1 page.title=Nexus Security Bulletin - January 2016 2 @jd:body 3 4 <!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published January 04, 2016 | Updated January 06, 2016</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process. 31 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 32 1, 2016 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 33 34 <p>Partners were notified about and provided updates for the issues described in 35 this bulletin on December 7, 2015 or earlier. Where applicable, source code 36 patches for these issues have been released to the Android Open Source Project (AOSP) repository.</p> 37 38 <p>The most severe of these issues is a Critical security vulnerability that could 39 enable remote code execution on an affected device through multiple methods 40 such as email, web browsing, and MMS when processing media files.</p> 41 42 <p>We have had no reports of active customer exploitation of these newly reported 43 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 44 Android platform. We encourage all customers to accept these updates to their 45 devices.</p> 46 47 <h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 48 49 50 <p>The table below contains a list of security vulnerabilities, the Common 51 Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="https://source.android.com/security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 52 affected device, assuming the platform and service mitigations are disabled for 53 development purposes or if successfully bypassed.</p> 54 <table> 55 <tr> 56 <th>Issue</th> 57 <th>CVE</th> 58 <th>Severity</th> 59 </tr> 60 <tr> 61 <td>Remote Code Execution Vulnerability in Mediaserver</td> 62 <td>CVE-2015-6636</td> 63 <td>Critical</td> 64 </tr> 65 <tr> 66 <td>Elevation of Privilege Vulnerability in misc-sd driver</td> 67 <td>CVE-2015-6637</td> 68 <td>Critical</td> 69 </tr> 70 <tr> 71 <td>Elevation of Privilege Vulnerability in the Imagination Technologies driver</td> 72 <td>CVE-2015-6638</td> 73 <td>Critical</td> 74 </tr> 75 <tr> 76 <td>Elevation of Privilege Vulnerabilities in Trustzone</td> 77 <td>CVE-2015-6639</td> 78 <td>Critical</td> 79 </tr> 80 <tr> 81 <td>Elevation of Privilege Vulnerability in Kernel</td> 82 <td>CVE-2015-6640</td> 83 <td>Critical</td> 84 </tr> 85 <tr> 86 <td>Elevation of Privilege Vulnerability in Bluetooth</td> 87 <td>CVE-2015-6641</td> 88 <td>High</td> 89 </tr> 90 <tr> 91 <td>Information Disclosure Vulnerability in Kernel</td> 92 <td>CVE-2015-6642</td> 93 <td>High</td> 94 </tr> 95 <tr> 96 <td>Elevation of Privilege Vulnerability in Setup Wizard</td> 97 <td>CVE-2015-6643</td> 98 <td>Moderate</td> 99 </tr> 100 <tr> 101 <td>Elevation of Privilege Vulnerability in Wi-Fi</td> 102 <td>CVE-2015-5310</td> 103 <td>Moderate</td> 104 </tr> 105 <tr> 106 <td>Information Disclosure Vulnerability in Bouncy Castle</td> 107 <td>CVE-2015-6644</td> 108 <td>Moderate</td> 109 </tr> 110 <tr> 111 <td>Denial of Service Vulnerability in SyncManager</td> 112 <td>CVE-2015-6645</td> 113 <td>Moderate</td> 114 </tr> 115 <tr> 116 <td>Attack Surface Reduction for Nexus Kernels</td> 117 <td>CVE-2015-6646</td> 118 <td>Moderate</td> 119 </tr> 120 </table> 121 122 123 <h2 id=mitigations>Mitigations</h2> 124 125 126 <p>This is a summary of the mitigations provided by the <a href="https://source.android.com/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 127 likelihood that security vulnerabilities could be successfully exploited on 128 Android.</p> 129 130 <ul> 131 <li> Exploitation for many issues on Android is made more difficult by enhancements 132 in newer versions of the Android platform. We encourage all users to update to 133 the latest version of Android where possible. 134 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 135 SafetyNet which will warn about potentially harmful applications about to be 136 installed. Device rooting tools are prohibited within Google Play. To protect 137 users who install applications from outside of Google Play, Verify Apps is 138 enabled by default and will warn users about known rooting applications. Verify 139 Apps attempts to identify and block installation of known malicious 140 applications that exploit a privilege escalation vulnerability. If such an 141 application has already been installed, Verify Apps will notify the user and 142 attempt to remove any such applications. 143 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 144 pass media to processes such as mediaserver. 145 </ul> 146 147 <h2 id=acknowledgements>Acknowledgements</h2> 148 149 150 <p>We would like to thank these researchers for their contributions:</p> 151 152 <ul> 153 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 154 Team: CVE-2015-6636, CVE-2015-6617 155 <li> Sen Nie (<a href="https://twitter.com/@nforest_">@nforest_</a>) and jfang of KEEN lab, Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6637 156 <li> Yabin Cui from Android Bionic Team: CVE-2015-6640 157 <li> Tom Craig of Google X: CVE-2015-6641 158 <li> Jann Horn (<a href="https://thejh.net">https://thejh.net</a>): CVE-2015-6642 159 <li> Jouni Malinen PGP id EFC895FA: CVE-2015-5310 160 <li> Quan Nguyen of Google Information Security Engineer Team: CVE-2015-6644 161 <li> Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>, <a href="http://bits-please.blogspot.com">http://bits-please.blogspot.com</a>): CVE-2015-6639 162 </ul> 163 164 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 165 166 <p>In the sections below, we provide details for each of the security 167 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 168 with the CVE, associated bug, severity, updated versions, and date reported. 169 When available, we will link the AOSP change that addressed the issue to the 170 bug ID. When multiple changes relate to a single bug, additional AOSP 171 references are linked to numbers following the bug ID. </p> 172 173 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 174 175 176 <p>During media file and data processing of a specially crafted file, 177 vulnerabilities in mediaserver could allow an attacker to cause memory 178 corruption and remote code execution as the mediaserver process.</p> 179 180 <p>The affected functionality is provided as a core part of the operating system 181 and there are multiple applications that allow it to be reached with remote 182 content, most notably MMS and browser playback of media.</p> 183 184 <p>This issue is rated as a Critical severity due to the possibility of remote 185 code execution within the context of the mediaserver service. The mediaserver 186 service has access to audio and video streams as well as access to privileges 187 that third-party apps cannot normally access.</p> 188 <table> 189 <tr> 190 <th>CVE</th> 191 <th>Bug(s) with AOSP links</th> 192 <th>Severity</th> 193 <th>Updated versions</th> 194 <th>Date reported</th> 195 </tr> 196 <tr> 197 <td rowspan="2">CVE-2015-6636</td> 198 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/b9f7c2c45c6fe770b7daffb9a4e61522d1f12d51#">ANDROID-25070493</a></td> 199 <td>Critical</td> 200 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 201 <td>Google Internal</td> 202 </tr> 203 <tr> 204 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/e8bfec1fa41eafa1fd8e05d0fdc53ea0f2379518">ANDROID-24686670</a></td> 205 <td>Critical</td> 206 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 207 <td>Google Internal</td> 208 </tr> 209 </table> 210 211 212 <h3 id=elevation_of_privilege_vulnerability_in_misc-sd_driver>Elevation of Privilege Vulnerability in misc-sd driver</h3> 213 214 215 <p>An elevation of privilege vulnerability in the misc-sd driver from MediaTek 216 could enable a local malicious application to execute arbitrary code within the 217 kernel. This issue is rated as a Critical severity due to the possibility of a 218 local permanent device compromise, in which case the device would possibly need 219 to be repaired by re-flashing the operating system.</p> 220 <table> 221 <tr> 222 <th>CVE</th> 223 <th>Bug(s)</th> 224 <th>Severity</th> 225 <th>Updated versions</th> 226 <th>Date reported</th> 227 </tr> 228 <tr> 229 <td>CVE-2015-6637</td> 230 <td>ANDROID-25307013*</td> 231 <td>Critical</td> 232 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 233 <td>Oct 26, 2015</td> 234 </tr> 235 </table> 236 237 <p> * The patch for this issue is not in AOSP. The update is contained in the 238 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 239 240 <h3 id=elevation_of_privilege_vulnerability_in_the_imagination_technologies_driver>Elevation of Privilege Vulnerability in the Imagination Technologies driver</h3> 241 242 243 <p>An elevation of privilege vulnerability in a kernel driver from Imagination 244 Technologies could enable a local malicious application to execute arbitrary 245 code within the kernel. This issue is rated as a Critical severity due to the 246 possibility of a local permanent device compromise, in which case device would 247 possibly need to be repaired by re-flashing the operating system.</p> 248 <table> 249 <tr> 250 <th>CVE</th> 251 <th>Bug(s)</th> 252 <th>Severity</th> 253 <th>Updated versions</th> 254 <th>Date reported</th> 255 </tr> 256 <tr> 257 <td>CVE-2015-6638</td> 258 <td>ANDROID-24673908*</td> 259 <td>Critical</td> 260 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 261 <td>Google Internal</td> 262 </tr> 263 </table> 264 265 <p> * The patch for this issue is not in AOSP. The update is contained in the 266 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 267 268 <h3 id=elevation_of_privilege_vulnerabilities_in_trustzone>Elevation of Privilege Vulnerabilities in Trustzone</h3> 269 270 271 <p>Elevation of privilege vulnerabilities in the Widevine QSEE TrustZone 272 application could enable a compromise, privileged application with access to 273 QSEECOM to execute arbitrary code in the Trustzone context. This issue is rated 274 as a Critical severity due to the possibility of a local permanent device 275 compromise, in which case the device would possibly need to be repaired by 276 re-flashing the operating system.</p> 277 <table> 278 <tr> 279 <th>CVE</th> 280 <th>Bug(s)</th> 281 <th>Severity</th> 282 <th>Updated versions</th> 283 <th>Date reported</th> 284 </tr> 285 <tr> 286 <td>CVE-2015-6639</td> 287 <td>ANDROID-24446875*</td> 288 <td>Critical</td> 289 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 290 <td>Sep 23, 2015</td> 291 </tr> 292 <tr> 293 <td>CVE-2015-6647</td> 294 <td>ANDROID-24441554*</td> 295 <td>Critical</td> 296 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 297 <td>Sep 27, 2015</td> 298 </tr> 299 </table> 300 301 <p> * The patch for this issue is not in AOSP. The update is contained in the 302 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 303 304 <h3 id=elevation_of_privilege_vulnerability_in_kernel>Elevation of Privilege Vulnerability in Kernel</h3> 305 306 307 <p>An elevation of privilege vulnerability in the kernel could enable a local 308 malicious application to execute arbitrary code in the kernel. This issue is 309 rated as a Critical severity due to the possibility of a local permanent device 310 compromise, in which case the device would possibly need to be repaired by 311 re-flashing the operating system.</p> 312 <table> 313 <tr> 314 <th>CVE</th> 315 <th>Bug(s) with AOSP Link</th> 316 <th>Severity</th> 317 <th>Updated versions</th> 318 <th>Date reported</th> 319 </tr> 320 <tr> 321 <td>CVE-2015-6640</td> 322 <td><a href="https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15">ANDROID-20017123</a></td> 323 <td>Critical</td> 324 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 325 <td>Google Internal</td> 326 </tr> 327 </table> 328 329 330 <h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3> 331 332 333 <p>An elevation of privilege vulnerability in the Bluetooth component could enable 334 a remote device paired over Bluetooth to gain access to users private 335 information (Contacts). This issue is rated as High severity because it could 336 be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> capabilities remotely, these permissions are accessible only to third-party 337 applications installed locally.</p> 338 <table> 339 <tr> 340 <th>CVE</th> 341 <th>Bug(s) with AOSP links</th> 342 <th>Severity</th> 343 <th>Updated versions</th> 344 <th>Date reported</th> 345 </tr> 346 <tr> 347 <td>CVE-2015-6641</td> 348 <td><a href="https://android.googlesource.com/platform%2Fpackages%2Fapps%2FSettings/+/98f11fd1a4752beed56b5fe7a4097ec0ae0c74b3">ANDROID-23607427</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/ccbe7383e63d7d23bac6bccc8e4094fe474645ec">2</a>]</td> 349 <td>High</td> 350 <td>6.0, 6.0.1</td> 351 <td>Google Internal</td> 352 </tr> 353 </table> 354 355 356 <h3 id=information_disclosure_vulnerability_in_kernel>Information Disclosure Vulnerability in Kernel</h3> 357 358 359 <p>An information disclosure vulnerability in the kernel could permit a bypass of 360 security measures in place to increase the difficulty of attackers exploiting 361 the platform. These issues are rated as High severity because they could also 362 be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 363 <table> 364 <tr> 365 <th>CVE</th> 366 <th>Bug(s)</th> 367 <th>Severity</th> 368 <th>Updated versions</th> 369 <th>Date reported</th> 370 </tr> 371 <tr> 372 <td>CVE-2015-6642</td> 373 <td>ANDROID-24157888*</td> 374 <td>High</td> 375 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 376 <td>Sep 12, 2015</td> 377 </tr> 378 </table> 379 <p> * The patch for this issue is not in AOSP. The update is contained in the 380 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 381 382 <h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> 383 384 385 <p>An elevation of privilege vulnerability in the Setup Wizard could enable an 386 attacker with physical access to the device to gain access to device settings 387 and perform a manual device reset. This issue is rated as Moderate severity 388 because it could be used to improperly work around the factory reset 389 protection.</p> 390 <table> 391 <tr> 392 <th>CVE</th> 393 <th>Bug(s) with AOSP links</th> 394 <th>Severity</th> 395 <th>Updated versions</th> 396 <th>Date reported</th> 397 </tr> 398 <tr> 399 <td>CVE-2015-6643</td> 400 <td><a href="https://android.googlesource.com/platform/packages/apps/Settings/+/665ac7bc29396fd5af2ecfdfda2b9de7a507daa0">ANDROID-25290269</a> [<a href="https://android.googlesource.com/platform/packages/apps/Settings/+/a7ff2e955d2509ed28deeef984347e093794f92b">2</a>]</td> 401 <td>Moderate</td> 402 <td>5.1.1, 6.0, 6.0.1</td> 403 <td>Google Internal</td> 404 </tr> 405 </table> 406 407 408 <h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3> 409 410 411 <p>An elevation of privilege vulnerability in the Wi-Fi component could enable a 412 locally proximate attacker to gain access to Wi-Fi service related information. 413 A device is only vulnerable to this issue while in local proximity. This issue 414 is rated as Moderate severity because it could be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a> capabilities remotely, these permissions are accessible only to third-party 415 applications installed locally.</p> 416 <table> 417 <tr> 418 <th>CVE</th> 419 <th>Bug(s) with AOSP links</th> 420 <th>Severity</th> 421 <th>Updated versions</th> 422 <th>Date reported</th> 423 </tr> 424 <tr> 425 <td>CVE-2015-5310</td> 426 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fwpa_supplicant_8/+/1e9857b5f1dd84ac5a0ada0150b1b9c87d44d99d">ANDROID-25266660</a></td> 427 <td>Moderate</td> 428 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 429 <td>Oct 25, 2015</td> 430 </tr> 431 </table> 432 433 434 <h3 id=information_disclosure_vulnerability_in_bouncy_castle>Information Disclosure Vulnerability in Bouncy Castle</h3> 435 436 437 <p>An information disclosure vulnerability in Bouncy Castle could enable a local 438 malicious application to gain access to users private information. This issue 439 is rated as Moderate severity because it could be used to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 440 <table> 441 <tr> 442 <th>CVE</th> 443 <th>Bug(s) with AOSP links</th> 444 <th>Severity</th> 445 <th>Updated versions</th> 446 <th>Date reported</th> 447 </tr> 448 <tr> 449 <td>CVE-2015-6644</td> 450 <td><a href="https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f">ANDROID-24106146</a></td> 451 <td>Moderate</td> 452 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 453 <td>Google Internal</td> 454 </tr> 455 </table> 456 457 458 <h3 id=denial_of_service_vulnerability_in_syncmanager>Denial of Service Vulnerability in SyncManager</h3> 459 460 461 <p>A denial of service vulnerability in the SyncManager could enable a local 462 malicious application to cause a reboot loop. This issue is rated as Moderate 463 severity because it could be used to cause a local temporary denial of service 464 that would possibly need to be fixed though a factory reset.</p> 465 <table> 466 <tr> 467 <th>CVE</th> 468 <th>Bug(s) with AOSP links</th> 469 <th>Severity</th> 470 <th>Updated versions</th> 471 <th>Date reported</th> 472 </tr> 473 <tr> 474 <td>CVE-2015-6645</td> 475 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/c0f39c1ece72a05c796f7ba30b7a2b5b580d5025">ANDROID-23591205</a></td> 476 <td>Moderate</td> 477 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 478 <td>Google Internal</td> 479 </tr> 480 </table> 481 482 483 <h3 id=attack_surface_reduction_for_nexus_kernels>Attack Surface Reduction for Nexus Kernels</h3> 484 485 486 <p>SysV IPC is not supported in any Android Kernel. We have removed this from the 487 OS as it exposes additional attack surface that doesnt add functionality to 488 the system that could be exploited by malicious applications. Also, System V 489 IPCs are not compliant with Android's application lifecycle because the 490 allocated resources are not freeable by the memory manager leading to global 491 kernel resource leakage. This change addresses issue such as CVE-2015-7613.</p> 492 <table> 493 <tr> 494 <th>CVE</th> 495 <th>Bug(s)</th> 496 <th>Severity</th> 497 <th>Updated versions</th> 498 <th>Date reported</th> 499 </tr> 500 <tr> 501 <td>CVE-2015-6646</td> 502 <td>ANDROID-22300191*</td> 503 <td>Moderate</td> 504 <td>6.0</td> 505 <td>Google Internal</td> 506 </tr> 507 </table> 508 509 <p> * The patch for this issue is not in AOSP. The update is contained in the 510 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 511 512 <h3 id=common_questions_and_answers>Common Questions and Answers</h3> 513 514 515 <p>This section reviews answers to common questions that may occur after reading 516 this bulletin.</p> 517 518 <p><strong>1. How do I determine if my device is updated to address these issues? </strong></p> 519 520 <p>Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 521 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 522 manufacturers that include these updates should set the patch string level to: 523 [ro.build.version.security_patch]:[2016-01-01] </p> 524 525 <h2 id=revisions>Revisions</h2> 526 527 528 <ul> 529 <li> January 04, 2016: Bulletin published. 530 <li> January 06, 2016: Bulletin revised to include AOSP links. 531
