===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0777
        BSRT-2016-002 Vulnerability in Android/Linux kernel impacts
                        BlackBerry PRIV smartphones
                               24 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry PRIV smartphones
Publisher:         BlackBerry
Operating System:  BlackBerry Device
                   Android
Impact/Access:     Root Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1805  

Reference:         ESB-2016.0760
                   ESB-2016.0579
                   ESB-2015.2640
                   ESB-2015.2329
                   ESB-2015.1776
                   ESB-2015.1728

Original Bulletin: 
   http://support.blackberry.com/kb/articleDetail?articleNumber=000038108

Comment: BlackBerry has identified a number of protection mechanisms that
         help reduce the likelihood of a successful attack. See the
         Mitigations section for details.

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2016-002 Vulnerability in Android/Linux kernel impacts BlackBerry PRIV 
smartphones

Article Number: 000038108 

First Published: March 23, 2016 

Last Modified: March 23, 2016 

Type: Security Advisory

OVERVIEW

This advisory addresses an industry-wide elevation of privilege vulnerability
that affects BlackBerry PRIV smartphones but is not currently being exploited
against them. BlackBerry customer risk is limited because a potential attacker
cannot force exploitation of the vulnerability without customer interaction.
Successful exploitation requires that an attacker craft a malicious
application (app) and that a user install the malicious app. If these
requirements are met, an attacker could potentially gain locally elevated
privileges. After installing the recommended software update, affected
customers will be fully protected from this vulnerability.

WHO SHOULD READ THIS ADVISORY?

BlackBerry PRIV smartphone users

IT administrators who deploy BlackBerry PRIV smartphones

WHO SHOULD APPLY THE SOFTWARE FIX(ES)?

BlackBerry PRIV smartphone users

IT administrators who deploy BlackBerry PRIV smartphones

MORE INFORMATION

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry PRIV smartphone 
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes 
details of a software update in a security advisory after the fix is 
available. Publishing this advisory ensures that our customers can protect 
themselves by updating their software or employing available workarounds if 
updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit www.blackberry.com/security
and www.blackberry.com/bbsirt.

AFFECTED PRODUCTS AND RESOLUTIONS

Read the following to determine if your BlackBerry PRIV smartphone is 
affected.

AFFECTED PRODUCTS

BlackBerry PRIV running build AAE134 and earlier

NON AFFECTED PRODUCTS

BlackBerry PRIV running build AAE298 and later

ARE BLACKBERRY DEVICES AFFECTED?

BlackBerry 10 and BlackBerry OS smartphones are not affected by this issue. 
The shared Android/Linux kernel on the BlackBerry PRIV is impacted.

RESOLUTION

An updated software version is available immediately for BlackBerry PRIV 
smartphones that have been purchased from ShopBlackBerry.com. The updated 
software version can be identified with the following build ID:

Build AAE298 and later

If your BlackBerry PRIV smartphone was purchased from a source other than 
ShopBlackBerry.com, please contact that retailer or carrier directly for 
urgent maintenance release availability information.

VULNERABILITY INFORMATION

An elevation of privilege vulnerability exists in the shared Android/Linux
kernel used in affected versions of BlackBerry PRIV smartphones. The kernel
constitutes the central core of the smartphone's operating system.

Successful exploitation of this vulnerability could result in an attacker 
gaining elevated privileges on the smartphone.

In order to exploit this vulnerability, an attacker must craft a malicious 
app. The attacker must then persuade a user to download and install the 
malicious app.

This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score of
6.9. View the linked Common Vulnerability and Exposures (CVE) identifiers for
a description of the security issue that this security advisory addresses.

CVE identifier      CVSSv2 score
--------------------------------
CVE-2015-1805       6.9
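As an added worked example (not part of the BlackBerry advisory), the CVSSv2
base-score arithmetic behind the 6.9 in the table above. The metric vector it
uses is an assumption reconstructed from the advisory's own description
(local access only, a user must install an app, no authentication, root-level
compromise); the advisory publishes only the score. The second vector shows
how much higher the same impact would score if the "no remote vectors"
mitigation did not hold.

```python
# Added example: CVSSv2 base-score calculation for the 6.9 in this advisory.
# The vector below is an ASSUMPTION reconstructed from the advisory's wording
# (local only, a user must install an app, no authentication, root compromise);
# the advisory itself publishes only the final score.

# CVSSv2 metric weights, as defined in the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:L/AC:M/Au:N/C:C/I:C/A:C' into a metric -> value dict."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"malformed CVSSv2 base vector: {vector}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """Return the CVSSv2 base score (rounded to one decimal) for a base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]])
                          * (1 - IMPACT[m["I"]])
                          * (1 - IMPACT[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


# Assumed vector matching the advisory's description: local-only (AV:L), the
# attacker must persuade a user to install an app (AC:M), no authentication
# (Au:N), and full control of the device on success (C:C/I:C/A:C).
ASSUMED_PRIV_VECTOR = "AV:L/AC:M/Au:N/C:C/I:C/A:C"
# Same impact, but reachable over the network with no user interaction.
REMOTE_CONTRAST_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"

if __name__ == "__main__":
    print(ASSUMED_PRIV_VECTOR, "->", cvss2_base_score(ASSUMED_PRIV_VECTOR))
    print(REMOTE_CONTRAST_VECTOR, "->", cvss2_base_score(REMOTE_CONTRAST_VECTOR))
```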

MITIGATIONS

Mitigations are existing conditions that a potential attacker would need to 
overcome to mount a successful attack or that would limit the severity of an 
attack. Examples of such conditions include default settings, common 
configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an 
attacker must persuade a user to install a local app running malicious code on
the smartphone. An attacker cannot force the user to install a malicious 
application. Further, BlackBerry is not aware of any such malicious 
applications targeting the BlackBerry PRIV.

There are no remote vectors for this vulnerability.

Further, BlackBerry PRIV smartphones use a unique security system to prevent 
persistent compromise. Attempts to use this vulnerability to gain persistent 
elevated privileges on a BlackBerry PRIV are likely to fail with an error. Any
compromise would not persist after a reboot.

The risk for enterprise customers is partially mitigated where current
versions of BES are used to manage their BlackBerry PRIV smartphones. For
those customers, the BlackBerry Integrity Detection Engine will identify and
report any BlackBerry PRIV smartphones that have been compromised by this
vulnerability.

By default, sideloading apps on BlackBerry PRIV is not permitted; users should
check the DTEK by BlackBerry application for verification of their security 
settings.

Finally, the Verify Apps feature will prompt the user with a warning about 
unsafe apps. The user must actively ignore multiple warnings generated by the
Verify Apps feature in order to install a malicious application.

WORKAROUNDS

Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their system. All 
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing 
and risk analysis. BlackBerry recommends that customers who are able to do so
install the update to secure their systems.

BlackBerry recommends that customers download apps only from trusted
sources.

DEFINITIONS

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities,
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the
severity of a vulnerability. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in vulnerability
assessments to present an immutable characterization of security issues.
BlackBerry assigns all relevant security issues a non-zero score. Customers
performing their own risk assessments of vulnerabilities that may impact them
can benefit from using the same industry-recognized CVSS metrics.

Trademark attributions

Android is a trademark of Google Inc.

Linux is the registered trademark of Linus Torvalds in the U.S. and other 
countries.

ACKNOWLEDGEMENTS

BlackBerry would like to thank the Android Security team at Google Inc for 
their assistance in protecting our customers. We would also like to thank 
Zimperium for their contribution to the rapid resolution of this issue.

CHANGE LOG

03-23-2016

Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================