1 page.title=Nexus Security Bulletin - November 2015 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published November 02, 2015</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process. 31 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48X or later and Android Marshmallow with Security Patch Level of 32 November 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 33 34 <p>Partners were notified about these issues on October 5, 2015 or earlier. Source 35 code patches for these issues will be released to the Android Open Source 36 Project (AOSP) repository over the next 48 hours. We will revise this bulletin 37 with the AOSP links when they are available.</p> 38 39 <p>The most severe of these issues is a Critical security vulnerability that could 40 enable remote code execution on an affected device through multiple methods 41 such as email, web browsing, and MMS when processing media files.</p> 42 43 <p>We have had no reports of active customer exploitation of these newly reported 44 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 45 Android platform. We encourage all customers to accept these updates to their 46 devices.</p> 47 48 <h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 49 50 51 <p>The table below contains a list of security vulnerabilities, the Common 52 Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 53 affected device, assuming the platform and service mitigations are disabled for 54 development purposes or if successfully bypassed. </p> 55 <table> 56 <tr> 57 <th>Issue</th> 58 <th>CVE</th> 59 <th>Severity</th> 60 </tr> 61 <tr> 62 <td>Remote Code Execution Vulnerabilities in Mediaserver</td> 63 <td>CVE-2015-6608</td> 64 <td>Critical</td> 65 </tr> 66 <tr> 67 <td>Remote Code Execution Vulnerability in libutils</td> 68 <td>CVE-2015-6609</td> 69 <td>Critical</td> 70 </tr> 71 <tr> 72 <td>Information Disclosure Vulnerabilities in Mediaserver </td> 73 <td>CVE-2015-6611</td> 74 <td>High</td> 75 </tr> 76 <tr> 77 <td>Elevation of Privilege Vulnerability in libstagefright</td> 78 <td>CVE-2015-6610</td> 79 <td>High</td> 80 </tr> 81 <tr> 82 <td>Elevation of Privilege Vulnerability in libmedia</td> 83 <td>CVE-2015-6612</td> 84 <td>High</td> 85 </tr> 86 <tr> 87 <td>Elevation of Privilege Vulnerability in Bluetooth</td> 88 <td>CVE-2015-6613</td> 89 <td>High</td> 90 </tr> 91 <tr> 92 <td>Elevation of Privilege Vulnerability in Telephony</td> 93 <td>CVE-2015-6614</td> 94 <td>Moderate</td> 95 </tr> 96 </table> 97 98 99 <p>The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 100 affected device, assuming the platform and service mitigations are disabled for 101 development purposes or if successfully bypassed. </p> 102 103 <h2 id=mitigations>Mitigations</h2> 104 105 106 <p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 107 likelihood that security vulnerabilities can be successfully exploited on 108 Android. </p> 109 110 <ul> 111 <li> Exploitation for many issues on Android is made more difficult by enhancements 112 in newer versions of the Android platform. We encourage all users to update to 113 the latest version of Android where possible. 114 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 115 SafetyNet which will warn about potentially harmful applications about to be 116 installed. Device rooting tools are prohibited within Google Play. To protect 117 users who install applications from outside of Google Play, Verify Apps is 118 enabled by default and will warn users about known rooting applications. Verify 119 Apps attempts to identify and block installation of known malicious 120 applications that exploit a privilege escalation vulnerability. If such an 121 application has already been installed, Verify Apps will notify the user and 122 attempt to remove any such applications. 123 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 124 pass media to processes such as mediaserver. 125 </ul> 126 127 <h2 id=acknowledgements>Acknowledgements</h2> 128 129 130 <p>We would like to thank these researchers for their contributions:</p> 131 132 <ul> 133 <li> Abhishek Arya, Oliver Chang and Martin Barbella, Google Chrome Security Team: 134 CVE-2015-6608 135 <li> Daniel Micay (daniel.micay (a] copperhead.co) at Copperhead Security: CVE-2015-6609 136 <li> Dongkwan Kim of System Security Lab, KAIST (dkay (a] kaist.ac.kr): CVE-2015-6614 137 <li> Hongil Kim of System Security Lab, KAIST (hongilk (a] kaist.ac.kr): CVE-2015-6614 138 <li> Jack Tang of Trend Micro (@jacktang310): CVE-2015-6611 139 <li> Peter Pi of Trend Micro: CVE-2015-6611 140 <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6608 141 <li> Qidan He (@flanker_hqd) and Wen Xu (@antlr7) from KeenTeam (@K33nTeam, 142 http://k33nteam.org/): CVE-2015-6612 143 <li> Guang Gong (龚广) (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang (a] gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology CC 144 o.Ltd</a>: CVE-2015-6612 145 <li> Seven Shen of Trend Micro: CVE-2015-6610 146 </ul> 147 148 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 149 150 151 <p>In the sections below, we provide details for each of the security 152 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 153 with the CVE, associated bug, severity, affected versions, and date reported. 154 Where available, weve linked the AOSP change that addressed the issue to the 155 bug ID. When multiple changes relate to a single bug, additional AOSP 156 references are linked to numbers following the bug ID.</p> 157 158 <h3 id=remote_code_execution_vulnerabilities_in_mediaserver>Remote Code Execution Vulnerabilities in Mediaserver</h3> 159 160 161 <p>During media file and data processing of a specially crafted file, 162 vulnerabilities in mediaserver could allow an attacker to cause memory 163 corruption and remote code execution as the mediaserver process.</p> 164 165 <p>The affected functionality is provided as a core part of the operating system 166 and there are multiple applications that allow it to be reached with remote 167 content, most notably MMS and browser playback of media.</p> 168 169 <p>This issue is rated as a Critical severity due to the possibility of remote 170 code execution within the context of the mediaserver service. The mediaserver 171 service has access to audio and video streams as well as access to privileges 172 that third-party apps cannot normally access.</p> 173 <table> 174 <tr> 175 <th>CVE</th> 176 <th>Bug(s) with AOSP links</th> 177 <th>Severity</th> 178 <th>Affected versions</th> 179 <th>Date reported</th> 180 </tr> 181 <tr> 182 <td rowspan="6">CVE-2015-6608</td> 183 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8ec845c8fe0f03bc57c901bc484541bdd6a7cf80">ANDROID-19779574</a></td> 184 <td rowspan="3">Critical</td> 185 <td rowspan="3">5.0, 5.1, 6.0</td> 186 <td rowspan="3">Google Internal</td> 187 </tr> 188 <tr> 189 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c6a2815eadfce62702d58b3fa3887f24c49e1864">ANDROID-23680780</a></td> 190 </tr> 191 <tr> 192 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Faac/+/b3c5a4bb8442ab3158fa1f52b790fadc64546f46">ANDROID-23876444</a></td> 193 </tr> 194 <tr> 195 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd">ANDROID-23881715</a></td> 196 <td>Critical</td> 197 <td>4.4, 5.0, 5.1, 6.0</td> 198 <td>Google Internal</td> 199 </tr> 200 <tr> 201 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872">ANDROID-14388161</a></td> 202 <td>Critical</td> 203 <td>4.4 and 5.1</td> 204 <td>Google Internal</td> 205 </tr> 206 <tr> 207 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f3eb82683a80341f5ac23057aab733a57963cab2">ANDROID-23658148</a></td> 208 <td>Critical</td> 209 <td>5.0, 5.1, 6.0</td> 210 <td>Google Internal</td> 211 </tr> 212 </table> 213 214 215 <h3 id=remote_code_execution_vulnerability_in_libutils>Remote Code Execution Vulnerability in libutils</h3> 216 217 218 <p>A vulnerability in libutils, a generic library, can be exploited during audio 219 file processing. This vulnerability could allow an attacker, during processing 220 of a specially crafted file, to cause memory corruption and remote code 221 execution.</p> 222 223 <p>The affected functionality is provided as an API and there are multiple 224 applications that allow it to be reached with remote content, most notably MMS 225 and browser playback of media. This issue is rated as a Critical severity issue 226 due to the possibility of remote code execution in a privileged service. The 227 affected component has access to audio and video streams as well as access to 228 privileges that third-party apps cannot normally access.</p> 229 230 <table> 231 <tr> 232 <th>CVE</th> 233 <th>Bug(s) with AOSP links</th> 234 <th>Severity</th> 235 <th>Affected versions</th> 236 <th>Date reported</th> 237 </tr> 238 <tr> 239 <td>CVE-2015-6609</td> 240 <td><a href="https://android.googlesource.com/platform%2Fbootable%2Frecovery/+/ec63d564a86ad5b30f75aa307b4bd271f6a96a56">ANDROID-22953624</a> 241 [<a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/419e6c3c68413bd6dbb6872340b2ae0d69a0fd60">2</a>]</td> 242 <td>Critical</td> 243 <td>6.0 and below</td> 244 <td>Aug 3, 2015</td> 245 </tr> 246 </table> 247 248 249 <h3 id=information_disclosure_vulnerabilities_in_mediaserver>Information Disclosure Vulnerabilities in Mediaserver</h3> 250 251 252 <p>There are information disclosure vulnerabilities in mediaserver that can permit 253 a bypass of security measures in place to increase the difficulty of attackers 254 exploiting the platform.</p> 255 <table> 256 <tr> 257 <th>CVE</th> 258 <th>Bug(s) with AOSP links</th> 259 <th>Severity</th> 260 <th>Affected versions</th> 261 <th>Date reported</th> 262 </tr> 263 <tr> 264 <td rowspan="12">CVE-2015-6611</td> 265 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/1c7719820359f4190cd4bfd1a24d521face7b4f8">ANDROID-23905951</a> 266 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3b76870d146b1350db8a2f7797e06897c8c92dc2">2</a>] 267 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/40715a2ee896edd2df4023d9f6f586977887d34c">3</a>] </td> 268 <td rowspan="3">High</td> 269 <td rowspan="3">6.0 and below</td> 270 <td rowspan="3">Sep 07, 2015</td> 271 </tr> 272 <tr> 273 <td>ANDROID-23912202*</td> 274 </tr> 275 <tr> 276 <td>ANDROID-23953967*</td> 277 </tr> 278 <tr> 279 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/b414255f53b560a06e642251535b019327ba0d7b">ANDROID-23696300</a></td> 280 <td>High</td> 281 <td>6.0 and below</td> 282 <td>Aug 31, 2015</td> 283 </tr> 284 <tr> 285 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/09ed70fab1f1424971ccc105dcdf5be5ce2e2643">ANDROID-23600291</a></td> 286 <td>High</td> 287 <td>6.0 and below</td> 288 <td>Aug 26, 2015</td> 289 </tr> 290 <tr> 291 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/892354335d49f0b9fcd10e20e0c13e3cd0f1f1cb">ANDROID-23756261</a> 292 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/a946d844a77906072f5eb7093d41db465d6514bb">2</a>]</td> 293 <td>High</td> 294 <td>6.0 and below</td> 295 <td>Aug 26, 2015</td> 296 </tr> 297 <tr> 298 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/57bed83a539535bb64a33722fb67231119cb0618">ANDROID-23540907</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/25a634427dec455b79d73562131985ae85b98c43">2</a>]</td> 299 <td>High</td> 300 <td>5.1 and below</td> 301 <td>Aug 25, 2015</td> 302 </tr> 303 <tr> 304 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d53aced041b7214a92b1f2fd5970d895bb9934e5">ANDROID-23541506</a></td> 305 <td rowspan="4">High</td> 306 <td rowspan="4">6.0 and below</td> 307 <td rowspan="4">Aug 25, 2015</td> 308 </tr> 309 <tr> 310 <td>ANDROID-23284974*</td> 311 </tr> 312 <tr> 313 <td>ANDROID-23542351*</td> 314 </tr> 315 <tr> 316 <td>ANDROID-23542352*</td> 317 </tr> 318 <tr> 319 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0981df6e3db106bfb7a56a2b668c012fcc34dd2c">ANDROID-23515142</a></td> 320 <td>High</td> 321 <td>5.1 and below</td> 322 <td>Aug 19, 2015</td> 323 </tr> 324 </table> 325 <p>* The patch for this bug is included in other provided AOSP links.</p> 326 327 <h3 id=elevation_of_privilege_vulnerability_in_libstagefright>Elevation of Privilege Vulnerability in libstagefright</h3> 328 329 330 <p>There is an elevation of privilege vulnerability in libstagefright that can 331 enable a local malicious application to cause memory corruption and arbitrary 332 code execution within the context of the mediaserver service. While this issue 333 would normally be rated Critical, we have assessed this issue as High 334 severity because of a lower likelihood that it can be exploited remotely.</p> 335 <table> 336 <tr> 337 <th>CVE</th> 338 <th>Bug(s) with AOSP links</th> 339 <th>Severity</th> 340 <th>Affected versions</th> 341 <th>Date reported</th> 342 </tr> 343 <tr> 344 <td>CVE-2015-6610</td> 345 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d26052738f7b095b7e318c8dde7f32db0a48450c">ANDROID-23707088</a> 346 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/820c105f7a4dc0971ee563caea4c9b346854a2f7">2</a>]</td> 347 <td>High</td> 348 <td>6.0 and below</td> 349 <td>Aug 19, 2015</td> 350 </tr> 351 </table> 352 353 354 <h3 id=elevation_of_privilege_vulnerability_in_libmedia>Elevation of Privilege Vulnerability in libmedia</h3> 355 356 357 <p>There is a vulnerability in libmedia that can enable a local malicious 358 application to execute arbitrary code within the context of the mediaserver 359 service. This issue is rated as High severity because it can be used to access 360 privileges which are not directly accessible to a third-party application. </p> 361 <table> 362 <tr> 363 <th>CVE</th> 364 <th>Bug(s) with AOSP links</th> 365 <th>Severity</th> 366 <th>Affected versions</th> 367 <th>Date reported</th> 368 </tr> 369 <tr> 370 <td>CVE-2015-6612</td> 371 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4b219e9e5ab237eec9931497cf10db4d78982d84">ANDROID-23540426</a></td> 372 <td>High</td> 373 <td>6.0 and below</td> 374 <td>Aug 23, 2015</td> 375 </tr> 376 </table> 377 378 379 <h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3> 380 381 382 <p>There is a vulnerability in Bluetooth that can enable a local application to 383 send commands to a listening debug port on the device. This issue is rated as 384 High severity because it can be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 385 <table> 386 <tr> 387 <th>CVE</th> 388 <th>Bug(s) with AOSP links</th> 389 <th>Severity</th> 390 <th>Affected versions</th> 391 <th>Date reported</th> 392 </tr> 393 <tr> 394 <td>CVE-2015-6613</td> 395 <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fbt/+/74dad51510f7d7b05c6617ef88168bf0bbdf3fcd">ANDROID-24371736</a></td> 396 <td>High</td> 397 <td>6.0</td> 398 <td>Google Internal</td> 399 </tr> 400 </table> 401 402 403 <h3 id=elevation_of_privilege_vulnerability_in_telephony> 404 Elevation Of Privilege Vulnerability in Telephony</h3> 405 406 407 <p>A vulnerability in the Telephony component that can enable a local malicious 408 application to pass unauthorized data to the restricted network interfaces, 409 potentially impacting data charges. It could also prevent the device from 410 receiving calls as well as allowing an attacker to control the mute settings of 411 calls. This issue is rated as Moderate severity because it can be used to 412 improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions. </p> 413 <table> 414 <tr> 415 <th>CVE</th> 416 <th>Bug(s) with AOSP links</th> 417 <th>Severity</th> 418 <th>Affected versions</th> 419 <th>Date reported</th> 420 </tr> 421 <tr> 422 <td>CVE-2015-6614</td> 423 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Ftelephony/+/70dd1f77873913635288e513564a6c93ae4d0a26">ANDROID-21900139</a> 424 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/a12044215b1148826ea9a88d5d1102378b13922f">2</a>] 425 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/2b6af396ad14def9a967f62cccc87ee715823bb1">3</a>]</td> 426 <td>Moderate</td> 427 <td>5.0, 5.1</td> 428 <td>Jun 8, 2015</td> 429 </tr> 430 </table> 431 432 433 <h3 id=common_questions_and_answers>Common Questions and Answers</h3> 434 435 436 <p>This section will review answers to common questions that may occur after 437 reading this bulletin.</p> 438 439 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 440 441 <p>Builds LMY48X or later and Android Marshmallow with Security Patch Level of 442 November 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 443 manufacturers that include these updates should set the patch string level to: 444 [ro.build.version.security_patch]:[2015-11-01]</p> 445 446 <h2 id=revisions>Revisions</h2> 447 448 <ul> 449 <li> November 02, 2015: Originally Published 450 </ul> 451
