Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

           BSRT-2016-007 Vulnerability in Qualcomm kernel driver
             impacts BlackBerry powered by Android smartphones
                              16 August 2016


        AusCERT Security Bulletin Summary

Product:           BlackBerry powered by Android
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Root Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5340  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry 
powered by Android smartphones

Article Number: 000038385

First Published: August 15, 2016

Last Modified: August 15, 2016

Type: Security Advisory


This advisory addresses an industry-wide local elevation of privilege 
vulnerability (ASHmenian Devil) that has been discovered in BlackBerry powered
by Android smartphones. BlackBerry is not aware of any exploitation of this 
vulnerability. BlackBerry customer risk is limited by the inability of a 
potential attacker to force exploitation of the vulnerability without customer
interaction. Successful exploitation requires an attacker craft a malicious 
application (app) and that a user install the malicious app. If the 
requirements are met for exploitation, an attacker could potentially gain 
non-persistent locally elevated privileges. After installing the recommended 
software update, affected customers will be fully protected from this 

Who Should Read This Advisory?

- - BlackBerry powered by Android smartphone users

- - IT administrators who deploy BlackBerry powered by Android smartphones

Who Should Apply The Software Fix(es)?

- - BlackBerry powered by Android smartphone users

- - IT administrators who deploy BlackBerry powered by Android smartphones

More Information

What is the ASHmenian Devil vulnerability?

The vulnerability known as ASHmenian Devil is one of four vulnerabilities 
(collectively known as QuadRooter) that were disclosed at the DefCon 24 
security conference. Three of the four QuadRooter vulnerabilities were fixed 
at, or before, the August 5, 2016 Android security patch level on the 
BlackBerry PRIV. The same vulnerabilities are fixed in all software versions 
on BlackBerry DTEK50.

Have any BlackBerry customers been subject to an attack that exploits this 

BlackBerry is not aware of any attacks targeting BlackBerry smartphone 
customers using this vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known vulnerability. BlackBerry publishes 
details of a software update in a security advisory after the fix is 
available. Publishing this advisory ensures that our customers can protect 
themselves by updating their software or employing available workarounds if 
updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit www.blackberry.com/security
and www.blackberry.com/bbsirt.

Affected Products and Resolutions

Read the following to determine if your BlackBerry powered by Android 
smartphone is affected.

Affected Products

- - BlackBerry powered by Android smartphones running builds earlier than AAG111

Non Affected Products

- - BlackBerry powered by Android smartphones running build AAG111 and later


An updated software version is available immediately for affected BlackBerry 
smartphones that have been purchased from ShopBlackBerry.com. The updated 
software version can be identified with the following build ID:

- - Build AAG111 and later

If your BlackBerry PRIV or DTEK50 smartphone was purchased from a source other
than ShopBlackBerry.com, please contact that retailer or carrier directly for
availability information.

A third party application reports a software version as vulnerable when the 
advisory document lists it as not affected. Why is this?

BlackBerry is not responsible for third party applications but is aware that 
some applications check component versions rather than attempting to reproduce
a vulnerability. Since this approach does not account for differences in 
specific implementations, it is possible for these tests to give a false 
positive response. BlackBerry has extensively tested these patches and can 
confirm that the fix versions that are listed in this advisory are unaffected
by the QuadRooter issues, including ASHmenian Devil.

Vulnerability Information

A local elevation of privilege vulnerability exists in a Qualcomm kernel 
driver used in affected versions of BlackBerry powered by Android smartphones.
The kernel driver allows shared memory regions to be created for inter-process

In order to exploit this vulnerability, an attacker must craft a specifically
designed malicious app. The attacker must then persuade a user to download and
install the malicious app.

Successful exploitation of this vulnerability could result in an attacker 
gaining non-persistent elevated local privileges on the smartphone.

This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score of
5.5. View the linked Common Vulnerability and Exposures (CVE) identifiers for
a description of the security issue that this security advisory addresses.

CVE identifier 	CVSSv2 score

CVE-2016-5340 	5.5


Mitigations are existing conditions that a potential attacker would need to 
overcome to mount a successful attack or that would limit the severity of an 
attack. Examples of such conditions include default settings, common 
configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an 
attacker must persuade a user to install a local app running malicious code on
the smartphone. An attacker cannot force the user to install a malicious app 
and the user can only do so if they have turned off the Verify Apps and 
SafetyNet features. BlackBerry is not aware of any such malicious app 
exploiting this vulnerability.

Additionally, there are no remote vectors for this vulnerability.

Further, BlackBerry powered by Android smartphones use a unique security 
system to prevent persistent compromise. Attempts to use this vulnerability to
gain persistent local elevated privileges on a BlackBerry Android smartphone 
are likely to fail with an error. Any compromise would not persist after a 

Finally, side-loading apps on BlackBerry Android smartphones is not permitted
by default; users should check the DTEK by BlackBerry application for 
verification of their security settings.


Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all 
users apply the available software update to fully protect their system. All 
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing 
and risk analysis.

BlackBerry recommends that customers who are able to do so install the update
to secure their systems. BlackBerry recommends that customers should only 
download apps from trusted sources and should not disable security features 
such as Verify Apps.



Common Vulnerability and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerability maintained
by the MITRE Corporation.


CVSS is a vendor agnostic, industry open standard designed to convey the 
severity of vulnerability. CVSS scores may be used to determine the urgency 
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in vulnerability
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerability that may impact them 
can benefit from using the same industry-recognized CVSS metrics.

Change Log


Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967