Samsung confirm the 2017-11-06 KRACK WPA2 Android security fix is coming in the next few weeks
Samsung have confirmed that the security patch for the fix of the KRACK WPA2 vulnerability will be rolled out in the next few weeks (see below)
I wrote about the issue this morning and reached out to Samsung for their comment which you can see above. It’s good to see Samsung acknowledging the issue and keeping us up to date, it’s a shame it isn’t being released a bit sooner however.
Further details on the Samsung Android Security website make an interesting read as you can also see what other fixes will be included.
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.The following CVE items from November 2017 Android Security Bulletin are included in this Security Update package:
Critical
CVE-2017-11053, CVE-2017-9714, CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836, CVE-2017-0841High
CVE-2017-9075, CVE-2017-11063, CVE-2017-0830, CVE-2017-0831, CVE-2017-0839, CVE-2017-0840, CVE-2017-0842, CVE-2017-0852, CVE-2017-0853(M 6.x), CVE-2017-0854(M 6.x), CVE-2017-0857(M 6.x), CVE-2017-0858(M 6.x), CVE-2017-0859(M 6.x), CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088Moderate
CVE-2017-0824, CVE-2017-0825, CVE-2017-7187, CVE-2017-9686, CVE-2017-11050, CVE-2017-11067, CVE-2017-11056, CVE-2017-11046, CVE-2017-9706, CVE-2017-11048, CVE-2017-9697, CVE-2017-11051, CVE-2017-9715, CVE-2017-9717, CVE-2017-11054, CVE-2017-11055, CVE-2017-0845, CVE-2017-0847, CVE-2017-0848, CVE-2017-0849, CVE-2017-0850, CVE-2017-0851, CVE-2017-0853(N 7.x, O 8.0), CVE-2017-0854(N 7.x, O 8.0), CVE-2016-2105, CVE-2016-2106, CVE-2017-3731, CVE-2017-0860Low
NoneNSI
CVE-2017-0857(N 7.x, O 8.0), CVE-2017-0858(N 7.x, O 8.0), CVE-2017-0859(N 7.x)Already included in previous updates
NoneNot applicable to Samsung devices
CVE-2017-7374, CVE-2017-0827, CVE-2017-9683, CVE-2017-0826, CVE-2017-0828, CVE-2017-0829, CVE-2017-11062, CVE-2017-9687※ Please see Android Security Bulletin for detailed information on Google patches.
Along with Google patches, Samsung Mobile provides 6 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.
SVE-2017-8973, SVE-2017-8974, SVE-2017-8975: TA Scrypto v1.0 Vulnerability
Severity: Low
Affected versions: M(6,x), N(7.0)
Reported on: April 17, 2017
Disclosure status: Privately disclosed.
A race condition may occur in Secure Driver resulting in potential buffer overflow vulnerability.
The patch prevents race condition and buffer overflow by checking boundary of a buffer.SVE-2017-10086: Arbitrary file read/write in locked device via mtp
Severity: High
Affected versions: KK(4.4.x), L(5.x), M(6.x), N(7.x)
Reported on: August 17, 2017
Disclosure status: Privately disclosed.
Device responds from malicious MTP command on the locked state.
The patch prevents the device from responding from a malicious MTP command when it receives MTP command on the locked state.SVE-2017-10465: Bug in MSM8998 chipset’s bootloader that checks integrity of system image (SamFAIL)
Severity: High
Affected versions: N(7.x)
Reported on: October 08, 2017
Disclosure status: Privately disclosed.
A vulnerability in verification logic within the bootloader in Qualcomm MSM8998 chipset allows an attacker to successfully boot the Samsung Galaxy Note8 device with root privilege.
The patch prevents an Attacker from booting Note8 successfully by checking an integrity of system image.Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.
Acknowledgements
We truely appreciate the following researchers for helping Samsung to improve the security of our products.
– Salvatore Mesoraca : SVE-2017-10086
– Daniel Komaromy : SVE-2017-8973, SVE-2017-8974, SVE-2017-8975
I wrote a post that gives a way for people to figure out if their phone is vulnerable. See: https://www.zachpfeffer.com/single-post/2018/01/05/Spectre-and-Meltdown—Is-my-phone-vulnerable.