Association Response from an access point, allowing a buffer overflow and code execution. | CVE-2017-9417 |
| Elevation of Privilege in Broadcom Component | The vulnerability is in the function wl_cfgvendor_significant_change_cfg. The specific flaw is that it is missing a boundary check in the handling of GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS. | CVE-2017-0705 |
| Elevation of Privilege in Broadcom Component | There is a missing bounds check leading to a memcpy in the function wl_cfg80211_mgmt_tx, allowing for kernel memory corruption. | CVE-2017-0706 |
| Elevation of Privilege in Kernel Networking Subsystem | The vulnerability is in the dccp_rcv_state_process function. The specific flaw is that the function mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows memory corruption by a local application that makes the IPV6_RECVPKTINFO setsockopt system call. | CVE-2017-6074 |
| Denial of Service in Kernel Networking Subsystem | The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. | CVE-2017-5970 |
| Elevation of Privilege in Kernel SCSI Driver | There is an integer overflow in the sg_start_req function, potentially leading to kernel memory corruption. | CVE-2015-5707 |
| Elevation of Privilege in Kernel TCB | A process with CAP_SYS_RESOURCE bypasses the permission check, allowing arbitrary ptrace access. | CVE-2017-0710 |
| Elevation of Privilege in Kernel Networking Driver | There is an incorrect integer overflow check in the AF_PACKET handling code, causing kernel heap corruption. | CVE-2017-7308 |
| Information Disclosure in Kernel File System | The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target's name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image. | CVE-2014-9731 |
| Elevation of Privilege in Camera Driver | In msm_cci_i2c_read in the camera driver, there is a missing bounds check that allows for an out-of-bounds write in the kernel. | CVE-2017-8253 |
| Elevation of Privilege in GPU Driver | In the code handling the ioctl commands IOCTL_KGSL_GPUOBJ_ALLOC and IOCTL_KGSL_GPUOBJ_FREE, there is a race condition that can lead to a use-after-free and corrupt the kernel heap. | CVE-2017-8262 |
| Elevation of Privilege in Ashmem | There is a missing bounds check in the ashmem ASHMEM_CACHE_FLUSH_RANGE handling, which can cause an elevation of privilege. | CVE-2017-8263 |
| Elevation of Privilege in Ashmem | There is a TOCTOU issue in ashmem_cache_op of the ashmem driver, leading to an out-of-bounds read/write of kernel memory. | CVE-2017-8267 |
| Elevation of Privilege in Bootloader | While processing the fastboot boot command with the verified boot feature disabled, a length greater than the boot image buffer could cause a buffer overflow. | CVE-2017-8273 |
| Elevation of Privilege in USB HID driver | In hiddev_ioctl_usage, if the condition uref->report_id == HID_REPORT_ID_UNKNOWN is true, several checks in the else block are not performed, allowing for a heap buffer overflow. | CVE-2016-5863 |
| Elevation of Privilege in SoC Driver | A missing bounds check in the function pil_mss_reset_load_mba can cause a kernel heap buffer overflow. | CVE-2017-8243 |
| Elevation of Privilege in Sound Driver | The vulnerability is in the memory management of certain audio streams. The specific flaw is that a field was not set to NULL after being freed, resulting in a dangling pointer that could later be used. | CVE-2017-8246 |
| Elevation of Privilege in Wi-Fi Driver | The vulnerability is in the hdd_set_rx_filter function. The specific flaw is that the hdd_driver_rxfilter_command_handler function can pass more multicast addresses than hdd_set_rx_filter can handle, resulting in heap memory corruption. | CVE-2017-8256 |
| Elevation of Privilege in SoC Driver | The domain_list variable is allocated based on a user-controlled size but bounds-checked against another size. Inconsistency between those two sizes leads to kernel heap corruption. | CVE-2017-8259 |
| Elevation of Privilege in Camera Driver | The vulnerability is in the handling of user-provided ispif commands. The specific flaw is that a user-provided enum was passed to a verification function that took a uint_8, allowing for integer truncation and the subsequent use of an illegal value, resulting in memory corruption. | CVE-2017-8260 |
| Elevation of Privilege in Camera Driver | Failure of clock enabling in msm_csiphy_init can cause an out-of-bounds issue in kernel memory. | CVE-2017-8264 |
| Elevation of Privilege in Video Driver | There is a double free issue in venus_hfi.c when multiple instances try to reallocate the vote_data memory. | CVE-2017-8265 |
| Elevation of Privilege in Video Driver | A race condition in /mdss_debug.c can cause a use-after-free of the file->private_data->buf buffer and lead to kernel heap corruption. | CVE-2017-8266 |
| Elevation of Privilege in Camera Driver | The vulnerability is in the function msm_cpp_cfg_frame. The specific flaw is that the new_frame->last_stripe_index and new_frame->first_stripe_index fields are user-provided but used without any verification, resulting in memory corruption. | CVE-2017-8268 |
| Elevation of Privilege in Wi-Fi Driver | Due to insufficient locking, there is a race condition between pktlog_enable and pktlog_setsize that results in a potential use-after-free, leading to memory corruption in the kernel. | CVE-2017-8270 |
| Elevation of Privilege in Video Driver | In the mdss_rotator_ioctl ioctl handler, there is a possible out-of-bounds write when writing to the msmfb_data planes variable on the stack, in mdss_rotator_import_buffer, resulting in kernel stack corruption. | CVE-2017-8271 |
| Elevation of Privilege in Video Driver | There is an out-of-bounds write to the kernel stack in mdss_mdp_wfd_import_data when copying to msmfb_data planes, resulting in kernel stack corruption. | CVE-2017-8272 |
| Information Disclosure in Camera Driver | The vulnerability is in the function msm_isp_set_dual_HW_master_slave_mode. The specific flaw is that dual_hw_ms_cmd->num_src is not validated, allowing for out-of-bounds access to kernel memory. | CVE-2017-8258 |
| Information Disclosure in IPA Driver | In the RMNET_IOCTL_ADD_MUX_CHANNEL ioctl handler, if the vchannel_name string passed in is too long, it ends up not being null-terminated in the driver, which leads to possible information disclosure. | CVE-2017-8269 |

If you own an Android device from BlackBerry and are not seeing the system update notification, you can check manually by heading into Settings -> About phone -> System updates. Look for an Android security patch level of July 1st, 2017 or later.
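The same check can be scripted for several devices at once. This is an added example, not code from the original post or from BlackBerry: it reads the `ro.build.version.security_patch` system property (the value shown as the Android security patch level under About phone) over adb and compares it with the level named above; when adb is not installed it falls back to constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post: report whether each attached
# BlackBerry Android device already carries the July 2017 patch level.
REQUIRED_LEVEL="2017-07-01"   # the level the post tells you to look for

# is_patch_level_at_least LEVEL REQUIRED
# returns 0 if LEVEL >= REQUIRED, 1 if LEVEL is older, 2 if LEVEL is not a
# YYYY-MM-DD date (an unreadable value must never pass as "patched")
is_patch_level_at_least() {
    level="$1"; required="$2"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYY-MM-DD becomes YYYYMMDD, so a numeric comparison orders the dates
    lvl=$(printf '%s' "$level" | sed 's/-//g')
    req=$(printf '%s' "$required" | sed 's/-//g')
    [ "$lvl" -ge "$req" ]
}

# check_device SERIAL LEVEL: prints a one-line verdict; exit status as above
check_device() {
    serial="$1"; level="$2"
    is_patch_level_at_least "$level" "$REQUIRED_LEVEL"
    rc=$?
    case $rc in
        0) echo "$serial: $level - July 2017 fixes present" ;;
        1) echo "$serial: $level - older than $REQUIRED_LEVEL, install the update" ;;
        *) echo "$serial: '$level' - unreadable patch level, check Settings manually" ;;
    esac
    return $rc
}

needs_attention=0
if command -v adb >/dev/null 2>&1; then
    # only devices in the "device" state (skips unauthorized/offline entries)
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        check_device "$serial" "$level" || needs_attention=$((needs_attention + 1))
    done
else
    # constructed sample values standing in for real devices
    check_device "sample-device-1" "2017-07-01" || needs_attention=$((needs_attention + 1))
    check_device "sample-device-2" "2017-06-05" || needs_attention=$((needs_attention + 1))
    check_device "sample-device-3" ""           || needs_attention=$((needs_attention + 1))
fi
echo "$needs_attention device(s) need attention"
```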

Updated software builds may also be available from other retailers or carriers, dependent on their deployment schedules.

Rapid John
Rapid John has a quarter of a century in programming for Government and Corporate bodies and is proficient in most major programming languages.  He is constantly running around showing us his latest bit of code and telling us how fantastic it is. (John we know). He is responsible for carrying out presentations to corporate and business customers and is a BlackBerry Elite.
