AUSCERT External Security Bulletin Redistribution
BlackBerry powered by Android Security Bulletin - January 2016
5 January 2016
AusCERT Security Bulletin Summary
Product: BlackBerry powered by Android
Operating System: BlackBerry Device
Impact/Access: Increased Privileges -- Remote/Unauthenticated
               Execute Arbitrary Code/Commands -- Remote with User Interaction
               Denial of Service -- Remote with User Interaction
               Access Confidential Data -- Remote with User Interaction
CVE Names: CVE-2015-6645 CVE-2015-6644 CVE-2015-6643
--------------------------BEGIN INCLUDED TEXT--------------------
BlackBerry powered by Android Security Bulletin January 2016
Article Number: 000037749
First Published: January 04, 2016
Last Modified: January 04, 2016
Type: Security Bulletin
Purpose of this Bulletin
BlackBerry has released a security update to address multiple vulnerabilities
in BlackBerry powered by Android smartphones. We recommend that users update
to the latest available build, as outlined in the Available Updates section.
BlackBerry releases security bulletins to notify users of its Android
smartphones about available security fixes; see BlackBerry.com/bbsirt for a
complete list of monthly bulletins. This advisory is in response to the Nexus
Security Bulletin (January 2016) and addresses the issues in that bulletin
that affect BlackBerry powered by Android smartphones.
Vulnerabilities Fixed in this Update
The following vulnerabilities have been remediated in this update:
Summary: Remote Code Execution Vulnerability in Mediaserver
CVE: CVE-2015-6636
Description: During media file and data processing of a specially crafted file,
vulnerabilities in mediaserver could allow an attacker to cause memory corruption
and remote code execution as the
The affected functionality is provided as a core part of the operating system
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.

Summary: Elevation of Privilege Vulnerability in Setup Wizard
CVE: CVE-2015-6643
Description: An elevation of privilege vulnerability in the Setup Wizard can
enable an attacker with physical access to the device to gain access to device
settings and perform a manual device reset.

Summary: Elevation of Privilege Vulnerability in Wi-Fi
CVE: CVE-2015-5310
Description: An elevation of privilege vulnerability in the Wi-Fi component can
enable a locally proximate attacker to gain access to Wi-Fi service related
information. A device is only vulnerable to this issue while in local proximity.

Summary: Information Disclosure Vulnerability in Bouncy Castle
CVE: CVE-2015-6644
Description: An information disclosure vulnerability in the Bouncy Castle can
enable a local malicious application to gain access to user's

Summary: Denial of Service Vulnerability in SyncManager
CVE: CVE-2015-6645
Description: A denial of service vulnerability in the SyncManager can enable a
local malicious application to cause a reboot loop.
Available Updates
An updated software version is available immediately for BlackBerry powered by
Android smartphones that have been purchased from ShopBlackBerry.com. The
updated software version can be identified with the following build ID:
If your BlackBerry powered by Android smartphone was purchased from a source
other than ShopBlackBerry.com, please contact that retailer or carrier
directly for security maintenance release availability information.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.