Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2016.0034 Multiple vulnerabilities have been identified in Android 6 April 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Nexus devices Operating System: Android Impact/Access: Root Compromise -- Remote with User Interaction Execute Arbitrary Code/Commands -- Remote/Unauthenticated Increased Privileges -- Remote/Unauthenticated Access Privileged Data -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-2427 CVE-2016-2426 CVE-2016-2425 CVE-2016-2424 CVE-2016-2423 CVE-2016-2422 CVE-2016-2421 CVE-2016-2420 CVE-2016-2419 CVE-2016-2418 CVE-2016-2417 CVE-2016-2416 CVE-2016-2415 CVE-2016-2414 CVE-2016-2413 CVE-2016-2412 CVE-2016-2411 CVE-2016-2410 CVE-2016-2409 CVE-2016-1503 CVE-2016-0850 CVE-2016-0849 CVE-2016-0848 CVE-2016-0847 CVE-2016-0846 CVE-2016-0844 CVE-2016-0843 CVE-2016-0842 CVE-2016-0841 CVE-2016-0840 CVE-2016-0839 CVE-2016-0838 CVE-2016-0837 CVE-2016-0836 CVE-2016-0835 CVE-2016-0834 CVE-2015-1805 CVE-2014-9322 CVE-2014-6060 Member content until: Friday, May 6 2016 Reference: ESB-2016.0777 ESB-2015.0019 ESB-2014.2412.2 OVERVIEW Multiple vulnerabilities have been identified in Android prior to versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1. [1] IMPACT The vendor has provided the following information: "Remote Code Execution Vulnerability in DHCPCD A vulnerability in the Dynamic Host Configuration Protocol service could enable an attacker to cause memory corruption, which could lead to remote code execution. This issue is rated as Critical severity due to the possibility of remote code execution within the context of the DHCP client. The DHCP service has access to privileges that third-party apps could not normally access. CVE Bugs Severity Updated versions Date reported CVE-2014-6060 ANDROID-15268738 Critical 4.4.4 July 30, 2014 CVE-2014-6060 ANDROID-16677003 Critical 4.4.4 July 30, 2014 CVE-2016-1503 ANDROID-26461634 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 4, 2016 Remote Code Execution Vulnerability in Media Codec During media file and data processing of a specially crafted file, vulnerabilities in a media codec used by mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access. CVE Bug Severity Updated versions Date reported CVE-2016-0834 ANDROID-26220548 Critical 6.0, 6.0.1 Dec 16, 2015 Remote Code Execution Vulnerability in Mediaserver During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access. CVE Bugs Severity Updated versions Date reported CVE-2016-0835 ANDROID-26070014 Critical 6.0, 6.0.1 Dec 6, 2015 CVE-2016-0836 ANDROID-25812590 Critical 6.0, 6.0.1 Nov 19, 2015 CVE-2016-0837 ANDROID-27208621 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 11, 2016 CVE-2016-0838 ANDROID-26366256 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal CVE-2016-0839 ANDROID-25753245 Critical 6.0, 6.0.1 Google Internal CVE-2016-0840 ANDROID-26399350 Critical 6.0, 6.0.1 Google Internal CVE-2016-0841 ANDROID-26040840 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal Remote Code Execution Vulnerability in libstagefright During media file and data processing of a specially crafted file, vulnerabilities in libstagefright could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. CVE Bug Severity Updated versions Date reported CVE-2016-0842 ANDROID-25818142 Critical 6.0, 6.0.1 Nov 23, 2015 Elevation of Privilege Vulnerability in Kernel An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system. This issue was described in Android Security Advisory 2016-03-18. Note: For reference, the patch in AOSP is available for specific kernel versions: 3.14, 3.10, and 3.4. CVE Bug Severity Updated versions Date reported CVE-2015-1805 ANDROID-27275324 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 February 19, 2016 Elevation of Privilege Vulnerability in Qualcomm Performance Module An elevation of privilege vulnerability in the performance event manager component for ARM processors from Qualcomm could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system. CVE Bug Severity Updated versions Date reported CVE-2016-0843 ANDROID-25801197 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Nov 19, 2015 Elevation of Privilege Vulnerability in Qualcomm RF component There is a vulnerability in the Qualcomm RF driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system. Note: The fix for this is located in Linux upstream. CVE Bug Severity Updated versions Date reported CVE-2016-0844 ANDROID-26324307 Critical 6.0, 6.0.1 Dec 25, 2015 Elevation of Privilege Vulnerability in Kernel An elevation of privilege vulnerability in the common kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system. CVE Bug with AOSP Severity Updated versions Date reported links CVE-2014-9322 ANDROID-26927260 Critical 6.0, 6.0.1 Dec 25, 2015 [2][3][4][5][6][7] [8][9][10][11] Elevation of Privilege Vulnerability in IMemory Native Interface An elevation of privilege vulnerability in the IMemory Native Interface could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-0846 ANDROID-26877992 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 29, 2016 Elevation of Privilege Vulnerability in Telecom Component An elevation of privilege vulnerability in the Telecom Component could enable an attacker to make calls appear to come from any arbitrary number. This issue is rated as High severity because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-0847 ANDROID-26864502 High 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal Elevation of Privilege Vulnerability in Download Manager An elevation of privilege vulnerability in the Download Manager could enable an attacker to gain access to unauthorized files in private storage. This issue is rated as High severity because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-0848 ANDROID-26211054 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 14, 2015 Elevation of Privilege Vulnerability in Recovery Procedure An elevation of privilege vulnerability in the Recovery Procedure could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-0849 ANDROID-26960931 High 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 3, 2016 Elevation of Privilege Vulnerability in Bluetooth An elevation of privilege vulnerability in Bluetooth could enable an untrusted device to pair with the phone during the initial pairing process. This could lead to unauthorized access of the device resources, such as the Internet connection. This issue is rated as High severity because it could be used to gain elevated capabilities that are not accessible to untrusted devices. CVE Bug Severity Updated versions Date reported CVE-2016-0850 ANDROID-26551752 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 13, 2016 Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver There is an elevation of privilege vulnerability in a Texas Instruments haptic kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution bug like this would be rated Critical, but because it first requires compromising a service that can call the driver, it is rated as High severity instead. CVE Bug Severity Updated versions Date reported CVE-2016-2409 ANDROID-25981545 High 6.0, 6.0.1 Dec 25, 2015 Elevation of Privilege Vulnerability in Qualcomm Video Kernel Driver There is an elevation of privilege vulnerability in a Qualcomm video kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution vulnerability would be rated Critical, but because it requires first compromising a service that can call the driver, it is rated as High severity instead. CVE Bug Severity Updated versions Date reported CVE-2016-2410 ANDROID-26291677 High 6.0, 6.0.1 Dec 21, 2015 Elevation of Privilege Vulnerability in Qualcomm Power Management component There is an elevation of privilege vulnerability in a Qualcomm Power Management kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution bug like this would be rated Critical, but because it requires first compromising the device and elevation to root, it is rated as High severity instead. CVE Bug Severity Updated versions Date reported CVE-2016-2411 ANDROID-26866053 High 6.0, 6.0.1 Jan 28, 2016 Elevation of Privilege Vulnerability in System_server An elevation of privilege vulnerability in System_server could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-2412 ANDROID-26593930 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 15, 2016 Elevation of Privilege Vulnerability in Mediaserver An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-2413 ANDROID-26403627 High 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 5, 2016 Denial of Service Vulnerability in Minikin A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component, which leads to a crash. This is rated as High severity because Denial of Service would lead to a continuous reboot loop. CVE Bug Severity Updated versions Date reported CVE-2016-2414 ANDROID-26413177 High 5.0.2, 5.1.1, 6.0, 6.0.1 Nov 3, 2015 Information Disclosure Vulnerability in Exchange ActiveSync An information disclosure vulnerability in Exchange ActiveSync could enable a local malicious application to gain access to a user's private information. This issue is rated as High severity because it allows remote access to protected data. CVE Bug Severity Updated versions Date reported CVE-2016-2415 ANDROID-26488455 High 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 11, 2016 Information Disclosure Vulnerability in Mediaserver An information disclosure vulnerability in Mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications. CVE Bugs Severity Updated versions Date reported CVE-2016-2416 ANDROID-27046057 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 5, 2016 CVE-2016-2417 ANDROID-26914474 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 1, 2016 CVE-2016-2418 ANDROID-26324358 High 6.0, 6.0.1 Dec 24, 2015 CVE-2016-2419 ANDROID-26323455 High 6.0, 6.0.1 Dec 24, 2015 Elevation of Privilege Vulnerability in Debuggerd Component An elevation of privilege vulnerability in the Debuggerd component could enable a local malicious application to execute arbitrary code that could lead to a permanent device compromise. As a result, the device would possibly need to be repaired by re-flashing the operating system. Normally a code execution bug like this would be rated as Critical, but because it enables an elevation of privilege from system to root only in Android version 4.4.4, it is rated as Moderate instead. In Android versions 5.0 and above, SELinux rules prevent third-party applications from reaching the affected code. CVE Bug Severity Updated versions Date reported CVE-2016-2420 ANDROID-26403620 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 5, 2016 Elevation of Privilege Vulnerability in Setup Wizard A vulnerability in the Setup Wizard could allow an attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as Moderate severity because it potentially allows someone with physical access to a device to bypass the Factory Reset Protection, which would enable an attacker to successfully reset a device, erasing all data. CVE Bug Severity Updated versions Date reported CVE-2016-2421 ANDROID-26154410 Moderate 5.1.1, 6.0, 6.0.1 Google Internal Elevation of Privilege Vulnerability in Wi-Fi An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as Moderate severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application. CVE Bug Severity Updated versions Date reported CVE-2016-2422 ANDROID-26324357 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 23, 2015 Elevation of Privilege Vulnerability in Telephony A vulnerability in Telephony could allow an attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as Moderate severity because it potentially allows someone with physical access to a device to bypass the Factory Reset Protection, which would enable an attacker to successfully reset a device, erasing all data. CVE Bug Severity Updated versions Date reported CVE-2016-2423 ANDROID-26303187 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal Denial of Service Vulnerability in SyncStorageEngine A denial of service vulnerability in SyncStorageEngine could enable a local malicious application to cause a reboot loop. This issue is rated as Moderate severity because it could be used to cause a local temporary denial of service that would possibly need to be fixed though a factory reset. CVE Bug Severity Updated versions Date reported CVE-2016-2424 ANDROID-26513719 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal Information Disclosure Vulnerability in AOSP Mail An information disclosure vulnerability in AOSP Mail could enable a local malicious application to gain access to a user's private information. This issue is rated as Moderate severity because it could be used to improperly gain "dangerous" permissions. CVE Bugs Severity Updated versions Date reported CVE-2016-2425 ANDROID-26989185 Moderate 4.4.4, 5.1.1, 6.0, 6.0.1 Jan 29, 2016 CVE-2016-2425 ANDROID-7154234 Moderate 5.0.2 Jan 29, 2016 Information Disclosure Vulnerability in Framework An information disclosure vulnerability in the Framework component could allow an application to access sensitive information. This issue is rated Moderate severity because it could be used to improperly access to data without permission. CVE Bug Severity Updated versions Date reported CVE-2016-2426 ANDROID-26094635 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 8, 2015 Information Disclosure Vulnerability in BouncyCastle An information disclosure vulnerability in BouncyCastle could allow an authentication key to be leaked. This issue is rated as Moderate severity because it could be used to gain dangerous level data or capabilities without permission with an app installed on the device. The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access. CVE Bug Severity Updated versions Date reported CVE-2016-2427 ANDROID-26234568 Moderate 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal" [1] MITIGATION Android users are advised to update to the latest versions to address these issues. [1] REFERENCES [1] Nexus Security Bulletin - April 2016 https://source.android.com/security/bulletin/2016-04-02.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVwR+K36ZAP0PgtI9AQLjzhAAwphD4MrS+i7kbha/7Ufc9S8fq8erwwn6 M8QUSjm9evylG834InlcXEkIRwTgEeXAfhd75iy8oNImM1ccBlWJZrtjl3xv5T2o kI4kKrP1RTmijzsaqcjxyivLts0EIxv9VZCuPl2dETJUmatSZC8aMdocwyufoEj1 vgGH5+Cq3kmgKVgDRe63mhe0V/QyuwJuB3lboWEH7DNv2MELkUFx2jpGGCrq+29y NBV814bUSmh6Q6//C2klQLaO0MFu+Fh281xyGpt2V9E/3+UwLHSml6AKzz5evpH1 tlMNoesW8FVSzszgj/X+ukDiYebMKJIbSX1x5lsCEgP+T1ZSrWC6PSPTJnS/diUy SMjcenICtnOdljD08R81w7AxbUO48q96JxB81i0XqKKMfrOIQzDAkwjlwlG1Ty/6 E60uqL80o/78U+eeyJdp6I0LIw79HXSu3KAEVVxMcQQQjb4sofSr2Lk5qWTePDjg Y+w4nukvlPxi+0Eys04gVzrJkZM6DwW0qGDBOwuC8ifG+93wE4gKxtn5bWqhvRGW Fxy18svkNZaIAw2+v83xaVk5eR1J+E/ZqkRLx7HmR2A0DyhW1eXWnxJPA6T5T6tJ FYEmd2CktLBSo1Oa9FXd4HiQkjl/6AwKW53Cmu/wNGj1im/BR9isMp2uDzHewK98 MMR+/cMzPrk= =zuK3 -----END PGP SIGNATURE-----