Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1970
BSRT-2016-007 Vulnerability in Qualcomm kernel driver
impacts BlackBerry powered by Android smartphones
16 August 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry powered by Android
Publisher: BlackBerry
Operating System: BlackBerry Device
Android
Impact/Access: Root Compromise -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5340
Original Bulletin:
http://support.blackberry.com/kb/articleDetail?articleNumber=000038385
- --------------------------BEGIN INCLUDED TEXT--------------------
BSRT-2016-007 Vulnerability in Qualcomm kernel driver impacts BlackBerry
powered by Android smartphones
Article Number: 000038385
First Published: August 15, 2016
Last Modified: August 15, 2016
Type: Security Advisory
Overview
This advisory addresses an industry-wide local elevation of privilege
vulnerability (ASHmenian Devil) that has been discovered in BlackBerry powered
by Android smartphones. BlackBerry is not aware of any exploitation of this
vulnerability. BlackBerry customer risk is limited by the inability of a
potential attacker to force exploitation of the vulnerability without customer
interaction. Successful exploitation requires an attacker craft a malicious
application (app) and that a user install the malicious app. If the
requirements are met for exploitation, an attacker could potentially gain
non-persistent locally elevated privileges. After installing the recommended
software update, affected customers will be fully protected from this
vulnerability.
Who Should Read This Advisory?
- - BlackBerry powered by Android smartphone users
- - IT administrators who deploy BlackBerry powered by Android smartphones
Who Should Apply The Software Fix(es)?
- - BlackBerry powered by Android smartphone users
- - IT administrators who deploy BlackBerry powered by Android smartphones
More Information
What is the ASHmenian Devil vulnerability?
The vulnerability known as ASHmenian Devil is one of four vulnerabilities
(collectively known as QuadRooter) that were disclosed at the DefCon 24
security conference. Three of the four QuadRooter vulnerabilities were fixed
at, or before, the August 5, 2016 Android security patch level on the
BlackBerry PRIV. The same vulnerabilities are fixed in all software versions
on BlackBerry DTEK50.
Have any BlackBerry customers been subject to an attack that exploits this
vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry smartphone
customers using this vulnerability.
What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes
details of a software update in a security advisory after the fix is
available. Publishing this advisory ensures that our customers can protect
themselves by updating their software or employing available workarounds if
updating is not possible.
Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit www.blackberry.com/security
and www.blackberry.com/bbsirt.
Affected Products and Resolutions
Read the following to determine if your BlackBerry powered by Android
smartphone is affected.
Affected Products
- - BlackBerry powered by Android smartphones running builds earlier than AAG111
Non Affected Products
- - BlackBerry powered by Android smartphones running build AAG111 and later
Resolution
An updated software version is available immediately for affected BlackBerry
smartphones that have been purchased from ShopBlackBerry.com. The updated
software version can be identified with the following build ID:
- - Build AAG111 and later
If your BlackBerry PRIV or DTEK50 smartphone was purchased from a source other
than ShopBlackBerry.com, please contact that retailer or carrier directly for
availability information.
A third party application reports a software version as vulnerable when the
advisory document lists it as not affected. Why is this?
BlackBerry is not responsible for third party applications but is aware that
some applications check component versions rather than attempting to reproduce
a vulnerability. Since this approach does not account for differences in
specific implementations, it is possible for these tests to give a false
positive response. BlackBerry has extensively tested these patches and can
confirm that the fix versions that are listed in this advisory are unaffected
by the QuadRooter issues, including ASHmenian Devil.
Vulnerability Information
A local elevation of privilege vulnerability exists in a Qualcomm kernel
driver used in affected versions of BlackBerry powered by Android smartphones.
The kernel driver allows shared memory regions to be created for inter-process
communication.
In order to exploit this vulnerability, an attacker must craft a specifically
designed malicious app. The attacker must then persuade a user to download and
install the malicious app.
Successful exploitation of this vulnerability could result in an attacker
gaining non-persistent elevated local privileges on the smartphone.
This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score of
5.5. View the linked Common Vulnerability and Exposures (CVE) identifiers for
a description of the security issue that this security advisory addresses.
CVE identifier CVSSv2 score
CVE-2016-5340 5.5
Mitigations
Mitigations are existing conditions that a potential attacker would need to
overcome to mount a successful attack or that would limit the severity of an
attack. Examples of such conditions include default settings, common
configurations, and general best practices.
This vulnerability is mitigated for all customers by the requirement that an
attacker must persuade a user to install a local app running malicious code on
the smartphone. An attacker cannot force the user to install a malicious app
and the user can only do so if they have turned off the Verify Apps and
SafetyNet features. BlackBerry is not aware of any such malicious app
exploiting this vulnerability.
Additionally, there are no remote vectors for this vulnerability.
Further, BlackBerry powered by Android smartphones use a unique security
system to prevent persistent compromise. Attempts to use this vulnerability to
gain persistent local elevated privileges on a BlackBerry Android smartphone
are likely to fail with an error. Any compromise would not persist after a
reboot.
Finally, side-loading apps on BlackBerry Android smartphones is not permitted
by default; users should check the DTEK by BlackBerry application for
verification of their security settings.
Workarounds
Workarounds are settings or configuration changes that a user or administrator
can apply to help protect against an attack. BlackBerry recommends that all
users apply the available software update to fully protect their system. All
workarounds should be considered temporary measures for customers to apply if
they cannot install the update immediately or must perform standard testing
and risk analysis.
BlackBerry recommends that customers who are able to do so install the update
to secure their systems. BlackBerry recommends that customers should only
download apps from trusted sources and should not disable security features
such as Verify Apps.
Definitions
CVE
Common Vulnerability and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerability maintained
by the MITRE Corporation.
CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerability. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in vulnerability
assessments to present an immutable characterization of security issues.
BlackBerry assigns all relevant security issues a non-zero score. Customers
performing their own risk assessments of vulnerability that may impact them
can benefit from using the same industry-recognized CVSS metrics.
Change Log
08-15-2016
Initial publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV7JoAYx+lLeg9Ub1AQgc8A/+IycgIK9/HqeTAlvWd61OnwPYstGvRWzb
is9oxvfdsYGGT9Pr7+eQeZVAbqTTxrhi3RpPZwoFfJNHps3SB+60MpSf614yQghU
1XWH3718xVQmN7IRNHM3H+T9dYlMcb+JhKOHEJXrgjpRcz8cSz4DjSq23OUB0PoT
RoYY2PadGSe2elyTH5S1j/vVY6tQORrPhY6+UEKnI3IgDHibY3Ri7RfO7C+IcV+7
bla/7rdU2h3HYguhlthPdyWgm3lDE8rwdgEI1zA00mgt2guJ+t16sYh219FtzTer
Nm9wRPXdkYI5vx7G0wX+0ZKnCJ8pSjNFIL40xviuJhS3zEE1KTMZERgM61HFMMbD
fkyuXYl3XSotKJzfvNICVCpt2GH6Kd3FIxgK9KD+IwqiL/T4wHzIktpI7irb7oWG
3Mfh0h9aKq/bnsj3BSHgC9IdVNoytwsH7Qmf9+5QGFuWdzO+58+6iYdg+xhbJTAT
2O+BWaMDhytNzegnyi4LN+eK/ZOZilNYMnQ36pL+awsuS/fhKgkXjypEIOa3KCCC
FbkcYOmdIsYyLrsUagwYkK+zuf5tgb6QVxuEOTjzcNfzb9lXgfN33tp3zsUkI/XV
m6a8ljtckkJJygQwgJDR87+Ei3otq4n1RHYUaVX7l/hHd2zbvPt6T+ZPxIoNixEG
SpLXpNuIZxs=
=cXEz
-----END PGP SIGNATURE-----