Samsung confirm the 2017-11-06 KRACK WPA2 Android security fix is coming in the next few weeks

Samsung have confirmed that the security patch for the fix of the KRACK WPA2 vulnerability will be rolled out in the next few weeks (see below)

KRACK WPA2 Samsung Reply

 

I wrote about the issue this morning and reached out to Samsung for their comment which you can see above. It’s good to see Samsung acknowledging the issue and keeping us up to date, it’s a shame it isn’t being released a bit sooner however.

Further details on the Samsung Android Security website make an interesting read as you can also see what other fixes will be included.

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.

The following CVE items from November 2017 Android Security Bulletin are included in this Security Update package:

Critical
CVE-2017-11053, CVE-2017-9714, CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836, CVE-2017-0841

High
CVE-2017-9075, CVE-2017-11063, CVE-2017-0830, CVE-2017-0831, CVE-2017-0839, CVE-2017-0840, CVE-2017-0842, CVE-2017-0852, CVE-2017-0853(M 6.x), CVE-2017-0854(M 6.x), CVE-2017-0857(M 6.x), CVE-2017-0858(M 6.x), CVE-2017-0859(M 6.x), CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Moderate
CVE-2017-0824, CVE-2017-0825, CVE-2017-7187, CVE-2017-9686, CVE-2017-11050, CVE-2017-11067, CVE-2017-11056, CVE-2017-11046, CVE-2017-9706, CVE-2017-11048, CVE-2017-9697, CVE-2017-11051, CVE-2017-9715, CVE-2017-9717, CVE-2017-11054, CVE-2017-11055, CVE-2017-0845, CVE-2017-0847, CVE-2017-0848, CVE-2017-0849, CVE-2017-0850, CVE-2017-0851, CVE-2017-0853(N 7.x, O 8.0), CVE-2017-0854(N 7.x, O 8.0), CVE-2016-2105, CVE-2016-2106, CVE-2017-3731, CVE-2017-0860

Low
None

NSI
CVE-2017-0857(N 7.x, O 8.0), CVE-2017-0858(N 7.x, O 8.0), CVE-2017-0859(N 7.x)

Already included in previous updates
None

Not applicable to Samsung devices
CVE-2017-7374, CVE-2017-0827, CVE-2017-9683, CVE-2017-0826, CVE-2017-0828, CVE-2017-0829, CVE-2017-11062, CVE-2017-9687

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 6 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.

SVE-2017-8973, SVE-2017-8974, SVE-2017-8975: TA Scrypto v1.0 Vulnerability

Severity: Low
Affected versions: M(6,x), N(7.0)
Reported on: April 17, 2017
Disclosure status: Privately disclosed.
A race condition may occur in Secure Driver resulting in potential buffer overflow vulnerability.
The patch prevents race condition and buffer overflow by checking boundary of a buffer.

SVE-2017-10086: Arbitrary file read/write in locked device via mtp

Severity: High
Affected versions: KK(4.4.x), L(5.x), M(6.x), N(7.x)
Reported on: August 17, 2017
Disclosure status: Privately disclosed.
Device responds from malicious MTP command on the locked state.
The patch prevents the device from responding from a malicious MTP command when it receives MTP command on the locked state.

SVE-2017-10465: Bug in MSM8998 chipset’s bootloader that checks integrity of system image (SamFAIL)

Severity: High
Affected versions: N(7.x)
Reported on: October 08, 2017
Disclosure status: Privately disclosed.
A vulnerability in verification logic within the bootloader in Qualcomm MSM8998 chipset allows an attacker to successfully boot the Samsung Galaxy Note8 device with root privilege.
The patch prevents an Attacker from booting Note8 successfully by checking an integrity of system image.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truely appreciate the following researchers for helping Samsung to improve the security of our products.

– Salvatore Mesoraca : SVE-2017-10086
– Daniel Komaromy : SVE-2017-8973, SVE-2017-8974, SVE-2017-8975