1 page.title=Nexus Security Bulletin - December 2015 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published December 07, 2015 | Updated December 22, 2015</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process. 31 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48Z or later and Android 6.0 with Security Patch Level of 32 December 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 33 34 <p>Partners were notified about and provided updates for these issues on November 35 2, 2015 or earlier. Where applicable, source code patches for these issues have been released to 36 the Android Open Source Project (AOSP) repository.</p> 37 38 <p>The most severe of these issues is a Critical security vulnerability that could 39 enable remote code execution on an affected device through multiple methods 40 such as email, web browsing, and MMS when processing media files.</p> 41 42 <p>We have had no reports of active customer exploitation of these newly reported 43 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 44 Android platform. We encourage all customers to accept these updates to their 45 devices.</p> 46 47 <h2 id="security_vulnerability_summary">Security Vulnerability Summary</h2> 48 49 <p>The table below contains a list of security vulnerabilities, the Common 50 Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 51 affected device, assuming the platform and service mitigations are disabled for 52 development purposes or if successfully bypassed.</p> 53 <table> 54 <tr> 55 <th>Issue</th> 56 <th>CVE</th> 57 <th>Severity</th> 58 </tr> 59 <tr> 60 <td>Remote Code Execution Vulnerability in Mediaserver</td> 61 <td>CVE-2015-6616</td> 62 <td>Critical</td> 63 </tr> 64 <tr> 65 <td>Remote Code Execution Vulnerability in Skia</td> 66 <td>CVE-2015-6617</td> 67 <td>Critical</td> 68 </tr> 69 <tr> 70 <td>Elevation of Privilege in Kernel</td> 71 <td>CVE-2015-6619</td> 72 <td>Critical</td> 73 </tr> 74 <tr> 75 <td>Remote Code Execution Vulnerabilities in Display Driver</td> 76 <td>CVE-2015-6633<br> 77 CVE-2015-6634</td> 78 <td>Critical</td> 79 </tr> 80 <tr> 81 <td>Remote Code Execution Vulnerability in Bluetooth</td> 82 <td>CVE-2015-6618</td> 83 <td>High</td> 84 </tr> 85 <tr> 86 <td>Elevation of Privilege Vulnerabilities in libstagefright</td> 87 <td>CVE-2015-6620 </td> 88 <td>High</td> 89 </tr> 90 <tr> 91 <td>Elevation of Privilege Vulnerability in SystemUI</td> 92 <td>CVE-2015-6621</td> 93 <td>High</td> 94 </tr> 95 <tr> 96 <td>Elevation of Privilege Vulnerability in Native Frameworks Library</td> 97 <td>CVE-2015-6622</td> 98 <td>High</td> 99 </tr> 100 <tr> 101 <td>Elevation of Privilege Vulnerability in Wi-Fi</td> 102 <td>CVE-2015-6623</td> 103 <td>High</td> 104 </tr> 105 <tr> 106 <td>Elevation of Privilege Vulnerability in System Server</td> 107 <td>CVE-2015-6624</td> 108 <td>High</td> 109 </tr> 110 <tr> 111 <td>Information Disclosure Vulnerabilities in libstagefright</td> 112 <td>CVE-2015-6626<br> 113 CVE-2015-6631<br> 114 CVE-2015-6632</td> 115 <td>High</td> 116 </tr> 117 <tr> 118 <td>Information Disclosure Vulnerability in Audio</td> 119 <td>CVE-2015-6627</td> 120 <td>High</td> 121 </tr> 122 <tr> 123 <td>Information Disclosure Vulnerability in Media Framework</td> 124 <td>CVE-2015-6628</td> 125 <td>High</td> 126 </tr> 127 <tr> 128 <td>Information Disclosure Vulnerability in Wi-Fi</td> 129 <td>CVE-2015-6629</td> 130 <td>High</td> 131 </tr> 132 <tr> 133 <td>Elevation of Privilege Vulnerability in System Server</td> 134 <td>CVE-2015-6625</td> 135 <td>Moderate</td> 136 </tr> 137 <tr> 138 <td>Information Disclosure Vulnerability in SystemUI</td> 139 <td>CVE-2015-6630</td> 140 <td>Moderate</td> 141 </tr> 142 </table> 143 144 145 <h2 id="mitigations">Mitigations</h2> 146 147 148 <p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 149 likelihood that security vulnerabilities could be successfully exploited on 150 Android.</p> 151 152 <ul> 153 <li> Exploitation for many issues on Android is made more difficult by enhancements 154 in newer versions of the Android platform. We encourage all users to update to 155 the latest version of Android where possible.</li> 156 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 157 SafetyNet which will warn about potentially harmful applications about to be 158 installed. Device rooting tools are prohibited within Google Play. To protect 159 users who install applications from outside of Google Play, Verify Apps is 160 enabled by default and will warn users about known rooting applications. Verify 161 Apps attempts to identify and block installation of known malicious 162 applications that exploit a privilege escalation vulnerability. If such an 163 application has already been installed, Verify Apps will notify the user and 164 attempt to remove any such applications.</li> 165 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 166 pass media to processes such as mediaserver.</li> 167 </ul> 168 169 <h2 id="acknowledgements">Acknowledgements</h2> 170 171 <p>We would like to thank these researchers for their contributions:</p> 172 173 <ul> 174 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 175 Team: CVE-2015-6616, CVE-2015-6617, CVE-2015-6623, CVE-2015-6626, 176 CVE-2015-6619, CVE-2015-6633, CVE-2015-6634 177 <li> Flanker (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6620 178 <li> Guang Gong () (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang (a] gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology Co.Ltd</a>: CVE-2015-6626 179 <li> Mark Carter (<a href="https://twitter.com/hanpingchinese">@hanpingchinese</a>) of EmberMitre Ltd: CVE-2015-6630 180 <li> Micha Bednarski (<a href="https://github.com/michalbednarski">https://github.com/michalbednarski</a>): CVE-2015-6621 181 <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6616 182 <li> Peter Pi of Trend Micro: CVE-2015-6616, CVE-2015-6628 183 <li> Qidan He (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) and Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6622 184 <li> Tzu-Yin (Nina) Tai: CVE-2015-6627 185 <li> Joaqun Rinaudo (<a href="https://twitter.com/xeroxnir">@xeroxnir</a>) of Programa 186 STIC at Fundacin Dr. Manuel Sadosky, Buenos Aires, Argentina: CVE-2015-6631 187 </ul> 188 189 <h2 id="security_vulnerability_details">Security Vulnerability Details</h2> 190 191 <p>In the sections below, we provide details for each of the security 192 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 193 with the CVE, associated bug, severity, updated versions, and date reported. 194 When available, we will link the AOSP change that addressed the issue to the 195 bug ID. When multiple changes relate to a single bug, additional AOSP 196 references are linked to numbers following the bug ID.</p> 197 198 <h3 id="remote_code_execution_vulnerabilities_in_mediaserver">Remote Code Execution Vulnerabilities in Mediaserver</h3> 199 200 201 <p>During media file and data processing of a specially crafted file, 202 vulnerabilities in mediaserver could allow an attacker to cause memory 203 corruption and remote code execution as the mediaserver process.</p> 204 205 <p>The affected functionality is provided as a core part of the operating system 206 and there are multiple applications that allow it to be reached with remote 207 content, most notably MMS and browser playback of media.</p> 208 209 <p>This issue is rated as a Critical severity due to the possibility of remote 210 code execution within the context of the mediaserver service. The mediaserver 211 service has access to audio and video streams as well as access to privileges 212 that third-party apps cannot normally access.</p> 213 <table> 214 <tr> 215 <th>CVE</th> 216 <th>Bug(s) with AOSP links</th> 217 <th>Severity</th> 218 <th>Updated versions</th> 219 <th>Date reported</th> 220 </tr> 221 <tr> 222 <td rowspan="5">CVE-2015-6616</td> 223 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/257b3bc581bbc65318a4cc2d3c22a07a4429dc1d">ANDROID-24630158</a></td> 224 <td>Critical</td> 225 <td>6.0 and below</td> 226 <td>Google Internal</td> 227 </tr> 228 <tr> 229 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0d35dd2068d6422c3c77fb68f248cbabf3d0b10c">ANDROID-23882800</a></td> 230 <td>Critical</td> 231 <td>6.0 and below</td> 232 <td>Google Internal</td> 233 </tr> 234 <tr> 235 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dedaca6f04ac9f95fabe3b64d44cd1a2050f079e">ANDROID-17769851</a></td> 236 <td>Critical</td> 237 <td>5.1 and below</td> 238 <td>Google Internal</td> 239 </tr> 240 <tr> 241 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5d101298d8b0a78a1dc5bd26dbdada411f4ecd4d">ANDROID-24441553</a></td> 242 <td>Critical</td> 243 <td>6.0 and below</td> 244 <td>Sep 22, 2015</td> 245 </tr> 246 <tr> 247 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005">ANDROID-24157524</a></td> 248 <td>Critical</td> 249 <td>6.0</td> 250 <td>Sep 08, 2015</td> 251 </tr> 252 </table> 253 254 <h3 id="remote_code_execution_vulnerability_in_skia">Remote Code Execution Vulnerability in Skia</h3> 255 256 <p>A vulnerability in the Skia component may be leveraged when processing a 257 specially crafted media file, that could lead to memory corruption and remote 258 code execution in a privileged process. This issue is rated as a Critical 259 severity due to the possibility of remote code execution through multiple 260 attack methods such as email, web browsing, and MMS when processing media 261 files.</p> 262 <table> 263 <tr> 264 <th>CVE</th> 265 <th>Bug(s) with AOSP links</th> 266 <th>Severity</th> 267 <th>Updated versions</th> 268 <th>Date reported</th> 269 </tr> 270 <tr> 271 <td>CVE-2015-6617</td> 272 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fskia/+/a1d8ac0ac0af44d74fc082838936ec265216ab60">ANDROID-23648740</a></td> 273 <td>Critical</td> 274 <td>6.0 and below</td> 275 <td>Google internal</td> 276 </tr> 277 </table> 278 279 <h3 id="elevation_of_privilege_in_kernel">Elevation of Privilege in Kernel</h3> 280 281 <p>An elevation of privilege vulnerability in the system kernel could enable a 282 local malicious application to execute arbitrary code within the device root 283 context. This issue is rated as a Critical severity due to the possibility of a 284 local permanent device compromise and the device could only be repaired by 285 re-flashing the operating system.</p> 286 <table> 287 <tr> 288 <th>CVE</th> 289 <th>Bug(s) with AOSP links</th> 290 <th>Severity</th> 291 <th>Updated versions</th> 292 <th>Date reported</th> 293 </tr> 294 <tr> 295 <td>CVE-2015-6619</td> 296 <td><a href ="https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4">ANDROID-23520714</a></td> 297 <td>Critical</td> 298 <td>6.0 and below</td> 299 <td>Jun 7, 2015</td> 300 </tr> 301 </table> 302 303 <h3 id="remote_code_execution_vulnerabilities_in_display_driver"> 304 Remote Code Execution Vulnerabilities in Display Driver</h3> 305 306 <p>There are vulnerabilities in the display drivers that, when processing a media 307 file, could cause memory corruption and potential arbitrary code execution in 308 the context of the user mode driver loaded by mediaserver. This issue is rated 309 as a Critical severity due to the possibility of remote code execution through 310 multiple attack methods such as email, web browsing, and MMS when processing 311 media files.</p> 312 <table> 313 <tr> 314 <th>CVE</th> 315 <th>Bug(s) with AOSP links</th> 316 <th>Severity</th> 317 <th>Updated versions</th> 318 <th>Date reported</th> 319 </tr> 320 <tr> 321 <td>CVE-2015-6633</td> 322 <td>ANDROID-23987307*</td> 323 <td>Critical</td> 324 <td>6.0 and below</td> 325 <td>Google Internal</td> 326 </tr> 327 <tr> 328 <td>CVE-2015-6634</td> 329 <td><a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/25016fd2865943dec1a6b2b167ef85c772fb90f7">ANDROID-24163261</a> [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/0787bc222a016e944f01492c2dd04bd03c1da6af">2</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/95c2601aab7f27505e8b086fdd1f1dce31091e5d">3</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/45660529af1f4063a00e84aa2361649e6a9a878c">4</a>]</td> 330 <td>Critical</td> 331 <td>5.1 and below</td> 332 <td>Google Internal</td> 333 </tr> 334 </table> 335 <p> *The patch for this issue is not in AOSP. The update is contained in the 336 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 337 338 <h3 id="remote_code_execution_vulnerability_in_bluetooth">Remote Code Execution Vulnerability in Bluetooth</h3> 339 340 <p>A vulnerability in Android's Bluetooth component could allow remote code 341 execution. However multiple manual steps are required before this could occur. 342 In order to do this it would require a successfully paired device, after the 343 personal area network (PAN) profile is enabled (for example using Bluetooth 344 Tethering) and the device is paired. The remote code execution would be at the 345 privilege of the Bluetooth service. A device is only vulnerable to this issue 346 from a successfully paired device while in local proximity.</p> 347 348 <p>This issue is rated as High severity because an attacker could remotely execute 349 arbitrary code only after multiple manual steps are taken and from a locally 350 proximate attacker that had previously been allowed to pair a device.</p> 351 <table> 352 <tr> 353 <th>CVE</th> 354 <th>Bug(s) </th> 355 <th>Severity</th> 356 <th>Updated versions</th> 357 <th>Date reported</th> 358 </tr> 359 <tr> 360 <td>CVE-2015-6618</td> 361 <td>ANDROID-24595992*</td> 362 <td>High</td> 363 <td>4.4, 5.0, and 5.1</td> 364 <td>Sep 28, 2015</td> 365 </tr> 366 </table> 367 <p> *The patch for this issue is not in AOSP. The update is contained in the 368 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 369 370 <h3 id="elevation_of_privilege_vulnerabilities_in_libstagefright"> 371 Elevation of Privilege Vulnerabilities in libstagefright</h3> 372 373 <p>There are multiple vulnerabilities in libstagefright that could enable a local 374 malicious application to execute arbitrary code within the context of the 375 mediaserver service. This issue is rated as High severity because it could be 376 used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 377 applications.</p> 378 <table> 379 <tr> 380 <th>CVE</th> 381 <th>Bug(s) with AOSP links</th> 382 <th>Severity</th> 383 <th>Updated versions</th> 384 <th>Date reported</th> 385 </tr> 386 <tr> 387 <td rowspan="2">CVE-2015-6620</td> 388 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/2b8cd9cbb3e72ffd048ffdd1609fac74f61a22ac">ANDROID-24123723</a></td> 389 <td>High</td> 390 <td>6.0 and below</td> 391 <td>Sep 10, 2015</td> 392 </tr> 393 <tr> 394 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151">ANDROID-24445127</a></td> 395 <td>High</td> 396 <td>6.0 and below</td> 397 <td>Sep 2, 2015</td> 398 </tr> 399 </table> 400 401 <h3 id="elevation_of_privilege_vulnerability_in_systemui"> 402 Elevation of Privilege Vulnerability in SystemUI</h3> 403 404 <p>When setting an alarm using the clock application, a vulnerability in the 405 SystemUI component could allow an application to execute a task at an elevated 406 privilege level. This issue is rated as High severity because it could be used 407 to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 408 applications.</p> 409 <table> 410 <tr> 411 <th>CVE</th> 412 <th>Bug(s) with AOSP links</th> 413 <th>Severity</th> 414 <th>Updated versions</th> 415 <th>Date reported</th> 416 </tr> 417 <tr> 418 <td>CVE-2015-6621</td> 419 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/e70e8ac93807c51240b2cd9afed35bf454ea00b3">ANDROID-23909438</a></td> 420 <td>High</td> 421 <td>5.0, 5.1, and 6.0</td> 422 <td>Sep 7, 2015</td> 423 </tr> 424 </table> 425 426 <h3 id="information_disclosure_vulnerability_in_native_frameworks_library">Information Disclosure Vulnerability in Native Frameworks Library</h3> 427 428 <p>An information disclosure vulnerability in Android Native Frameworks Library 429 could permit a bypass of security measures in place to increase the difficulty 430 of attackers exploiting the platform. These issues are rated as High severity 431 because they could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 432 <table> 433 <tr> 434 <th>CVE</th> 435 <th>Bug(s) with AOSP links</th> 436 <th>Severity</th> 437 <th>Updated versions</th> 438 <th>Date reported</th> 439 </tr> 440 <tr> 441 <td>CVE-2015-6622</td> 442 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/5d17838adef13062717322e79d4db0b9bb6b2395">ANDROID-23905002</a></td> 443 <td>High</td> 444 <td>6.0 and below</td> 445 <td>Sep 7, 2015</td> 446 </tr> 447 </table> 448 449 <h3 id="elevation_of_privilege_vulnerability_in_wi-fi">Elevation of Privilege Vulnerability in Wi-Fi</h3> 450 451 <p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious 452 application to execute arbitrary code within the context of an elevated system 453 service. This issue is rated as High severity because it could be used to gain 454 elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 455 <table> 456 <tr> 457 <th>CVE</th> 458 <th>Bug(s) with AOSP links</th> 459 <th>Severity</th> 460 <th>Updated versions</th> 461 <th>Date reported</th> 462 </tr> 463 <tr> 464 <td>CVE-2015-6623</td> 465 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/a15a2ee69156fa6fff09c0dd9b8182cb8fafde1c">ANDROID-24872703</a></td> 466 <td>High</td> 467 <td>6.0</td> 468 <td>Google Internal</td> 469 </tr> 470 </table> 471 472 473 <h3 id="elevation_of_privilege_vulnerability_in_system_server">Elevation of Privilege Vulnerability in System Server</h3> 474 475 476 <p>An elevation of privilege vulnerability in the System Server component could 477 enable a local malicious application to gain access to service related 478 information. This issue is rated as High severity because it could be used to 479 gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 480 <table> 481 <tr> 482 <th>CVE</th> 483 <th>Bug(s) with AOSP links</th> 484 <th>Severity</th> 485 <th>Updated versions</th> 486 <th>Date reported</th> 487 </tr> 488 <tr> 489 <td>CVE-2015-6624</td> 490 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f86a441cb5b0dccd3106019e578c3535498e5315">ANDROID-23999740</a></td> 491 <td>High</td> 492 <td>6.0</td> 493 <td>Google internal</td> 494 </tr> 495 </table> 496 497 498 <h3 id="information_disclosure_vulnerabilities_in_libstagefright"> 499 Information Disclosure Vulnerabilities in libstagefright</h3> 500 501 <p>There are information disclosure vulnerabilities in libstagefright that during 502 communication with mediaserver, could permit a bypass of security measures in 503 place to increase the difficulty of attackers exploiting the platform. These 504 issues are rated as High severity because they could also be used to gain 505 elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 506 <table> 507 <tr> 508 <th>CVE</th> 509 <th>Bug(s) with AOSP links</th> 510 <th>Severity</th> 511 <th>Updated versions</th> 512 <th>Date reported</th> 513 </tr> 514 <tr> 515 <td>CVE-2015-6632</td> 516 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5cae16bdce77b0a3ba590b55637f7d55a2f35402">ANDROID-24346430</a></td> 517 <td>High</td> 518 <td>6.0 and below</td> 519 <td>Google Internal</td> 520 </tr> 521 <tr> 522 <td>CVE-2015-6626</td> 523 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8dde7269a5356503d2b283234b6cb46d0c3f214e">ANDROID-24310423</a></td> 524 <td>High</td> 525 <td>6.0 and below</td> 526 <td>Sep 2, 2015</td> 527 </tr> 528 <tr> 529 <td>CVE-2015-6631</td> 530 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/7ed8d1eff9b292b3c65a875b13a549e29654534b">ANDROID-24623447</a></td> 531 <td>High</td> 532 <td>6.0 and below</td> 533 <td>Aug 21, 2015</td> 534 </tr> 535 </table> 536 537 <h3 id="information_disclosure_vulnerability_in_audio">Information Disclosure Vulnerability in Audio</h3> 538 539 <p>A vulnerability in the Audio component could be exploited during audio file 540 processing. This vulnerability could allow a local malicious application, 541 during processing of a specially crafted file, to cause information disclosure. 542 This issue is rated as High severity because it could be used to gain elevated 543 capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 544 <table> 545 <tr> 546 <th>CVE</th> 547 <th>Bug(s) with AOSP links</th> 548 <th>Severity</th> 549 <th>Updated versions</th> 550 <th>Date reported</th> 551 </tr> 552 <tr> 553 <td>CVE-2015-6627</td> 554 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8c987fa71326eb0cc504959a5ebb440410d73180">ANDROID-24211743</a></td> 555 <td>High</td> 556 <td>6.0 and below</td> 557 <td>Google Internal</td> 558 </tr> 559 </table> 560 561 <h3 id="information_disclosure_vulnerability_in_media_framework">Information Disclosure Vulnerability in Media Framework</h3> 562 563 <p>There is an information disclosure vulnerability in Media Framework that during 564 communication with mediaserver, could permit a bypass of security measures in 565 place to increase the difficulty of attackers exploiting the platform. This 566 issue is rated as High severity because it could also be used to gain elevated 567 capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 568 <table> 569 <tr> 570 <th>CVE</th> 571 <th>Bug(s) with AOSP links</th> 572 <th>Severity</th> 573 <th>Updated versions</th> 574 <th>Date reported</th> 575 </tr> 576 <tr> 577 <td>CVE-2015-6628</td> 578 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5e7e87a383fdb1fece977097a7e3cc51b296f3a0">ANDROID-24074485</a></td> 579 <td>High</td> 580 <td>6.0 and below</td> 581 <td>Sep 8, 2015</td> 582 </tr> 583 </table> 584 585 <h3 id="information_disclosure_vulnerability_in_wi-fi">Information Disclosure Vulnerability in Wi-Fi</h3> 586 587 <p>A vulnerability in the Wi-Fi component could allow an attacker to cause the 588 Wi-Fi service to disclose information. This issue is rated as High severity 589 because it could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 590 applications.</p> 591 <table> 592 <tr> 593 <th>CVE</th> 594 <th>Bug(s) with AOSP links</th> 595 <th>Severity</th> 596 <th>Updated versions</th> 597 <th>Date reported</th> 598 </tr> 599 <tr> 600 <td>CVE-2015-6629</td> 601 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/8b41627f7411306a0c42867fb526fa214f2991cd">ANDROID-22667667</a></td> 602 <td>High</td> 603 <td>5.1 and 5.0</td> 604 <td>Google Internal</td> 605 </tr> 606 </table> 607 608 <h3 id="elevation_of_privilege_vulnerability_in_system_server19">Elevation of Privilege Vulnerability in System Server</h3> 609 610 611 <p>An elevation of privilege vulnerability in the System Server could enable a 612 local malicious application to gain access to Wi-Fi service related 613 information. This issue is rated as Moderate severity because it could be used 614 to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 615 <table> 616 <tr> 617 <th>CVE</th> 618 <th>Bug(s) with AOSP links</th> 619 <th>Severity</th> 620 <th>Updated versions</th> 621 <th>Date reported</th> 622 </tr> 623 <tr> 624 <td>CVE-2015-6625</td> 625 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/29fa7d2ffc3bba55173969309e280328b43eeca1">ANDROID-23936840</a></td> 626 <td>Moderate</td> 627 <td>6.0</td> 628 <td>Google Internal</td> 629 </tr> 630 </table> 631 632 <h3 id="information_disclosure_vulnerability_in_systemui">Information Disclosure Vulnerability in SystemUI</h3> 633 634 <p>An information disclosure vulnerability in the SystemUI could enable a local 635 malicious application to gain access to screenshots. This issue is rated as 636 Moderate severity because it could be used to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 637 <table> 638 <tr> 639 <th>CVE</th> 640 <th>Bug(s) with AOSP links</th> 641 <th>Severity</th> 642 <th>Updated versions</th> 643 <th>Date reported</th> 644 </tr> 645 <tr> 646 <td>CVE-2015-6630</td> 647 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/51c2619c7706575a171cf29819db14e91b815a62">ANDROID-19121797</a></td> 648 <td>Moderate</td> 649 <td>5.0, 5.1, and 6.0</td> 650 <td>Jan 22, 2015</td> 651 </tr> 652 </table> 653 654 <h3 id="common_questions_and_answers">Common Questions and Answers</h3> 655 656 <p>This section will review answers to common questions that may occur after 657 reading this bulletin.</p> 658 659 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 660 661 <p>Builds LMY48Z or later and Android 6.0 with Security Patch Level of 662 December 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 663 manufacturers that include these updates should set the patch string level to: 664 [ro.build.version.security_patch]:[2015-12-01]</p> 665 666 <h2 id="revisions">Revisions</h2> 667 <ul> 668 <li> December 07, 2015: Originally Published 669 <li> December 09, 2015: Bulletin revised to include AOSP links. 670 <li> December 22, 2015: Added missing credit to Acknowledgements section. 671 </ul> 672
