-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0777
      BSRT-2016-002 Vulnerability in Android/Linux kernel impacts
                        BlackBerry PRIV smartphones
                               24 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry PRIV smartphones
Publisher:         BlackBerry
Operating System:  BlackBerry Device Android
Impact/Access:     Root Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1805

Reference:         ESB-2016.0760
                   ESB-2016.0579
                   ESB-2015.2640
                   ESB-2015.2329
                   ESB-2015.1776
                   ESB-2015.1728

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000038108

Comment: BlackBerry has identified a number of protection mechanisms that
         help reduce the likelihood of a successful attack. See the
         Mitigations section for details.

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2016-002 Vulnerability in Android/Linux kernel impacts BlackBerry PRIV
smartphones

Article Number:  000038108
First Published: March 23, 2016
Last Modified:   March 23, 2016
Type:            Security Advisory

OVERVIEW

This advisory addresses an industry-wide elevation of privilege
vulnerability that affects BlackBerry PRIV smartphones but is not currently
being exploited against them. BlackBerry customer risk is limited because a
potential attacker cannot force exploitation of the vulnerability without
customer interaction: successful exploitation requires that an attacker
craft a malicious application (app) and that a user install it. If those
requirements are met, an attacker could gain locally elevated privileges.
After installing the recommended software update, affected customers will
be fully protected from this vulnerability.

WHO SHOULD READ THIS ADVISORY?
    BlackBerry PRIV smartphone users
    IT administrators who deploy BlackBerry PRIV smartphones

WHO SHOULD APPLY THE SOFTWARE FIX(ES)?

    BlackBerry PRIV smartphone users
    IT administrators who deploy BlackBerry PRIV smartphones

MORE INFORMATION

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry PRIV smartphone
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes
details of a software update in a security advisory after the fix is
available. Publishing this advisory ensures that our customers can protect
themselves by updating their software or employing available workarounds if
updating is not possible.

Where can I read more about the security of BlackBerry products and
solutions?

For more information on BlackBerry security, visit
www.blackberry.com/security and www.blackberry.com/bbsirt.

AFFECTED PRODUCTS AND RESOLUTIONS

Read the following to determine if your BlackBerry PRIV smartphone is
affected.

AFFECTED PRODUCTS

    BlackBerry PRIV running build AAE134 and earlier

NON AFFECTED PRODUCTS

    BlackBerry PRIV running build AAE298 and later

ARE BLACKBERRY DEVICES AFFECTED?

BlackBerry 10 and BlackBerry OS smartphones are not affected by this issue.
The shared Android/Linux kernel on the BlackBerry PRIV is impacted.

RESOLUTION

An updated software version is available immediately for BlackBerry PRIV
smartphones that have been purchased from ShopBlackBerry.com. The updated
software version can be identified with the following build ID:

    Build AAE298 and later

If your BlackBerry PRIV smartphone was purchased from a source other than
ShopBlackBerry.com, please contact that retailer or carrier directly for
urgent maintenance release availability information.
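The following triage script is an added example, not code from BlackBerry or AusCERT. It applies the build thresholds above (AAE134 and earlier affected, AAE298 and later fixed) and the device settings that the Mitigations section further down relies on (sideloading disabled by default, Verify Apps warnings) to a snapshot of a device. It assumes the PRIV exposes its build ID in the standard Android `ro.build.id` property (collected with `adb shell getprop`), and that the sideloading and Verify Apps states are the standard Android settings `install_non_market_apps` (secure namespace) and `package_verifier_enable` (global namespace), read with `adb shell settings get`; confirm those names on a real device. The advisory says nothing about builds between AAE134 and AAE298, so the script reports those as unknown rather than guessing. The sample snapshot at the bottom is constructed, not real device output.

```python
"""Exposure triage for BSRT-2016-002 / CVE-2015-1805 on BlackBerry PRIV.

Added example, not code from BlackBerry or AusCERT. The build thresholds
come from the advisory's AFFECTED / NON AFFECTED PRODUCTS lists; the
property and settings names are assumed standard-Android names and should
be confirmed on an actual device.
"""
import re

# From the advisory: "AAE134 and earlier" affected, "AAE298 and later" fixed.
AFFECTED_MAX = ("AAE", 134)
FIXED_MIN = ("AAE", 298)

# Build IDs in the advisory are three letters followed by three digits.
# Assumption: builds order first by the letter block, then by the number,
# which is how the advisory's "earlier" / "later" wording reads.
_BUILD_RE = re.compile(r"^([A-Z]{3})(\d{3})$")


def parse_build(build_id):
    """Return (letters, number) for a build ID such as 'AAE298', else None."""
    m = _BUILD_RE.match(build_id.strip().upper())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def classify_build(build_id):
    """'affected', 'fixed', 'unknown' (a gap the advisory does not cover)
    or 'unparseable' (not a PRIV-style build ID at all)."""
    parsed = parse_build(build_id)
    if parsed is None:
        return "unparseable"
    if parsed <= AFFECTED_MAX:
        return "affected"
    if parsed >= FIXED_MIN:
        return "fixed"
    return "unknown"


def parse_getprop(text):
    """Parse `adb shell getprop` output, one '[key]: [value]' per line."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\[([^\]]+)\]:\s*\[(.*)\]$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_device(getprop_text, settings):
    """Combine the build status with the settings the Mitigations rely on.

    settings: dict of the values printed by
      `adb shell settings get secure install_non_market_apps` and
      `adb shell settings get global package_verifier_enable`
    (assumed standard-Android names; 'null' means the key is unset).
    """
    props = parse_getprop(getprop_text)
    build = props.get("ro.build.id", "")  # assumed property name
    status = classify_build(build)
    findings = []

    if status == "affected":
        findings.append("build %s is affected: update to AAE298 or later" % build)
    elif status == "unknown":
        findings.append("build %s lies between AAE134 and AAE298, which the "
                        "advisory does not cover; confirm with the carrier" % build)
    elif status == "unparseable":
        findings.append("ro.build.id %r is not a recognised PRIV build ID" % build)

    if status != "fixed":
        # Unpatched device: each missing mitigation widens the install path
        # a malicious app needs.
        if settings.get("install_non_market_apps") == "1":
            findings.append("sideloading (unknown sources) is enabled; the "
                            "default-off mitigation does not apply")
        if settings.get("package_verifier_enable") == "0":
            findings.append("Verify Apps is disabled; the user will not see "
                            "the warnings the advisory relies on")

    action = {"fixed": "ok", "affected": "patch"}.get(status, "review")
    return {"build": build, "status": status, "action": action,
            "findings": findings}


# Constructed sample snapshot (not real device output): an unpatched PRIV
# whose user has switched sideloading on but left Verify Apps enabled.
SAMPLE_GETPROP = """\
[ro.build.id]: [AAE134]
[ro.build.type]: [user]
"""
SAMPLE_SETTINGS = {"install_non_market_apps": "1",
                   "package_verifier_enable": "1"}

if __name__ == "__main__":
    result = assess_device(SAMPLE_GETPROP, SAMPLE_SETTINGS)
    print(result["status"], result["action"])
    for finding in result["findings"]:
        print(" -", finding)
```

To use it against a real handset, feed the output of `adb shell getprop` and the two `settings get` values into `assess_device`. The classification is deliberately conservative: only a build the advisory explicitly lists as fixed comes back as `ok`; anything it does not cover comes back as `review`.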
VULNERABILITY INFORMATION

An elevation of privilege vulnerability exists in the shared Android/Linux
kernel used in affected versions of BlackBerry PRIV smartphones. The kernel
constitutes the central core of the smartphone's operating system.
Successful exploitation of this vulnerability could result in an attacker
gaining elevated privileges on the smartphone.

In order to exploit this vulnerability, an attacker must craft a malicious
app. The attacker must then persuade a user to download and install the
malicious app.

This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score
of 6.9. View the linked Common Vulnerabilities and Exposures (CVE)
identifiers for a description of the security issue that this security
advisory addresses.

CVE identifier     CVSSv2 score
CVE-2015-1805      6.9

MITIGATIONS

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an
attacker must persuade a user to install a local app running malicious code
on the smartphone. An attacker cannot force the user to install a malicious
application. Further, BlackBerry is not aware of any such malicious
applications targeting the BlackBerry PRIV. There are no remote vectors for
this vulnerability.

Further, BlackBerry PRIV smartphones use a unique security system to prevent
persistent compromise. Attempts to use this vulnerability to gain persistent
elevated privileges on a BlackBerry PRIV are likely to fail with an error.
Any compromise would not persist after a reboot.

The risk for enterprise customers is partially mitigated for customers
running current versions of BES to manage their BlackBerry PRIV
smartphones.
For those customers, the BlackBerry Integrity Detection Engine will identify
and report any BlackBerry PRIV smartphones that have been compromised by
this vulnerability.

By default, sideloading apps on BlackBerry PRIV is not permitted; users
should check the DTEK by BlackBerry application for verification of their
security settings.

Finally, the Verify Apps feature will prompt the user with a warning about
unsafe apps. The user must actively ignore multiple warnings generated by
the Verify Apps feature in order to install a malicious application.

WORKAROUNDS

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack. BlackBerry
recommends that all users apply the available software update to fully
protect their system. All workarounds should be considered temporary
measures for customers to apply if they cannot install the update
immediately or must perform standard testing and risk analysis.

BlackBerry recommends that customers who are able to do so install the
update to secure their systems.

BlackBerry recommends that customers only download apps from trusted
sources.

DEFINITIONS

CVE
    Common Vulnerabilities and Exposures (CVE) is a dictionary of common
    names (CVE Identifiers) for publicly known information security
    vulnerabilities, maintained by the MITRE Corporation.

CVSS
    CVSS is a vendor-agnostic, industry open standard designed to convey
    the severity of a vulnerability. CVSS scores may be used to determine
    the urgency for update deployment within an organization. CVSS scores
    can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry
    uses CVSSv2 in vulnerability assessments to present an immutable
    characterization of security issues. BlackBerry assigns all relevant
    security issues a non-zero score. Customers performing their own risk
    assessments of vulnerabilities that may impact them can benefit from
    using the same industry-recognized CVSS metrics.
Trademark attributions

Android is a trademark of Google Inc. Linux is the registered trademark of
Linus Torvalds in the U.S. and other countries.

ACKNOWLEDGEMENTS

BlackBerry would like to thank the Android Security team at Google Inc. for
their assistance in protecting our customers. We would also like to thank
Zimperium for their contribution to the rapid resolution of this issue.

CHANGE LOG

03-23-2016  Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVvNbzX6ZAP0PgtI9AQJ3Qw/9HwrMYdF/ZTYOQbnyyk6ArN0Eyiik33Zr
8nk9ooSjrhtwAc40uiLRRj2aN3rmtDnttC2BhofrpYCkyuTSoOH7K4iJjGqcK5D1
cQsx7oUqVFpyiTIp+cwlJmO/NWIQCQL5ixgW8Zz6PrivssMadvYeuqyU5jf29I9p
K3iBZV/svHNe1JEai4MD4wneQqzM8rKVIPkExqgJwtgjGtYV4VuqAqNEpnNz2gzh
Kx9j8a25WkbOmR/00/MNOpEWL7JeeaMxogmh3gIiHKcFTLo58iA+pIEwvhXtYqLC
FUY0WWWA7+u7f+JnNCROTs1aw7Q5bjnEYstpiTXKE4IFNllISYDRuGXPgkBR1b1l
gzRrRi4qg1YtOBq0ljEwiFLy/627voQD8J62Z8J0rKTZyuQStB5wUA1PgM9AeWkt
GkM3/Of3UJkQZqpNAdGbsyCEPdvJg4t8FNl5jmvcZ4GnDBN2xnydD7EsLc+HFPDS
LlX7d/URKUOjWtVFoMXoY9BXqrD+ew15LMymE7Sp+i915h/ksFwKgm1Qpw1izPlY
1CHHH/ATjkRa7ausv1gkd9JYgxCEBx01ohkPrTqXjNFj2WjicYm3xd7ac9BrkEuQ
n4SmbUY6KPBe7A2Lw+kFaMqo8ZZb/YuFHpoBq4nPmGFJLCdikCi8auzBQXyDCTF5
S51PDPVyWcA=
=W/92
-----END PGP SIGNATURE-----