-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
              AUSCERT Security Bulletin ASB-2016.0023.2
        Multiple vulnerabilities have been identified in Android
                              9 March 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Nexus devices
                      Android devices
Operating System:     Android
Impact/Access:        Root Compromise                 -- Existing Account
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Privileged Data          -- Existing Account
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote with User Interaction
                      Unauthorised Access             -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-1621 CVE-2016-0832 CVE-2016-0831 CVE-2016-0830
                      CVE-2016-0829 CVE-2016-0828 CVE-2016-0827 CVE-2016-0826
                      CVE-2016-0825 CVE-2016-0824 CVE-2016-0823 CVE-2016-0822
                      CVE-2016-0821 CVE-2016-0820 CVE-2016-0819 CVE-2016-0818
                      CVE-2016-0816 CVE-2016-0815 CVE-2016-0728
Member content until: Thursday, April 7 2016
Reference:            ASB-2016.0017
                      ESB-2016.0572
                      ESB-2016.0273
                      ESB-2016.0178
                      ESB-2016.0137

Revision History:     March 9 2016: Added reference to Impact section
                      March 8 2016: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Google Nexus
        firmware prior to build LMY49H and in Android prior to Android M
        with a Security Patch Level of March 01, 2016. [1]

IMPACT

        Google has provided the following details regarding the
        vulnerabilities:

        "Remote Code Execution Vulnerability in Mediaserver

        During media file and data processing of a specially crafted file,
        vulnerabilities in mediaserver could allow an attacker to cause
        memory corruption and remote code execution as the mediaserver
        process.

        The affected functionality is provided as a core part of the
        operating system, and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser
        playback of media.

        This issue is rated as Critical severity due to the possibility of
        remote code execution within the context of the mediaserver
        service. The mediaserver service has access to audio and video
        streams as well as access to privileges that third-party apps could
        not normally access.

        CVE            Bug(s)            Severity  Updated versions                 Date reported
        CVE-2016-0815  ANDROID-26365349  Critical  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        CVE-2016-0816  ANDROID-25928803  Critical  6.0, 6.0.1                       Google Internal

        Remote Code Execution Vulnerabilities in libvpx

        During media file and data processing of a specially crafted file,
        vulnerabilities in mediaserver could allow an attacker to cause
        memory corruption and remote code execution as the mediaserver
        process.

        The affected functionality is provided as a core part of the
        operating system and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser
        playback of media.

        The issues are rated as Critical severity because they could be
        used for remote code execution within the context of the
        mediaserver service. The mediaserver service has access to audio
        and video streams as well as access to privileges that third-party
        apps cannot normally access.

        CVE            Bug(s)            Severity  Updated versions            Date reported
        CVE-2016-1621  ANDROID-23452792  Critical  4.4.4, 5.0.2, 5.1.1, 6.0    Google Internal

        Elevation of Privilege in Conscrypt

        A vulnerability in Conscrypt could allow a specific type of invalid
        certificate, issued by an intermediate Certificate Authority (CA),
        to be incorrectly trusted. This may enable a man in the middle
        attack. This issue is rated as Critical severity due to the
        possibility of an elevation of privilege and remote arbitrary code
        execution.

        CVE            Bug(s)            Severity  Updated versions                 Date reported
        CVE-2016-0818  ANDROID-26232830  Critical  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal

        Elevation of Privilege Vulnerability in the Qualcomm Performance
        Component

        An elevation of privilege vulnerability in the Qualcomm performance
        component could enable a local malicious application to execute
        arbitrary code in the kernel. This issue is rated as Critical
        severity due to the possibility of a local permanent device
        compromise, and the device could only be repaired by re-flashing
        the operating system.

        CVE            Bug(s)             Severity  Updated versions                 Date reported
        CVE-2016-0819  ANDROID-25364034*  Critical  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal

        * The patch for this issue is not in AOSP. The update is contained
          in the latest binary drivers for Nexus devices available from the
          Google Developer site.

        Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel
        Driver

        There is a vulnerability in the MediaTek Wi-Fi kernel driver that
        could enable a local malicious application to execute arbitrary
        code within the context of the kernel. This issue is rated as
        Critical severity due to the possibility of elevation of privilege
        and arbitrary code execution in the context of the kernel.

        CVE            Bug(s)             Severity  Updated versions  Date reported
        CVE-2016-0820  ANDROID-26267358*  Critical  6.0.1             Dec 18, 2015

        * The patch for this issue is not in AOSP. The update is contained
          in the latest binary drivers for Nexus devices available from the
          Google Developer site.

        Elevation of Privilege Vulnerability in Kernel Keyring Component

        An elevation of privilege vulnerability in the Kernel Keyring
        Component could enable a local malicious application to execute
        arbitrary code within the kernel. This issue is rated as Critical
        severity due to the possibility of a local permanent device
        compromise and the device could potentially only be repaired by
        re-flashing the operating system. However, in Android versions 5.0
        and above, SELinux rules prevent third-party applications from
        reaching the affected code.

        Note: For reference, the patch in AOSP is available for specific
        kernel versions: 4.1, 3.18, 3.14, and 3.10.

        CVE            Bug(s)            Severity  Updated versions                 Date reported
        CVE-2016-0728  ANDROID-26636379  Critical  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 11, 2016

        Mitigation Bypass Vulnerability in the Kernel

        A mitigation bypass vulnerability in the kernel could permit a
        bypass of security measures in place to increase the difficulty of
        attackers exploiting the platform. This issue is rated as High
        severity because it could permit a bypass of security measures in
        place to increase the difficulty of attackers exploiting the
        platform.

        Note: The update for this issue is located in the Linux upstream.

        CVE            Bug(s)            Severity  Updated versions  Date reported
        CVE-2016-0821  ANDROID-26186802  High      6.0.1             Google internal

        Elevation of Privilege in MediaTek Connectivity Kernel Driver

        There is an elevation of privilege vulnerability in a MediaTek
        connectivity kernel driver that could enable a local malicious
        application to execute arbitrary code within the context of the
        kernel. Normally a kernel code execution bug like this would be
        rated critical, but given that it requires first compromising the
        conn_launcher service, which may not even be possible, it justifies
        a downgrade to a High severity rating.

        CVE            Bug(s)             Severity  Updated versions  Date reported
        CVE-2016-0822  ANDROID-25873324*  High      6.0.1             Google internal

        * The patch for this issue is not in AOSP. The update is contained
          in the latest binary drivers for Nexus devices available from the
          Google Developer site.

        Information Disclosure Vulnerability in Kernel

        An information disclosure vulnerability in the kernel could permit
        a bypass of security measures in place to increase the difficulty
        of attackers exploiting the platform. These issues are rated as
        High severity because they could allow a local bypass of exploit
        mitigation technologies such as ASLR in a privileged process.

        Note: The fix for this issue is located in Linux upstream.

        CVE            Bug(s)             Severity  Updated versions  Date reported
        CVE-2016-0823  ANDROID-25739721*  High      6.0.1             Google internal

        Information Disclosure Vulnerability in libstagefright

        An information disclosure vulnerability in libstagefright could
        permit a bypass of security measures in place to increase the
        difficulty of attackers exploiting the platform. These issues are
        rated as High severity because they could also be used to gain
        elevated capabilities, such as Signature or SignatureOrSystem
        permissions privileges, which are not accessible to third-party
        applications.

        CVE            Bug(s)            Severity  Updated versions  Date reported
        CVE-2016-0824  ANDROID-25765591  High      6.0, 6.0.1        Nov 18, 2015

        Information Disclosure Vulnerability in Widevine

        An information disclosure vulnerability in the Widevine Trusted
        Application could allow code running in the kernel context to
        access information in TrustZone secure storage. This issue is rated
        as High severity because it could be used to gain elevated
        capabilities, such as Signature or SignatureOrSystem permissions
        privileges.

        CVE            Bug(s)             Severity  Updated versions  Date reported
        CVE-2016-0825  ANDROID-20860039*  High      6.0.1             Google Internal

        * The patch for this issue is not in AOSP. The update is contained
          in the latest binary drivers for Nexus devices available from the
          Google Developer site.

        Elevation of Privilege Vulnerability in Mediaserver

        An elevation of privilege vulnerability in mediaserver could enable
        a local malicious application to execute arbitrary code within the
        context of an elevated system application. This issue is rated as
        High severity because it could be used to gain elevated
        capabilities, such as Signature or SignatureOrSystem permissions
        privileges, which are not accessible to a third-party application.

        CVE            Bug(s)            Severity  Updated versions                 Date reported
        CVE-2016-0826  ANDROID-26265403  High      4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 17, 2015
        CVE-2016-0827  ANDROID-26347509  High      4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 28, 2015

        Information Disclosure Vulnerability in Mediaserver

        An information disclosure vulnerability in mediaserver could permit
        a bypass of security measures in place to increase the difficulty
        of attackers exploiting the platform. These issues are rated as
        High severity because they could also be used to gain elevated
        capabilities, such as Signature or SignatureOrSystem permissions
        privileges, which are not accessible to third-party applications.

        CVE            Bug(s)            Severity  Updated versions                 Date reported
        CVE-2016-0828  ANDROID-26338113  High      5.0.2, 5.1.1, 6.0, 6.0.1         Dec 27, 2015
        CVE-2016-0829  ANDROID-26338109  High      4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 27, 2015

        Remote Denial of Service Vulnerability in Bluetooth

        A remote denial of service vulnerability in the Bluetooth component
        could allow a proximal attacker to block access to an affected
        device. An attacker could cause an overflow of identified Bluetooth
        devices in the Bluetooth component, which leads to memory
        corruption and service stop. This is rated as High severity because
        it leads to a Denial of Service to the Bluetooth service, which
        could potentially only be fixed with a flash of the device.

        CVE            AOSP Link         Severity  Updated versions  Date reported
        CVE-2016-0830  ANDROID-26071376  High      6.0, 6.0.1        Google Internal

        Information Disclosure Vulnerability in Telephony

        An information disclosure vulnerability in the Telephony component
        could allow an application to access sensitive information. This
        issue is rated Moderate severity because it could be used to
        improperly access data without permission.

        CVE            Bug(s)            Severity  Updated versions          Date reported
        CVE-2016-0831  ANDROID-25778215  Moderate  5.0.2, 5.1.1, 6.0, 6.0.1  Nov 16, 2015

        Elevation of Privilege Vulnerability in Setup Wizard

        A vulnerability in the Setup Wizard could enable an attacker who
        had physical access to the device to gain access to device settings
        and perform a manual device reset. This issue is rated as Moderate
        severity because it could be used to improperly work around the
        factory reset protection.

        CVE            Bug(s)             Severity  Updated versions   Date reported
        CVE-2016-0832  ANDROID-25955042*  Moderate  5.1.1, 6.0, 6.0.1  Google Internal" [1]

MITIGATION

        Google advises that it has released Over The Air (OTA) updates for
        Nexus devices, and that partner updates are expected to be released
        to the Android Open Source Project (AOSP) shortly. Android users
        are advised to update to the latest versions to address these
        issues. [1]

REFERENCES

        [1] Nexus Security Bulletin - March 2016
            https://source.android.com/security/bulletin/2016-03-01.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVt9szX6ZAP0PgtI9AQIkkRAAlw7YkLXScrAP0rdw8LEFI+M1C5O2CoEl
apK5IVNPr9k5ouZmV1ukv574slORF8cye0GGnNzWoZRrb1i8/DgOphaweHIEU785
DuMRplt++9nDmoV/RpHaO2fusz7+VSH9HRPppdewuOsmo4Arc4yy2f6not6Y6f/7
O2mMmLkQkfru5fJnE8El2c+oh/GAD5iX2TmAnw2/V3IkY1XfUqgnf9z14h99Gpzc
dX/kV9hEGW3ubweUAjF5S/I9lqO7wSaXecQsbFl2rual/PEZuFBNpZHnR7BwH4vN
Q3HURRgu7xZLdKBItClptvGgocSf5vCsy9mM74d22z1nkuFRzAn2JVbS/+WaENSx
DTfuG/VD/LPrpIAvl9vVHJSsJbuqew+foIpo4nLVtXHLL2zVVjx85p5HyflP14qK
mDGNdbK5UJoq4BFrIudXtqsvOuE80R+0xM3C16xyUe912E6enFDImDCLEDtZXIbA
mP7834MDxFMoH0zeSmNvxswW3KqHqzKE471lZLFL+twl36u/woxeeGYqHEUMcCcr
W6hP4b1leoeUFDTMGhX51nrZ3M8jrxSQkht/z+eD8nKsNnhJGg8p3xhw2+/TYZ8N
Kwp120c8DIwPYKWJurNRKqrBGHkcIrOtY6RS/7kfgDMFqWKn6W2AgSPMUzE7YZUL
+u2Fh/EfY5k=
=ehuZ
-----END PGP SIGNATURE-----
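The MITIGATION section above tells users to update, and the OVERVIEW gives the level to update to: a Security Patch Level of March 01, 2016. The script below is an added example, not part of the AusCERT bulletin or of Google's advisory; it checks whether a device's reported patch level meets that date. It assumes the device exposes the system property ro.build.version.security_patch (present from Android 6.0; devices on 5.x and earlier report nothing and are treated as unpatched) and that adb is on PATH when a real device is queried. The function names, the REQUIRED_PATCH_LEVEL variable and the --device flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the AusCERT bulletin): verify an Android device's
# security patch level against the level named in the bulletin.
# Assumptions: ro.build.version.security_patch exists on the device (Android
# 6.0+; earlier releases do not set it), and adb is on PATH when querying.

REQUIRED_PATCH_LEVEL="2016-03-01"   # from the bulletin: patch level of March 01, 2016

# patch_level_ok LEVEL
# Returns 0 when LEVEL (YYYY-MM-DD) is on or after REQUIRED_PATCH_LEVEL,
# 1 when it is older, empty or malformed (an unset property means the
# device predates patch levels entirely, so it cannot carry this fix).
patch_level_ok() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the dashes so YYYYMMDD can be compared as an integer.
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_PATCH_LEVEL" | sed 's/-//g')
    [ "$have" -ge "$need" ]
}

# device_patch_level
# Prints the patch level of the connected device, or nothing if adb is
# unavailable or the property is unset.
device_patch_level() {
    command -v adb >/dev/null 2>&1 || return 1
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# main [LEVEL]
# Reports a verdict for LEVEL, or for the connected device when LEVEL is omitted.
main() {
    level="${1:-$(device_patch_level)}"
    if patch_level_ok "$level"; then
        echo "OK: security patch level $level meets $REQUIRED_PATCH_LEVEL"
    else
        echo "NOT PATCHED: security patch level '$level' is below $REQUIRED_PATCH_LEVEL (or unreported)"
        return 1
    fi
}

# Usage:
#   sh check_patch_level.sh --device      query the connected device via adb
#   sh check_patch_level.sh 2016-02-01    check a level supplied on the command line
# With no argument the file only defines functions, so it can be sourced.
case "${1:-}" in
    --device) main ;;
    ?*)       main "$1" ;;
esac
```

The comparison works on the property's ISO date alone; it deliberately does not try to order Nexus build IDs such as LMY49H, which do not sort meaningfully as strings. A device running a 5.x build can only be judged by its build ID against the vendor's OTA notes, which is why an unset property is reported as unpatched rather than unknown.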