1 page.title=Nexus Security Bulletin - September 2015 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published September 9, 2015</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process 31 (Build LMY48M). The updates for Nexus devices and source code patches for these 32 issues have also been released to the Android Open Source Project (AOSP) source 33 repository. The most severe of these issues is a Critical security 34 vulnerability that could enable remote code execution on an affected device.</p> 35 36 <p>The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. 37 Builds LMY48M or later address these issues. Partners were notified about 38 these issues on August 13, 2015 or earlier.</p> 39 40 <p>We have not detected customer exploitation of the newly reported issues. The 41 exception is the existing issue (CVE-2015-3636). Refer to the <a href="#mitigations">Mitigations</a> section for details on the 42 <a href="{@docRoot}security/enhancements/index.html">Android security platform protections,</a> and service protections such as SafetyNet, which reduce the likelihood that 43 security vulnerabilities can be successfully exploited on Android.</p> 44 45 <p>Please note that both Critical security updates (CVE-2015-3864 and 46 CVE-2015-3686) address already disclosed vulnerabilities. There are no newly 47 disclosed Critical security vulnerabilities in this update. We encourage all 48 customers to accept these updates to their devices.</p> 49 50 <h2 id=security_vulnerability_summary>Security vulnerability summary</h2> 51 52 53 <p>The table below contains a list of security vulnerabilities, the Common 54 Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 55 affected device, assuming the platform and service mitigations are disabled for 56 development purposes or if successfully bypassed.</p> 57 <table> 58 <tr> 59 <th>Issue</th> 60 <th>CVE</th> 61 <th>Severity</th> 62 </tr> 63 <tr> 64 <td>Remote Code Execution Vulnerability in Mediaserver</td> 65 <td>CVE-2015-3864 </td> 66 <td>Critical</td> 67 </tr> 68 <tr> 69 <td>Elevation of Privilege Vulnerability in Kernel</td> 70 <td>CVE-2015-3636</td> 71 <td>Critical</td> 72 </tr> 73 <tr> 74 <td>Elevation of Privilege Vulnerability in Binder</td> 75 <td>CVE-2015-3845<br /> 76 CVE-2015-1528</td> 77 <td>High</td> 78 </tr> 79 <tr> 80 <td>Elevation of Privilege Vulnerability in Keystore </td> 81 <td>CVE-2015-3863</td> 82 <td>High</td> 83 </tr> 84 <tr> 85 <td>Elevation of Privilege Vulnerability in Region</td> 86 <td>CVE-2015-3849</td> 87 <td>High</td> 88 </tr> 89 <tr> 90 <td>Elevation of Privilege vulnerability in SMS enables notification bypass.</td> 91 <td>CVE-2015-3858</td> 92 <td>High</td> 93 </tr> 94 <tr> 95 <td>Elevation of Privilege Vulnerability in Lockscreen</td> 96 <td>CVE-2015-3860</td> 97 <td>Moderate</td> 98 </tr> 99 <tr> 100 <td>Denial of Service Vulnerability in Mediaserver </td> 101 <td>CVE-2015-3861</td> 102 <td>Low</td> 103 </tr> 104 </table> 105 106 107 <h2 id=mitigations>Mitigations</h2> 108 109 110 <p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 111 likelihood that security vulnerabilities can be successfully exploited on 112 Android.</p> 113 114 <ul> 115 <li> Exploitation for many issues on Android is made more difficult by enhancements 116 in newer versions of the Android platform. We encourage all users to update to 117 the latest version of Android where possible. 118 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 119 SafetyNet which will warn about potentially harmful applications about to be 120 installed. Device rooting tools are prohibited within Google Play. To protect 121 users who install applications from outside of Google Play, Verify Apps is 122 enabled by default and will warn users about known rooting applications. Verify 123 Apps attempts to identify and block installation of known malicious 124 applications that exploit a privilege escalation vulnerability. If such an 125 application has already been installed, Verify Apps will notify the user and 126 attempt to remove any such applications. 127 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 128 pass media to processes such as mediaserver. 129 </ul> 130 131 <h2 id=acknowledgements>Acknowledgements</h2> 132 133 134 <p>We would like to thank these researchers for their contributions:</p> 135 136 <ul> 137 <li> Jordan Gruskovnjak of Exodus Intelligence (@jgrusko): CVE-2015-3864 138 <li> Micha Bednarski: CVE-2015-3845 139 <li> Guang Gong of Qihoo 360 Technology Co. Ltd (@oldfresher): CVE-2015-1528 140 <li> Brennan Lautner: CVE-2015-3863 141 <li> jgor (@indiecom): CVE-2015-3860 142 <li> Wish Wu of Trend Micro Inc. (@wish_wu): CVE-2015-3861 143 </ul> 144 145 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 146 147 148 <p>In the sections below, we provide details for each of the security 149 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 150 with the CVE, associated bug, severity, affected versions, and date reported. 151 Where available, weve linked the AOSP change that addressed the issue to the 152 bug ID. When multiple changes relate to a single bug, additional AOSP 153 references are linked to numbers following the bug ID.</p> 154 155 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 156 157 158 <p>During media file and data processing of a specially crafted file, 159 vulnerabilities in mediaserver could allow an attacker to cause memory 160 corruption and remote code execution as the mediaserver process.</p> 161 162 <p>The affected functionality is provided as a core part of the operating system 163 and there are multiple applications that allow it to be reached with remote 164 content, most notably MMS and browser playback of media.</p> 165 166 <p>This issue is rated as a Critical severity due to the possibility of remote 167 code execution within the context of the mediaserver service. The mediaserver 168 service has access to audio and video streams as well as access to privileges 169 that third-party apps cannot normally access.</p> 170 171 <p>This issue is related to the already reported CVE-2015-3824 (ANDROID-20923261). 172 The original security update was not sufficient to address a variant of this 173 originally reported issue.</p> 174 <table> 175 <tr> 176 <th>CVE</th> 177 <th>Bug with AOSP links</th> 178 <th>Severity</th> 179 <th>Affected Versions</th> 180 </tr> 181 <tr> 182 <td>CVE-2015-3864</td> 183 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968">ANDROID-23034759</a></td> 184 <td>Critical</td> 185 <td> 5.1 and below</td> 186 </tr> 187 </table> 188 189 190 <h3 id=elevation_privilege_vulnerability_in_kernel>Elevation Privilege Vulnerability in Kernel</h3> 191 192 193 <p>An elevation of privilege vulnerability in the Linux kernel's handling of ping 194 sockets could allow a malicious application to execute arbitrary code in 195 context of the kernel.</p> 196 197 <p>This issue is rated as a Critical severity due to the possibility of code 198 execution in a privileged service that can bypass device protections, 199 potentially leading to permanent compromise (i.e., requiring re-flashing the 200 system partition) on some devices.</p> 201 202 <p>This issue was first publicly identified on May 01, 2015. An exploit of this 203 vulnerability has been included in a number of rooting tools that may be used 204 by the device owner to modify the firmware on their device.</p> 205 <table> 206 <tr> 207 <th>CVE</th> 208 <th>Bug(s) with AOSP links</th> 209 <th>Severity</th> 210 <th>Affected Versions</th> 211 </tr> 212 <tr> 213 <td>CVE-2015-3636 </td> 214 <td><a href="https://github.com/torvalds/linux/commit/a134f083e79f">ANDROID-20770158</a></td> 215 <td>Critical</td> 216 <td>5.1 and below</td> 217 </tr> 218 </table> 219 220 221 <h3 id=elevation_of_privilege_vulnerability_in_binder>Elevation of Privilege Vulnerability in Binder </h3> 222 223 224 <p>An elevation of privilege vulnerability in Binder could allow a malicious 225 application to execute arbitrary code within the context of the another apps 226 process.</p> 227 228 <p>This issue is rated as High severity because it allows a malicious application 229 to gain privileges not accessible to a third-party application.</p> 230 <table> 231 <tr> 232 <th>CVE</th> 233 <th>Bug(s) with AOSP links</th> 234 <th>Severity</th> 235 <th>Affected Versions</th> 236 </tr> 237 <tr> 238 <td>CVE-2015-3845</td> 239 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20">ANDROID-17312693</a></td> 240 <td>High</td> 241 <td>5.1 and below</td> 242 </tr> 243 <tr> 244 <td>CVE-2015-1528</td> 245 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254">ANDROID-19334482</a> [<a href="https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14">2</a>]</td> 246 <td>High</td> 247 <td>5.1 and below</td> 248 </tr> 249 </table> 250 251 252 <h3 id=elevation_of_privilege_vulnerability_in_keystore>Elevation of Privilege Vulnerability in Keystore</h3> 253 254 255 <p>A elevation of privilege vulnerability in Keystore could allow a malicious 256 application to execute arbitrary code within the context of the keystore 257 service. This could allow unauthorized use of keys stored by Keystore, 258 including hardware-backed keys.</p> 259 260 <p>This issue is rated as High severity because it can be used to gain privileges 261 not accessible to a third-party application.</p> 262 <table> 263 <tr> 264 <th>CVE</th> 265 <th>Bug(s) with AOSP links</th> 266 <th>Severity</th> 267 <th>Affected Versions</th> 268 </tr> 269 <tr> 270 <td>CVE-2015-3863</td> 271 <td><a href="https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b">ANDROID-22802399</a></td> 272 <td>High</td> 273 <td>5.1 and below</td> 274 </tr> 275 </table> 276 277 278 <h3 id=elevation_of_privilege_vulnerability_in_region>Elevation of Privilege Vulnerability in Region </h3> 279 280 281 <p>An elevation of privilege vulnerability in Region could, through creation of a 282 malicious message to a service, allow a malicious application to execute 283 arbitrary code within the context of the target service.</p> 284 285 <p>This issue is rated as High severity because it can be used to gain privileges 286 not accessible to a third-party application.</p> 287 <table> 288 <tr> 289 <th>CVE</th> 290 <th>Bug(s) with AOSP links</th> 291 <th>Severity</th> 292 <th>Affected Versions</th> 293 </tr> 294 <tr> 295 <td>CVE-2015-3849</td> 296 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885">ANDROID-20883006</a> [<a href="https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3">2</a>]</td> 297 <td>High</td> 298 <td>5.1 and below</td> 299 </tr> 300 </table> 301 302 303 <h3 id=elevation_of_privilege_vulnerability_in_sms_enables_notification_bypass>Elevation of Privilege vulnerability in SMS enables notification bypass </h3> 304 305 306 <p>A elevation of privilege vulnerability in the way that Android processes SMS 307 messages could enable a malicious application to send an SMS message that 308 bypasses the premium-rate SMS warning notification.</p> 309 310 <p>This issue is rated as High severity because it can be used to gain privileges 311 not accessible to a third-party application.</p> 312 <table> 313 <tr> 314 <th>CVE</th> 315 <th>Bug(s) with AOSP links</th> 316 <th>Severity</th> 317 <th>Affected Versions</th> 318 </tr> 319 <tr> 320 <td>CVE-2015-3858</td> 321 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">ANDROID-22314646</a></td> 322 <td>High</td> 323 <td>5.1 and below</td> 324 </tr> 325 </table> 326 327 328 <h3 id=elevation_of_privilege_vulnerability_in_lockscreen>Elevation of Privilege Vulnerability in Lockscreen</h3> 329 330 331 <p>An elevation of privilege vulnerability in Lockscreen could allow a malicious 332 user to bypass the lockscreen by causing it to crash. This issue is classified 333 as a vulnerability only on Android 5.0 and 5.1. While it's possible to cause 334 the System UI to crash from the lockscreen in a similar way on 4.4, the home 335 screen cannot be accessed and the device must be rebooted to recover.</p> 336 337 <p>This issue is rated as a Moderate severity because it potentially allows 338 someone with physical access to a device to install third-party apps without 339 the device's owner approving the permissions. It can also allow the attacker to 340 view contact data, phone logs, SMS messages, and other data that is normally 341 protected with a "dangerous" level permission.</p> 342 <table> 343 <tr> 344 <th>CVE</th> 345 <th>Bug(s) with AOSP links</th> 346 <th>Severity</th> 347 <th>Affected Versions</th> 348 </tr> 349 <tr> 350 <td>CVE-2015-3860</td> 351 <td><a href="https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590">ANDROID-22214934</a></td> 352 <td>Moderate</td> 353 <td>5.1 and 5.0</td> 354 </tr> 355 </table> 356 357 358 <h3 id=denial_of_service_vulnerability_in_mediaserver>Denial of Service Vulnerability in Mediaserver</h3> 359 360 361 <p>A denial of service vulnerability in mediaserver could allow a local attacker 362 to temporarily block access to an affected device.</p> 363 364 <p>This issue is rated as a Low severity because a user could reboot into safe 365 mode to remove a malicious application that is exploiting this issue. It is 366 also possible to cause mediaserver to process the malicious file remotely 367 through the web or over MMS, in that case the mediaserver process crashes and 368 the device remains usable.</p> 369 <table> 370 <tr> 371 <th>CVE</th> 372 <th>Bug(s) with AOSP links</th> 373 <th>Severity</th> 374 <th>Affected Versions</th> 375 </tr> 376 <tr> 377 <td>CVE-2015-3861</td> 378 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0">ANDROID-21296336</a></td> 379 <td>Low</td> 380 <td>5.1 and below</td> 381 </tr> 382 </table> 383 384 385
