Samsung have confirmed that the security patch for the KRACK WPA2 vulnerability will be rolled out in the next few weeks (see below). I wrote about the issue this morning and reached out to Samsung for their comment, which you can see above. It’s good to see Samsung acknowledging the issue and keeping us up to date; it’s a shame it isn’t being released a bit sooner, however. Further details on the Samsung Android Security website make an interesting read, as you can also see what other fixes will be included.
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This Security Update package includes patches from Google and Samsung.

The following CVE items from November 2017 Android Security Bulletin are included in this Security Update package:

Critical: CVE-2017-11053, CVE-2017-9714, CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836, CVE-2017-0841

High: CVE-2017-9075, CVE-2017-11063, CVE-2017-0830, CVE-2017-0831, CVE-2017-0839, CVE-2017-0840, CVE-2017-0842, CVE-2017-0852, CVE-2017-0853(M 6.x), CVE-2017-0854(M 6.x), CVE-2017-0857(M 6.x), CVE-2017-0858(M 6.x), CVE-2017-0859(M 6.x), CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Moderate: CVE-2017-0824, CVE-2017-0825, CVE-2017-7187, CVE-2017-9686, CVE-2017-11050, CVE-2017-11067, CVE-2017-11056, CVE-2017-11046, CVE-2017-9706, CVE-2017-11048, CVE-2017-9697, CVE-2017-11051, CVE-2017-9715, CVE-2017-9717, CVE-2017-11054, CVE-2017-11055, CVE-2017-0845, CVE-2017-0847, CVE-2017-0848, CVE-2017-0849, CVE-2017-0850, CVE-2017-0851, CVE-2017-0853(N 7.x, O 8.0), CVE-2017-0854(N 7.x, O 8.0), CVE-2016-2105, CVE-2016-2106, CVE-2017-3731, CVE-2017-0860

Low: None

NSI: CVE-2017-0857(N 7.x, O 8.0), CVE-2017-0858(N 7.x, O 8.0), CVE-2017-0859(N 7.x)

Already included in previous updates: None

Not applicable to Samsung devices: CVE-2017-7374, CVE-2017-0827, CVE-2017-9683, CVE-2017-0826, CVE-2017-0828, CVE-2017-0829, CVE-2017-11062, CVE-2017-9687

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 6 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices.
Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.

SVE-2017-8973, SVE-2017-8974, SVE-2017-8975: TA Scrypto v1.0 Vulnerability
Severity: Low
Affected versions: M(6.x), N(7.0)
Reported on: April 17, 2017
Disclosure status: Privately disclosed.
A race condition may occur in Secure Driver resulting in potential buffer overflow vulnerability.
The patch prevents race condition and buffer overflow by checking boundary of a buffer.

SVE-2017-10086: Arbitrary file read/write in locked device via MTP
Severity: High
Affected versions: KK(4.4.x), L(5.x), M(6.x), N(7.x)
Reported on: August 17, 2017
Disclosure status: Privately disclosed.
Device responds from malicious MTP command on the locked state.
The patch prevents the device from responding from a malicious MTP command when it receives MTP command on the locked state.

SVE-2017-10465: Bug in MSM8998 chipset’s bootloader that checks integrity of system image (SamFAIL)
Severity: High
Affected versions: N(7.x)
Reported on: October 08, 2017
Disclosure status: Privately disclosed.
A vulnerability in verification logic within the bootloader in Qualcomm MSM8998 chipset allows an attacker to successfully boot the Samsung Galaxy Note8 device with root privilege.
The patch prevents an attacker from booting Note8 successfully by checking an integrity of system image.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

We truly appreciate the following researchers for helping Samsung to improve the security of our products.

– Salvatore Mesoraca: SVE-2017-10086
– Daniel Komaromy: SVE-2017-8973, SVE-2017-8974, SVE-2017-8975