===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2016.0023.2
         Multiple vulnerabilities have been identified in Android
                               9 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Nexus devices
                      Android devices
Operating System:     Android
Impact/Access:        Root Compromise                 -- Existing Account            
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Privileged Data          -- Existing Account            
                      Denial of Service               -- Remote/Unauthenticated      
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-1621 CVE-2016-0832 CVE-2016-0831
                      CVE-2016-0830 CVE-2016-0829 CVE-2016-0828
                      CVE-2016-0827 CVE-2016-0826 CVE-2016-0825
                      CVE-2016-0824 CVE-2016-0823 CVE-2016-0822
                      CVE-2016-0821 CVE-2016-0820 CVE-2016-0819
                      CVE-2016-0818 CVE-2016-0816 CVE-2016-0815
                      CVE-2016-0728  
Member content until: Thursday, April  7 2016
Reference:            ASB-2016.0017
                      ESB-2016.0572
                      ESB-2016.0273
                      ESB-2016.0178
                      ESB-2016.0137

Revision History:     March 9 2016: Added reference to Impact section
                      March 8 2016: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Google Nexus 
        firmware prior to build LMY49H and Android prior to Android M with 
        Security Patch Level of March 01, 2016. [1]


IMPACT

        Google has provided the following details regarding the 
        vulnerabilities:
        
        "Remote Code Execution Vulnerability in Mediaserver
        
        During media file and data processing of a specially crafted file, 
        vulnerabilities in mediaserver could allow an attacker to cause 
        memory corruption and remote code execution as the mediaserver 
        process.
        
        The affected functionality is provided as a core part of the 
        operating system, and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser 
        playback of media.
        
        This issue is rated as a Critical severity due to the possibility of
        remote code execution within the context of the mediaserver service.
        The mediaserver service has access to audio and video streams as 
        well as access to privileges that third-party apps could not 
        normally access.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0815   ANDROID-26365349    Critical   4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Google Internal
        CVE-2016-0816   ANDROID-25928803    Critical   6.0, 6.0.1                        Google Internal
        
        Remote Code Execution Vulnerabilities in libvpx
        
        During media file and data processing of a specially crafted file, 
        vulnerabilities in mediaserver could allow an attacker to cause 
        memory corruption and remote code execution as the mediaserver 
        process.
        
        The affected functionality is provided as a core part of the 
        operating system and there are multiple applications that allow it 
        to be reached with remote content, most notably MMS and browser 
        playback of media.
        
        The issues are rated as Critical severity because they could be used
        for remote code execution within the context of the mediaserver 
        service. The mediaserver service has access to audio and video 
        streams as well as access to privileges that third-party apps cannot
        normally access.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-1621   ANDROID-23452792    Critical   4.4.4, 5.0.2, 5.1.1, 6.0          Google Internal
        
        Elevation of Privilege in Conscrypt
        
        A vulnerability in Conscrypt could allow a specific type of invalid
        certificate, issued by an intermediate Certificate Authority (CA), 
        to be incorrectly trusted. This may enable a man in the middle 
        attack. This issue is rated as a Critical severity due to the 
        possibility of an elevation of privilege and remote arbitrary code 
        execution.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0818   ANDROID-26232830    Critical   4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Google Internal
        
        Elevation of Privilege Vulnerability in the Qualcomm Performance 
        Component
        
        An elevation of privilege vulnerability in the Qualcomm performance
        component could enable a local malicious application to execute 
        arbitrary code in the kernel. This issue is rated as a Critical 
        severity due to the possibility of a local permanent device 
        compromise, and the device could only be repaired by re-flashing the
        operating system.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0819   ANDROID-25364034*   Critical   4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Google Internal
        
        * The patch for this issue is not in AOSP. The update is contained 
        in the latest binary drivers for Nexus devices available from the 
        Google Developer site.
        
        Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel Driver
        
        There is a vulnerability in the MediaTek Wi-Fi kernel driver that 
        could enable a local malicious application to execute arbitrary code
        within the context of the kernel. This issue is rated as a Critical
        severity due to the possibility of elevation of privilege and 
        arbitrary code execution in the context of the kernel.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0820   ANDROID-26267358*   Critical   6.0.1                             Dec 18, 2015
        
        * The patch for this issue is not in AOSP. The update is contained 
        in the latest binary drivers for Nexus devices available from the 
        Google Developer site.
        
        Elevation of Privilege Vulnerability in Kernel Keyring Component
        
        An elevation of privilege vulnerability in the Kernel Keyring 
        Component could enable a local malicious application to execute 
        arbitrary code within the kernel. This issue is rated as a Critical
        severity due to the possibility of a local permanent device 
        compromise and the device could potentially only be repaired by 
        re-flashing the operating system. However, in Android versions 5.0 
        and above, SELinux rules prevent third-party applications from 
        reaching the affected code.
        
        Note: For reference, the patch in AOSP is available for specific 
        kernel versions: 4.1, 3.18, 3.14, and 3.10.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0728   ANDROID-26636379    Critical   4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Jan 11, 2016
        
        Mitigation Bypass Vulnerability in the Kernel
        
        A mitigation bypass vulnerability in the kernel could permit a 
        bypass of security measures in place to increase the difficulty of 
        attackers exploiting the platform. This issue is rated as High 
        severity because it could permit a bypass of security measures in 
        place to increase the difficulty of attackers exploiting the 
        platform.
        
        Note: An update for this issue is located in the Linux upstream.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0821   ANDROID-26186802    High       6.0.1                             Google internal
        
        Elevation of Privilege in MediaTek Connectivity Kernel Driver
        
        There is an elevation of privilege vulnerability in a MediaTek 
        connectivity kernel driver that could enable a local malicious 
        application to execute arbitrary code within the context of the 
        kernel. Normally a kernel code execution bug like this would be 
        rated critical, but given that it requires first compromising the 
        conn_launcher service, which may not even be possible, it justifies
        a downgrade to High severity rating.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0822   ANDROID-25873324*   High       6.0.1                             Google internal
        
        * The patch for this issue is not in AOSP. The update is contained 
        in the latest binary drivers for Nexus devices available from the 
        Google Developer site.
        
        Information Disclosure Vulnerability in Kernel
        
        An information disclosure vulnerability in the kernel could permit a
        bypass of security measures in place to increase the difficulty of 
        attackers exploiting the platform. These issues are rated as High 
        severity because they could allow a local bypass of exploit 
        mitigation technologies such as ASLR in a privileged process.
        
        Note: A fix for this issue is located in Linux upstream.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0823   ANDROID-25739721*   High       6.0.1                             Google internal
        
        Information Disclosure Vulnerability in libstagefright
        
        An information disclosure vulnerability in libstagefright could 
        permit a bypass of security measures in place to increase the 
        difficulty of attackers exploiting the platform. These issues are 
        rated as High severity because they could also be used to gain 
        elevated capabilities, such as Signature or SignatureOrSystem 
        permissions privileges, which are not accessible to third-party 
        applications.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0824   ANDROID-25765591    High       6.0, 6.0.1                        Nov 18, 2015
        
        Information Disclosure Vulnerability in Widevine
        
        An information disclosure vulnerability in the Widevine Trusted 
        Application could allow code running in the kernel context to access
        information in TrustZone secure storage. This issue is rated as High
        severity because it could be used to gain elevated capabilities, 
        such as Signature or SignatureOrSystem permissions privileges.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0825   ANDROID-20860039*   High       6.0.1                             Google Internal
        
        * The patch for this issue is not in AOSP. The update is contained 
        in the latest binary drivers for Nexus devices available from the 
        Google Developer site.
        
        Elevation of Privilege Vulnerability in Mediaserver
        
        An elevation of privilege vulnerability in mediaserver could enable
        a local malicious application to execute arbitrary code within the 
        context of an elevated system application. This issue is rated as 
        High severity because it could be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to a third-party application.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0826   ANDROID-26265403    High       4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Dec 17, 2015
        CVE-2016-0827   ANDROID-26347509    High       4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Dec 28, 2015
        
        Information Disclosure Vulnerability in Mediaserver
        
        An information disclosure vulnerability in mediaserver could permit
        a bypass of security measures in place to increase the difficulty of
        attackers exploiting the platform. These issues are rated as High 
        severity because they could also be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to third-party applications.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0828   ANDROID-26338113    High       5.0.2, 5.1.1, 6.0, 6.0.1          Dec 27, 2015
        CVE-2016-0829   ANDROID-26338109    High       4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1   Dec 27, 2015
        
        Remote Denial of Service Vulnerability in Bluetooth
        
        A remote denial of service vulnerability in the Bluetooth component
        could allow a proximal attacker to block access to an affected 
        device. An attacker could cause an overflow of identified Bluetooth
        devices in the Bluetooth component, which leads to memory corruption
        and service stop. This is rated as High severity because it leads
        to a Denial of Service to the Bluetooth service, which could 
        potentially only be fixed with a flash of the device.
        
        CVE             AOSP Link           Severity   Updated versions                  Date reported
        CVE-2016-0830   ANDROID-26071376    High       6.0, 6.0.1                        Google Internal
        
        Information Disclosure Vulnerability in Telephony
        
        An information disclosure vulnerability in the Telephony component 
        could allow an application to access sensitive information. This 
        issue is rated Moderate severity because it could be used to 
        improperly access data without permission.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0831   ANDROID-25778215    Moderate   5.0.2, 5.1.1, 6.0, 6.0.1          Nov 16, 2015
        
        Elevation of Privilege Vulnerability in Setup Wizard
        
        A vulnerability in the Setup Wizard could enable an attacker who had
        physical access to the device to gain access to device settings and
        perform a manual device reset. This issue is rated as Moderate 
        severity because it could be used to improperly work around the 
        factory reset protection.
        
        CVE             Bug(s)              Severity   Updated versions                  Date reported
        CVE-2016-0832   ANDROID-25955042*   Moderate   5.1.1, 6.0, 6.0.1                 Google Internal" [1]


MITIGATION

        Google advises it has released Over The Air (OTA) updates for Nexus,
        and partner updates are expected to be released to the Android Open
        Source Project (AOSP) shortly.
        
        Android users are advised to update to the latest versions to 
        address these issues. [1]
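        The following check is an added example, not part of the AusCERT
        bulletin or Google's text: it classifies a device from its build
        properties using the thresholds in the OVERVIEW (Nexus Lollipop
        firmware fixed from build LMY49H, Android M fixed from security
        patch level 2016-03-01). It assumes ro.build.version.security_patch
        is present on 6.0 and later and that, on 5.1.x, only the build id is
        comparable; 4.4.4 and 5.0.2 are listed as updated but no build id is
        given for them, so they are reported as unknown.

```shell
# patch_status RELEASE BUILD_ID SECURITY_PATCH
# Prints patched / vulnerable / unknown and returns 0 / 1 / 2.
patch_status() {
    release=$1; build_id=$2; sec_patch=$3
    case "$release" in
        6.*)
            # Patch level is YYYY-MM-DD; strip the dashes and compare as a number.
            num=$(printf '%s' "$sec_patch" | tr -d '-')
            case "$num" in
                ''|*[!0-9]*) echo vulnerable; return 1 ;;
            esac
            if [ "$num" -ge 20160301 ]; then echo patched; return 0; fi
            echo vulnerable; return 1 ;;
        5.1*)
            # Nexus build ids within one release sort lexically (LMY48Z < LMY49H),
            # so a whole-string comparison against LMY49H is sufficient.
            if [ "$(expr "$build_id" \>= LMY49H)" = 1 ]; then
                echo patched; return 0
            fi
            echo vulnerable; return 1 ;;
        *)
            # 4.4.4 / 5.0.2: bulletin gives no build id to compare against.
            echo unknown; return 2 ;;
    esac
}

# Read the three properties from an attached device over adb and classify it
# (assumes adb is on PATH and the device is authorised; CR stripped from output).
check_device() {
    patch_status "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
                 "$(adb shell getprop ro.build.id | tr -d '\r')" \
                 "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}

# Allow manual use: sh check.sh 6.0.1 BUILD 2016-03-01
if [ "$#" -eq 3 ]; then patch_status "$@"; fi
```

        Run check_device against a connected handset, or pass the three
        property values by hand when auditing an inventory export.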


REFERENCES

        [1] Nexus Security Bulletin - March 2016
            https://source.android.com/security/bulletin/2016-03-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================