-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1970
 BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry
                      powered by Android smartphones
                              16 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry powered by Android
Publisher:         BlackBerry
Operating System:  BlackBerry Device
                   Android
Impact/Access:     Root Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5340

Original Bulletin:
   http://support.blackberry.com/kb/articleDetail?articleNumber=000038385

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry
powered by Android smartphones

Article Number:  000038385
First Published: August 15, 2016
Last Modified:   August 15, 2016
Type:            Security Advisory

Overview

This advisory addresses an industry-wide local elevation of privilege
vulnerability (ASHmenian Devil) that has been discovered in BlackBerry
powered by Android smartphones. BlackBerry is not aware of any exploitation
of this vulnerability.

BlackBerry customer risk is limited by the inability of a potential attacker
to force exploitation of the vulnerability without customer interaction.
Successful exploitation requires that an attacker craft a malicious
application (app) and that a user install the malicious app. If the
requirements are met for exploitation, an attacker could potentially gain
non-persistent locally elevated privileges.

After installing the recommended software update, affected customers will be
fully protected from this vulnerability.

Who Should Read This Advisory?

- - BlackBerry powered by Android smartphone users
- - IT administrators who deploy BlackBerry powered by Android smartphones

Who Should Apply The Software Fix(es)?

- - BlackBerry powered by Android smartphone users
- - IT administrators who deploy BlackBerry powered by Android smartphones

More Information

What is the ASHmenian Devil vulnerability?

The vulnerability known as ASHmenian Devil is one of four vulnerabilities
(collectively known as QuadRooter) that were disclosed at the DefCon 24
security conference. Three of the four QuadRooter vulnerabilities were fixed
at, or before, the August 5, 2016 Android security patch level on the
BlackBerry PRIV. The same vulnerabilities are fixed in all software versions
on the BlackBerry DTEK50.

Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?

BlackBerry is not aware of any attacks targeting BlackBerry smartphone
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes
details of a software update in a security advisory after the fix is
available. Publishing this advisory ensures that our customers can protect
themselves by updating their software or employing available workarounds if
updating is not possible.

Where can I read more about the security of BlackBerry products and
solutions?

For more information on BlackBerry security, visit
www.blackberry.com/security and www.blackberry.com/bbsirt.

Affected Products and Resolutions

Read the following to determine if your BlackBerry powered by Android
smartphone is affected.

Affected Products

- - BlackBerry powered by Android smartphones running builds earlier than
    AAG111

Non Affected Products

- - BlackBerry powered by Android smartphones running build AAG111 and later

Resolution

An updated software version is available immediately for affected BlackBerry
smartphones that have been purchased from ShopBlackBerry.com. The updated
software version can be identified with the following build ID:

- - Build AAG111 and later

If your BlackBerry PRIV or DTEK50 smartphone was purchased from a source
other than ShopBlackBerry.com, please contact that retailer or carrier
directly for availability information.

A third party application reports a software version as vulnerable when the
advisory document lists it as not affected. Why is this?

BlackBerry is not responsible for third party applications but is aware that
some applications check component versions rather than attempting to
reproduce a vulnerability. Since this approach does not account for
differences in specific implementations, it is possible for these tests to
give a false positive response. BlackBerry has extensively tested these
patches and can confirm that the fix versions that are listed in this
advisory are unaffected by the QuadRooter issues, including ASHmenian Devil.

Vulnerability Information

A local elevation of privilege vulnerability exists in a Qualcomm kernel
driver used in affected versions of BlackBerry powered by Android
smartphones. The kernel driver allows shared memory regions to be created
for inter-process communication.

In order to exploit this vulnerability, an attacker must craft a
specifically designed malicious app. The attacker must then persuade a user
to download and install the malicious app. Successful exploitation of this
vulnerability could result in an attacker gaining non-persistent elevated
local privileges on the smartphone.

This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score
of 5.5. View the linked Common Vulnerability and Exposures (CVE) identifiers
for a description of the security issue that this security advisory
addresses.

CVE identifier    CVSSv2 score
CVE-2016-5340     5.5

Mitigations

Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an
attacker must persuade a user to install a local app running malicious code
on the smartphone. An attacker cannot force the user to install a malicious
app, and the user can only do so if they have turned off the Verify Apps and
SafetyNet features. BlackBerry is not aware of any such malicious app
exploiting this vulnerability. Additionally, there are no remote vectors for
this vulnerability.

Further, BlackBerry powered by Android smartphones use a unique security
system to prevent persistent compromise. Attempts to use this vulnerability
to gain persistent local elevated privileges on a BlackBerry Android
smartphone are likely to fail with an error. Any compromise would not
persist after a reboot.

Finally, side-loading apps on BlackBerry Android smartphones is not
permitted by default; users should check the DTEK by BlackBerry application
for verification of their security settings.

Workarounds

Workarounds are settings or configuration changes that a user or
administrator can apply to help protect against an attack.

BlackBerry recommends that all users apply the available software update to
fully protect their system. All workarounds should be considered temporary
measures for customers to apply if they cannot install the update
immediately or must perform standard testing and risk analysis. BlackBerry
recommends that customers who are able to do so install the update to secure
their systems.

BlackBerry recommends that customers only download apps from trusted sources
and do not disable security features such as Verify Apps.

Definitions

CVE

Common Vulnerability and Exposures (CVE) is a dictionary of common names
(CVE Identifiers) for publicly known information security vulnerabilities,
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the
urgency for update deployment within an organization. CVSS scores can range
from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in
vulnerability assessments to present an immutable characterization of
security issues. BlackBerry assigns all relevant security issues a non-zero
score. Customers performing their own risk assessments of vulnerabilities
that may impact them can benefit from using the same industry-recognized
CVSS metrics.

Change Log

08-15-2016 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV7JoAYx+lLeg9Ub1AQgc8A/+IycgIK9/HqeTAlvWd61OnwPYstGvRWzb
is9oxvfdsYGGT9Pr7+eQeZVAbqTTxrhi3RpPZwoFfJNHps3SB+60MpSf614yQghU
1XWH3718xVQmN7IRNHM3H+T9dYlMcb+JhKOHEJXrgjpRcz8cSz4DjSq23OUB0PoT
RoYY2PadGSe2elyTH5S1j/vVY6tQORrPhY6+UEKnI3IgDHibY3Ri7RfO7C+IcV+7
bla/7rdU2h3HYguhlthPdyWgm3lDE8rwdgEI1zA00mgt2guJ+t16sYh219FtzTer
Nm9wRPXdkYI5vx7G0wX+0ZKnCJ8pSjNFIL40xviuJhS3zEE1KTMZERgM61HFMMbD
fkyuXYl3XSotKJzfvNICVCpt2GH6Kd3FIxgK9KD+IwqiL/T4wHzIktpI7irb7oWG
3Mfh0h9aKq/bnsj3BSHgC9IdVNoytwsH7Qmf9+5QGFuWdzO+58+6iYdg+xhbJTAT
2O+BWaMDhytNzegnyi4LN+eK/ZOZilNYMnQ36pL+awsuS/fhKgkXjypEIOa3KCCC
FbkcYOmdIsYyLrsUagwYkK+zuf5tgb6QVxuEOTjzcNfzb9lXgfN33tp3zsUkI/XV
m6a8ljtckkJJygQwgJDR87+Ei3otq4n1RHYUaVX7l/hHd2zbvPt6T+ZPxIoNixEG
SpLXpNuIZxs=
=cXEz
-----END PGP SIGNATURE-----