08-16-16 07:26 AM
61 123
tools
  1. gizmo21's Avatar
    Update as of August 15th: With the hotfix AAG111 (PRIV) and AAG124 (DEK50) the quadrooter vulnerablity is fixed - at least for those that are getting those updates:
    * http://blogs.blackberry.com/2016/08/...lnerabilities/

    * http://support.blackberry.com/kb/art...mber=000038385


    A third party application (reads https://play.google.com/store/apps/d...int.quadrooter ) reports a software version as vulnerable when the advisory document lists it as not affected. Why is this?


    BlackBerry is not responsible for third party applications but is aware that some applications check component versions rather than attempting to reproduce a vulnerability. Since this approach does not account for differences in specific implementations, it is possible for these tests to give a false positive response. BlackBerry has extensively tested these patches and can confirm that the fix versions that are listed in this advisory are unaffected by the QuadRooter issues, including ASHmenian Devil.


    ---


    Check Point just released an article to the media naming 4 Qualcomm vulnerabilities "quadrooter" where 900 million devices are affected also explicitly naming BlackBerry PRIV as first device.

    The four security flaws are CVE-2016-2503 ★ (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 ★ (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 ★ (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 ★ (Qualcomm GPU driver, fixed, patch status unknown).

    The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting) but the other two only one seem not fixed atm (as for the security bulletins of BlackBerry). But unclear if Priv is really affected by those two.

    QuadRooter: New Android Vulnerabilities in Over 900 Million Devices | Check Point Blog

    QuadRooter Android Security Bugs Affect over 900 Million Devices

    Now BlackBerry could release some statement to use the media coverage and at least get those Aug patches out to all users:
    http://forums.crackberry.com/blackbe...pdate-1081877/
    Last edited by gizmo21; 08-16-16 at 07:06 AM.
    08-08-16 01:04 AM
  2. plutschnik's Avatar
    So NOW is the chance to finally root my Priv?
    Supa_Fly1, MBrettH and Gajja like this.
    08-08-16 01:30 AM
  3. gizmo21's Avatar
    Just check XDA, for news on that front
    08-08-16 01:58 AM
  4. paulwallace1234's Avatar
    The integrity checks would probably stop it from booting ^

    Posted via CB10
    08-08-16 02:58 AM
  5. kariekas's Avatar
    does the wink imply there is such possibility? for I only find one thread about bypassing frp, yet it doesn't work anymore
    08-08-16 04:47 AM
  6. ChillieBrick's Avatar
    Check Point just released an article to the media naming 4 Qualcomm vulnerabilities ...

    The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting)
    I found 2 on my Priv, just purchased mid July. Do I contact BlackBerry to get an update?

    Thanks for posting.
    08-08-16 05:13 AM
  7. gizmo21's Avatar
    does the wink imply there is such possibility? for I only find one thread about bypassing frp, yet it doesn't work anymore
    No just wanted to channel "wanted rooting" discussions to XDA to where it belongs.
    Supa_Fly1 likes this.
    08-08-16 05:38 AM
  8. Acchaladka's Avatar
    The integrity checks would probably stop it from booting ^

    Posted via CB10
    Thanks for this - makes intuitive sense but a statement from BlackBerry will be appreciated.

    I found one vulnerability using the 'Quadrooter Scanner' app in the Playstore, and my Priv has all updates installed including August 5th.

    I assume the recommendation is to sit tight and wait a few hours or days for an update / security patch to come out?
    08-08-16 05:54 AM
  9. gizmo21's Avatar
    I found 2 on my Priv, just purchased mid July. Do I contact BlackBerry to get an update?

    Thanks for posting.
    Did you check with https://play.google.com/store/apps/d...int.quadrooter ??


    Beware, this testing app by the guys that discovered the vulnerabilities wishes permission e.g. for contacts.
    08-08-16 05:54 AM
  10. LyoobaBerry's Avatar
    On my Priv it didn't ask for any permission, but did find two non addressed vulnerabilities. I see one has been fixed in August patch, but I'm still on July one

    Posted via the CrackBerry App for Android
    Supa_Fly1 likes this.
    08-08-16 05:57 AM
  11. AnimalPak200's Avatar
    The integrity checks would probably stop it from booting ^

    Posted via CB10
    That would be interesting to see.

    Posted via CB10
    08-08-16 06:44 AM
  12. ChrisAmbrose's Avatar
    Issue remains in 5th August Patch https://www.codeaurora.org/invalid-p...-cve-2016-5340

    Posted via the CrackBerry App for Android 6.0.1
    Attached Thumbnails Quadrooter vulnerability article names PRIV as vulnerable-96395.jpg  
    08-08-16 06:56 AM
  13. ToniCipriani's Avatar
    'Quadrooter' flaws affect over 900 million Android phones | ZDNet

    Nexus is affected, says should be part of Septemer. It's up to BlackBerry to decide if this is a critical vulnerability such that they need a push to update earlier, "Qualcomm provided the patch to partners" already.

    At least we're only one out of the four not patched. Run it on a Verizon unit and I bet all 4 are a hit.
    08-08-16 07:09 AM
  14. gizmo21's Avatar
    The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws.

    Ouch, this CVE 2016-5340 was committed on 2016-07-13 09:20:15 (GMT). Too late for initial DTEK50 launch but now we'll see if take out of band patching seriously or the whole "most secure android" will be a good PR for BB bashers.
    FF22 and MBrettH like this.
    08-08-16 07:47 AM
  15. ToniCipriani's Avatar
    The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws.

    Ouch, this CVE 2016-5340 was committed on 2016-07-13 09:20:15 (GMT). Too late for initial DTEK50 launch but now we'll see if take out of band patching seriously or the whole "most secure android" will be a good PR for BB bashers.
    I'm pretty sure the firmware need to be sent to TCL well before that. Not like they just started production last week for a launch this week, so there's no way they could have included that patch. Best they can do is an August update the moment it's out of the box and connects to the Internet.
    08-08-16 08:17 AM
  16. anon(9607753)'s Avatar
    This is where the added value in purchasing a BlackBerry Android phone shines through. And guess what? BlackBerry can still sit back and say yeah we have done our best to secure Android. It is what it is. But we still have BB10. Buy a Passport. LOL.

    Posted via BlackBerry Priv STV100-1
    mh1983, ioan_calin and ZayDub like this.
    08-08-16 08:20 AM
  17. Bla1ze's Avatar
    08-08-16 11:12 AM
  18. gizmo21's Avatar
    Got that as PM:

    BlackBerry is aware of the issue described in CVE-2016-5340 known as ASHmenian Devil. A fix was integrated and tested in our labs shortly after the report was received and will be made available to customers as soon as possible.

    While the vulnerability affects the majority of Android devices including BlackBerry Android Smartphones, we believe that BlackBerrys secure boot chain design mitigates the issue since any elevation of privilege to root level will be temporary and any exploit for this issue would be unable to gain a persistent root. BlackBerry is not aware of any exploits for this vulnerability in the wild and does not believe that any customers are currently at risk from this issue


    At least you need a good name for vulnerabilities these days. Thanks BB Team for letting us know.
    08-08-16 02:26 PM
  19. Mecca EL's Avatar
    What's funny to me is, after everyone reads these reported vulnerabilities that "could" - not HAVE - allow an attacker access, as long as the "attacker" has PHYSICAL access to the device in question, the Chicken Little's do thee EXACT thing that they are told NOT to do... they install a Quadrooter Vulnerability app from an unknown source

    I swear.

    The only hack people ever need to fear is the hack that has the ability to penetrate their fears.
    08-08-16 02:44 PM
  20. ToniCipriani's Avatar
    Got that as PM:

    BlackBerry is aware of the issue described in CVE-2016-5340 known as ‘ASHmenian Devil’. A fix was integrated and tested in our labs shortly after the report was received and will be made available to customers as soon as possible.

    While the vulnerability affects the majority of Android devices including BlackBerry Android Smartphones, we believe that BlackBerry’s secure boot chain design mitigates the issue since any elevation of privilege to root level will be temporary and any exploit for this issue would be unable to gain a persistent root. BlackBerry is not aware of any exploits for this vulnerability in the wild and does not believe that any customers are currently at risk from this issue


    At least you need a good name for vulnerabilities these days. Thanks BB Team for letting us know.
    They actually should post this in like big letters on their blog and tell everyone about it, and pronounce to the world that they are the first to completely patch up the vulnerability, within the week it was announced. That should get some shock and awe.
    Mecca EL and gizmo21 like this.
    08-08-16 04:03 PM
  21. anon(9742832)'s Avatar
    Check Point just released an article to the media naming 4 Qualcomm vulnerabilities "quadrooter" where 900 million devices are affected also explicitly naming BlackBerry PRIV as first device.

    The four security flaws are CVE-2016-2503 ★ (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 ★ (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 † (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 † (Qualcomm GPU driver, fixed, patch status unknown).

    The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting) but the other two seem not fixed atm (as for the security bulletins of BlackBerry). But unclear if Priv is really affected by those two.

    QuadRooter: New Android Vulnerabilities in Over 900 Million Devices | Check Point Blog

    QuadRooter Android Security Bugs Affect over 900 Million Devices

    Now BlackBerry could release some statement to use the media coverage and at least get those Aug patches out to all users:
    http://forums.crackberry.com/blackbe...pdate-1081877/
    No worries if you are careful with your phone than its a non starter for trouble. Just like with Windows, as long as you watch what you install or download than no issues occur. When the patch comes as it will, I would love to know what the actual patch rate is. I would bet its less than 50%. That's why Microsoft went to mandatory updates in Windows 10. People just don't update and install security patches. Same goes for APPS. People seldom update the APPS and only when they have too. So a secure phone as always defaults to the owner and in the end they are the weakest link.
    08-08-16 04:27 PM
  22. liridonw's Avatar
    It's already here even after August update

    Posted via the CrackBerry App for Android
    Attached Thumbnails Quadrooter vulnerability article names PRIV as vulnerable-98586.jpg  
    08-08-16 04:27 PM
  23. Ecm's Avatar
    It's already here even after August update

    Posted via the CrackBerry App for Android
    Hmm... I wonder how many people have run the check, then tapped "Get ZoneAlarm Protection" conveniently placed at the bottom of the results screen?
    Mecca EL, howarmat, Wezard and 1 others like this.
    08-08-16 05:45 PM
  24. Mecca EL's Avatar
    Hmm... I wonder how many people have run the check, then tapped "Get ZoneAlarm Protection" conveniently placed at the bottom of the results screen?
    Supa_Fly1 and Wezard like this.
    08-08-16 05:47 PM
  25. FF22's Avatar
    They actually should post this in like big letters on their blog and tell everyone about it, and pronounce to the world that they are the first to completely patch up the vulnerability, within the week it was announced. That should get some shock and awe.
    Except if you have a Priv from Verizon. In which case no one gives a DAMN!
    Mecca EL likes this.
    08-08-16 05:49 PM
61 123

Similar Threads

  1. Can Blend, as a terminal App, be installed on an Android phone?
    By herbersh in forum General BlackBerry Discussion
    Replies: 10
    Last Post: 08-21-16, 03:16 PM
  2. Blackberry Priv Issue with Wireless Charger
    By KOAO in forum BlackBerry Priv
    Replies: 13
    Last Post: 08-15-16, 09:23 AM
  3. Will the Priv get a refresh?
    By mithrazor in forum BlackBerry Priv
    Replies: 5
    Last Post: 08-09-16, 03:00 AM
  4. Replies: 2
    Last Post: 08-08-16, 06:41 PM
  5. Is Priv less secure than DTEK50?
    By chw6922 in forum BlackBerry Priv
    Replies: 13
    Last Post: 08-08-16, 12:35 AM
LINK TO POST COPIED TO CLIPBOARD