-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0034
         Multiple vulnerabilities have been identified in Android
                               6 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Nexus devices
Operating System:     Android
Impact/Access:        Root Compromise                 -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Increased Privileges            -- Remote/Unauthenticated      
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated      
                      Provide Misleading Information  -- Remote/Unauthenticated      
                      Unauthorised Access             -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2427 CVE-2016-2426 CVE-2016-2425
                      CVE-2016-2424 CVE-2016-2423 CVE-2016-2422
                      CVE-2016-2421 CVE-2016-2420 CVE-2016-2419
                      CVE-2016-2418 CVE-2016-2417 CVE-2016-2416
                      CVE-2016-2415 CVE-2016-2414 CVE-2016-2413
                      CVE-2016-2412 CVE-2016-2411 CVE-2016-2410
                      CVE-2016-2409 CVE-2016-1503 CVE-2016-0850
                      CVE-2016-0849 CVE-2016-0848 CVE-2016-0847
                      CVE-2016-0846 CVE-2016-0844 CVE-2016-0843
                      CVE-2016-0842 CVE-2016-0841 CVE-2016-0840
                      CVE-2016-0839 CVE-2016-0838 CVE-2016-0837
                      CVE-2016-0836 CVE-2016-0835 CVE-2016-0834
                      CVE-2015-1805 CVE-2014-9322 CVE-2014-6060
Member content until: Friday, May  6 2016
Reference:            ESB-2016.0777
                      ESB-2015.0019
                      ESB-2014.2412.2

OVERVIEW

        Multiple vulnerabilities have been identified in Android prior to 
        versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1. [1]


IMPACT

        The vendor has provided the following information:
        
        "Remote Code Execution Vulnerability in DHCPCD
        
        A vulnerability in the Dynamic Host Configuration Protocol service 
        could enable an attacker to cause memory corruption, which could 
        lead to remote code execution. This issue is rated as Critical 
        severity due to the possibility of remote code execution within the
        context of the DHCP client. The DHCP service has access to 
        privileges that third-party apps could not normally access.
        
        CVE            Bugs              Severity    Updated versions                 Date reported
        CVE-2014-6060  ANDROID-15268738  Critical    4.4.4                            July 30, 2014
        CVE-2014-6060  ANDROID-16677003  Critical    4.4.4                            July 30, 2014
        CVE-2016-1503  ANDROID-26461634  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 4, 2016
        
        Remote Code Execution Vulnerability in Media Codec
        
        During media file and data processing of a specially crafted file, 
        vulnerabilities in a media codec used by mediaserver could allow an
        attacker to cause memory corruption and remote code execution as the
        mediaserver process.
        
        The affected functionality is provided as a core part of the 
        operating system, and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser 
        playback of media.
        
        This issue is rated as Critical severity due to the possibility of 
        remote code execution within the context of the mediaserver service.
        The mediaserver service has access to audio and video streams, as 
        well as access to privileges that third-party apps could not 
        normally access.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-0834  ANDROID-26220548  Critical    6.0, 6.0.1          Dec 16, 2015
        
        Remote Code Execution Vulnerability in Mediaserver
        
        During media file and data processing of a specially crafted file, 
        vulnerabilities in mediaserver could allow an attacker to cause 
        memory corruption and remote code execution as the mediaserver 
        process.
        
        The affected functionality is provided as a core part of the 
        operating system, and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser 
        playback of media.
        
        This issue is rated as Critical severity due to the possibility of 
        remote code execution within the context of the mediaserver service.
        The mediaserver service has access to audio and video streams, as 
        well as access to privileges that third-party apps could not 
        normally access.
        
        CVE            Bugs              Severity    Updated versions                 Date reported
        CVE-2016-0835  ANDROID-26070014  Critical    6.0, 6.0.1                       Dec 6, 2015
        CVE-2016-0836  ANDROID-25812590  Critical    6.0, 6.0.1                       Nov 19, 2015
        CVE-2016-0837  ANDROID-27208621  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Feb 11, 2016
        CVE-2016-0838  ANDROID-26366256  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        CVE-2016-0839  ANDROID-25753245  Critical    6.0, 6.0.1                       Google Internal
        CVE-2016-0840  ANDROID-26399350  Critical    6.0, 6.0.1                       Google Internal
        CVE-2016-0841  ANDROID-26040840  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        
        Remote Code Execution Vulnerability in libstagefright
        
        During media file and data processing of a specially crafted file, 
        vulnerabilities in libstagefright could allow an attacker to cause 
        memory corruption and remote code execution as the mediaserver 
        process.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-0842  ANDROID-25818142  Critical    6.0, 6.0.1          Nov 23, 2015
        
        Elevation of Privilege Vulnerability in Kernel
        
        An elevation of privilege vulnerability in the kernel could enable a
        local malicious application to execute arbitrary code within the 
        kernel. This issue is rated as Critical severity due to the 
        possibility of a local permanent device compromise, and the device 
        would possibly need to be repaired by re-flashing the operating 
        system. This issue was described in Android Security Advisory 
        2016-03-18.
        
        Note: For reference, the patch in AOSP is available for specific 
        kernel versions: 3.14, 3.10, and 3.4.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2015-1805  ANDROID-27275324  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  February 19, 2016
        
        Elevation of Privilege Vulnerability in Qualcomm Performance Module
        
        An elevation of privilege vulnerability in the performance event 
        manager component for ARM processors from Qualcomm could enable a 
        local malicious application to execute arbitrary code within the 
        kernel. This issue is rated as Critical severity due to the 
        possibility of a local permanent device compromise, and the device 
        would possibly need to be repaired by re-flashing the operating 
        system.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-0843  ANDROID-25801197  Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Nov 19, 2015
        
        Elevation of Privilege Vulnerability in Qualcomm RF component
        
        There is a vulnerability in the Qualcomm RF driver that could enable
        a local malicious application to execute arbitrary code within the 
        context of the kernel. This issue is rated as Critical severity due
        to the possibility of a local permanent device compromise, and the 
        device would possibly need to be repaired by re-flashing the 
        operating system.
        
        Note: The fix for this is located in Linux upstream.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-0844  ANDROID-26324307  Critical    6.0, 6.0.1          Dec 25, 2015
        
        Elevation of Privilege Vulnerability in Kernel
        
        An elevation of privilege vulnerability in the common kernel could 
        enable a local malicious application to execute arbitrary code in 
        the kernel. This issue is rated as Critical severity due to the 
        possibility of a local permanent device compromise and the device 
        would possibly need to be repaired by re-flashing the operating 
        system.
        
        CVE            Bug with AOSP links               Severity    Updated versions    Date reported
        CVE-2014-9322  ANDROID-26927260                  Critical    6.0, 6.0.1          Dec 25, 2015
                       [2][3][4][5][6][7][8][9][10][11]
        
        Elevation of Privilege Vulnerability in IMemory Native Interface
        
        An elevation of privilege vulnerability in the IMemory Native 
        Interface could enable a local malicious application to execute 
        arbitrary code within the context of an elevated system application.
        This issue is rated as High severity because it could be used to 
        gain elevated capabilities, such as Signature or SignatureOrSystem 
        permissions privileges, which are not accessible to a third-party 
        application.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-0846  ANDROID-26877992  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 29, 2016
        
        Elevation of Privilege Vulnerability in Telecom Component
        
        An elevation of privilege vulnerability in the Telecom Component 
        could enable an attacker to make calls appear to come from any 
        arbitrary number. This issue is rated as High severity because it 
        could be used to gain local access to elevated capabilities, such as
        Signature or SignatureOrSystem permissions privileges, which are not
        accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-0847  ANDROID-26864502  High        5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        
        Elevation of Privilege Vulnerability in Download Manager
        
        An elevation of privilege vulnerability in the Download Manager 
        could enable an attacker to gain access to unauthorized files in 
        private storage. This issue is rated as High severity because it 
        could be used to gain local access to elevated capabilities, such as
        Signature or SignatureOrSystem permissions privileges, which are not
        accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-0848  ANDROID-26211054  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 14, 2015
        
        Elevation of Privilege Vulnerability in Recovery Procedure
        
        An elevation of privilege vulnerability in the Recovery Procedure 
        could enable a local malicious application to execute arbitrary code
        within the context of an elevated system application. This issue is
        rated as High severity because it could be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-0849  ANDROID-26960931  High        5.0.2, 5.1.1, 6.0, 6.0.1  Feb 3, 2016
        
        Elevation of Privilege Vulnerability in Bluetooth
        
        An elevation of privilege vulnerability in Bluetooth could enable an
        untrusted device to pair with the phone during the initial pairing 
        process. This could lead to unauthorized access of the device 
        resources, such as the Internet connection. This issue is rated as 
        High severity because it could be used to gain elevated capabilities
        that are not accessible to untrusted devices.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-0850  ANDROID-26551752  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 13, 2016
        
        Elevation of Privilege Vulnerability in Texas Instruments Haptic 
        Driver
        
        There is an elevation of privilege vulnerability in a Texas 
        Instruments haptic kernel driver that could enable a local malicious
        application to execute arbitrary code within the context of the 
        kernel. Normally a kernel code execution bug like this would be 
        rated Critical, but because it first requires compromising a service
        that can call the driver, it is rated as High severity instead.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-2409  ANDROID-25981545  High        6.0, 6.0.1          Dec 25, 2015
        
        Elevation of Privilege Vulnerability in Qualcomm Video Kernel Driver
        
        There is an elevation of privilege vulnerability in a Qualcomm video
        kernel driver that could enable a local malicious application to 
        execute arbitrary code within the context of the kernel. Normally a
        kernel code execution vulnerability would be rated Critical, but 
        because it requires first compromising a service that can call the 
        driver, it is rated as High severity instead.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-2410  ANDROID-26291677  High        6.0, 6.0.1          Dec 21, 2015
        
        Elevation of Privilege Vulnerability in Qualcomm Power Management 
        component
        
        There is an elevation of privilege vulnerability in a Qualcomm Power
        Management kernel driver that could enable a local malicious 
        application to execute arbitrary code within the context of the 
        kernel. Normally a kernel code execution bug like this would be 
        rated Critical, but because it requires first compromising the 
        device and elevation to root, it is rated as High severity instead.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-2411  ANDROID-26866053  High        6.0, 6.0.1          Jan 28, 2016
        
        Elevation of Privilege Vulnerability in System_server
        
        An elevation of privilege vulnerability in System_server could 
        enable a local malicious application to execute arbitrary code 
        within the context of an elevated system application. This issue is
        rated as High severity because it could be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2412  ANDROID-26593930  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 15, 2016
        
        Elevation of Privilege Vulnerability in Mediaserver
        
        An elevation of privilege vulnerability in mediaserver could enable
        a local malicious application to execute arbitrary code within the 
        context of an elevated system application. This issue is rated as 
        High severity because it could be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-2413  ANDROID-26403627  High        5.0.2, 5.1.1, 6.0, 6.0.1  Jan 5, 2016
        
        Denial of Service Vulnerability in Minikin
        
        A denial of service vulnerability in the Minikin library could allow
        a local attacker to temporarily block access to an affected device.
        An attacker could cause an untrusted font to be loaded and cause an
        overflow in the Minikin component, which leads to a crash. This is 
        rated as High severity because Denial of Service would lead to a 
        continuous reboot loop.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-2414  ANDROID-26413177  High        5.0.2, 5.1.1, 6.0, 6.0.1  Nov 3, 2015
        
        Information Disclosure Vulnerability in Exchange ActiveSync
        
        An information disclosure vulnerability in Exchange ActiveSync could
        enable a local malicious application to gain access to a user's 
        private information. This issue is rated as High severity because it
        allows remote access to protected data.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-2415  ANDROID-26488455  High        5.0.2, 5.1.1, 6.0, 6.0.1  Jan 11, 2016
        
        Information Disclosure Vulnerability in Mediaserver
        
        An information disclosure vulnerability in Mediaserver could permit
        a bypass of security measures in place to increase the difficulty of
        attackers exploiting the platform. These issues are rated as High 
        severity because they could also be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to third-party applications.
        
        CVE            Bugs              Severity    Updated versions                 Date reported
        CVE-2016-2416  ANDROID-27046057  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Feb 5, 2016
        CVE-2016-2417  ANDROID-26914474  High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Feb 1, 2016
        CVE-2016-2418  ANDROID-26324358  High        6.0, 6.0.1                       Dec 24, 2015
        CVE-2016-2419  ANDROID-26323455  High        6.0, 6.0.1                       Dec 24, 2015
        
        Elevation of Privilege Vulnerability in Debuggerd Component
        
        An elevation of privilege vulnerability in the Debuggerd component 
        could enable a local malicious application to execute arbitrary code
        that could lead to a permanent device compromise. As a result, the 
        device would possibly need to be repaired by re-flashing the 
        operating system. Normally a code execution bug like this would be 
        rated as Critical, but because it enables an elevation of privilege
        from system to root only in Android version 4.4.4, it is rated as 
        Moderate instead. In Android versions 5.0 and above, SELinux rules 
        prevent third-party applications from reaching the affected code.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2420  ANDROID-26403620  Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Jan 5, 2016
        
        Elevation of Privilege Vulnerability in Setup Wizard
        
        A vulnerability in the Setup Wizard could allow an attacker to 
        bypass the Factory Reset Protection and gain access to the device. 
        This is rated as Moderate severity because it potentially allows 
        someone with physical access to a device to bypass the Factory Reset
        Protection, which would enable an attacker to successfully reset a 
        device, erasing all data.
        
        CVE            Bug               Severity    Updated versions    Date reported
        CVE-2016-2421  ANDROID-26154410  Moderate    5.1.1, 6.0, 6.0.1   Google Internal
        
        Elevation of Privilege Vulnerability in Wi-Fi
        
        An elevation of privilege vulnerability in Wi-Fi could enable a 
        local malicious application to execute arbitrary code within the 
        context of an elevated system application. This issue is rated as 
        Moderate severity because it could be used to gain elevated 
        capabilities, such as Signature or SignatureOrSystem permissions 
        privileges, which are not accessible to a third-party application.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2422  ANDROID-26324357  Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 23, 2015
        
        Elevation of Privilege Vulnerability in Telephony
        
        A vulnerability in Telephony could allow an attacker to bypass the 
        Factory Reset Protection and gain access to the device. This is 
        rated as Moderate severity because it potentially allows someone 
        with physical access to a device to bypass the Factory Reset 
        Protection, which would enable an attacker to successfully reset a 
        device, erasing all data.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2423  ANDROID-26303187  Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        
        Denial of Service Vulnerability in SyncStorageEngine
        
        A denial of service vulnerability in SyncStorageEngine could enable
        a local malicious application to cause a reboot loop. This issue is
        rated as Moderate severity because it could be used to cause a local
        temporary denial of service that would possibly need to be fixed 
        through a factory reset.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2424  ANDROID-26513719  Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal
        
        Information Disclosure Vulnerability in AOSP Mail
        
        An information disclosure vulnerability in AOSP Mail could enable a
        local malicious application to gain access to a user's private 
        information. This issue is rated as Moderate severity because it 
        could be used to improperly gain "dangerous" permissions.
        
        CVE            Bugs              Severity    Updated versions          Date reported
        CVE-2016-2425  ANDROID-26989185  Moderate    4.4.4, 5.1.1, 6.0, 6.0.1  Jan 29, 2016
        CVE-2016-2425  ANDROID-7154234   Moderate    5.0.2                     Jan 29, 2016
        
        Information Disclosure Vulnerability in Framework
        
        An information disclosure vulnerability in the Framework component 
        could allow an application to access sensitive information. This 
        issue is rated Moderate severity because it could be used to 
        improperly access data without permission.
        
        CVE            Bug               Severity    Updated versions                 Date reported
        CVE-2016-2426  ANDROID-26094635  Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1  Dec 8, 2015
        
        Information Disclosure Vulnerability in BouncyCastle
        
        An information disclosure vulnerability in BouncyCastle could allow
        an authentication key to be leaked. This issue is rated as Moderate
        severity because it could be used to gain dangerous level data or 
        capabilities without permission with an app installed on the device.
        
        The affected functionality is provided as a core part of the 
        operating system, and there are multiple applications that allow it
        to be reached with remote content, most notably MMS and browser 
        playback of media.
        
        This issue is rated as a Critical severity due to the possibility of
        remote code execution within the context of the mediaserver service.
        The mediaserver service has access to audio and video streams, as 
        well as access to privileges that third-party apps could not 
        normally access.
        
        CVE            Bug               Severity    Updated versions          Date reported
        CVE-2016-2427  ANDROID-26234568  Moderate    5.0.2, 5.1.1, 6.0, 6.0.1  Google Internal" [1]


MITIGATION

        Android users are advised to update to the latest versions to 
        address these issues. [1]


REFERENCES

        [1] Nexus Security Bulletin - April 2016
            https://source.android.com/security/bulletin/2016-04-02.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----