1 page.title=Nexus Security Bulletin - February 2016 2 @jd:body 3 4 <!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published February 01, 2016 | Updated February 2, 2016</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process. 31 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49G or later and Android M with Security Patch Level of February 1, 32 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level.</p> 33 34 <p>Partners were notified about the issues described in the bulletin on January 4, 35 2016 or earlier. Where applicable, source code patches for these issues have been 36 released to the Android Open Source Project (AOSP) repository.</p> 37 38 <p>The most severe of these issues is a Critical security vulnerability that could 39 enable remote code execution on an affected device through multiple methods 40 such as email, web browsing, and MMS when processing media files. The Remote Code 41 Execution Vulnerability in Broadcoms Wi-Fi driver is also Critical severity as 42 it could allow remote code execution on an affected device while connected to 43 the same network as the attacker.</p> 44 45 <p>We have had no reports of active customer exploitation of these newly reported 46 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 47 Android platform. We encourage all customers to accept these updates to their 48 devices.</p> 49 50 <h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 51 52 53 <p>The table below contains a list of security vulnerabilities, the Common 54 Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="https://source.android.com/security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would possibly have 55 on an affected device, assuming the platform and service mitigations are 56 disabled for development purposes or if successfully bypassed.</p> 57 <table> 58 <tr> 59 <th>Issue</th> 60 <th>CVE</th> 61 <th>Severity</th> 62 </tr> 63 <tr> 64 <td>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</td> 65 <td>CVE-2016-0801<br /> 66 CVE-2016-0802</td> 67 <td>Critical</td> 68 </tr> 69 <tr> 70 <td>Remote Code Execution Vulnerability in Mediaserver</td> 71 <td>CVE-2016-0803<br /> 72 CVE-2016-0804</td> 73 <td>Critical</td> 74 </tr> 75 <tr> 76 <td>Elevation of Privilege Vulnerability in Qualcomm Performance Module</td> 77 <td>CVE-2016-0805</td> 78 <td>Critical</td> 79 </tr> 80 <tr> 81 <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td> 82 <td>CVE-2016-0806</td> 83 <td>Critical</td> 84 </tr> 85 <tr> 86 <td>Elevation of Privilege Vulnerability in the Debugger Daemon</td> 87 <td>CVE-2016-0807</td> 88 <td>Critical</td> 89 </tr> 90 <tr> 91 <td>Denial of Service Vulnerability in Minikin</td> 92 <td>CVE-2016-0808</td> 93 <td>High</td> 94 </tr> 95 <tr> 96 <td>Elevation of Privilege Vulnerability in Wi-Fi</td> 97 <td>CVE-2016-0809</td> 98 <td>High</td> 99 </tr> 100 <tr> 101 <td>Elevation of Privilege Vulnerability in Mediaserver</td> 102 <td>CVE-2016-0810</td> 103 <td>High</td> 104 </tr> 105 <tr> 106 <td>Information Disclosure Vulnerability in libmediaplayerservice</td> 107 <td>CVE-2016-0811</td> 108 <td>High</td> 109 </tr> 110 <tr> 111 <td>Elevation of Privilege Vulnerability in Setup Wizard</td> 112 <td>CVE-2016-0812<br /> 113 CVE-2016-0813</td> 114 <td>Moderate</td> 115 </tr> 116 </table> 117 118 119 <h3 id=mitigations>Mitigations</h3> 120 121 122 <p>This is a summary of the mitigations provided by the <a href="https://source.android.com/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 123 likelihood that security vulnerabilities could be successfully exploited on 124 Android.</p> 125 126 <ul> 127 <li> Exploitation for many issues on Android is made more difficult by enhancements 128 in newer versions of the Android platform. We encourage all users to update to 129 the latest version of Android where possible. 130 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 131 SafetyNet which will warn about potentially harmful applications about to be 132 installed. Device rooting tools are prohibited within Google Play. To protect 133 users who install applications from outside of Google Play, Verify Apps is 134 enabled by default and will warn users about known rooting applications. Verify 135 Apps attempts to identify and block installation of known malicious 136 applications that exploit a privilege escalation vulnerability. If such an 137 application has already been installed, Verify Apps will notify the user and 138 attempt to remove any such applications. 139 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 140 pass media to processes such as mediaserver. 141 </ul> 142 143 <h3 id=acknowledgements>Acknowledgements</h3> 144 145 146 <p>We would like to thank these researchers for their contributions:</p> 147 148 <ul> 149 <li> Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810 150 <li> Broadgate Team: CVE-2016-0801, CVE-2015-0802 151 <li> David Riley of the Google Pixel C Team: CVE-2016-0812 152 <li> Dongkwan Kim (<a href="mailto:dkay (a] kaist.ac.kr">dkay (a] kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614 153 <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) 154 of Lab IceSword, Qihoo 360: CVE-2016-0805 155 <li> Hongil Kim (<a href="mailto:hongilk (a] kaist.ac.kr">hongilk (a] kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614 156 <li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of 157 KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811 158 <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) 159 of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803 160 <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808 161 <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807 162 </ul> 163 164 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 165 166 167 <p>In the sections below, we provide details for each of the security 168 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> 169 above. There is a description of the issue, a severity rationale, and a table 170 with the CVE, associated bug, severity, affected versions, and date reported. 171 When available, we will link the AOSP commit that addressed the issue to the 172 bug ID. When multiple changes relate to a single bug, additional AOSP 173 references are linked to numbers following the bug ID.</p> 174 175 <h3 id=remote_code_execution_vulnerability_in_broadcom_wi-fi_driver>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</h3> 176 177 178 <p>Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could 179 allow a remote attacker to use specially crafted wireless control message 180 packets to corrupt kernel memory in a way that leads to remote code execution 181 in the context of the kernel. These vulnerabilities can be triggered when the 182 attacker and the victim are associated with the same network. This issue is 183 rated as a Critical severity due to the possibility of remote code execution in 184 the context of the kernel without requiring user interaction.</p> 185 <table> 186 <tr> 187 <th>CVE</th> 188 <th>Bugs</th> 189 <th>Severity</th> 190 <th>Updated versions</th> 191 <th>Date reported</th> 192 </tr> 193 <tr> 194 <td>CVE-2016-0801</td> 195 <td>ANDROID-25662029*</td> 196 <td>Critical</td> 197 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 198 <td>Oct 25, 2015</td> 199 </tr> 200 <tr> 201 <td>CVE-2016-0802</td> 202 <td>ANDROID-25306181*</td> 203 <td>Critical</td> 204 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 205 <td>Oct 26,2015</td> 206 </tr> 207 </table> 208 <p>* The patch for this issue is not in AOSP. The update is contained in the 209 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 210 211 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 212 213 214 <p>During media file and data processing of a specially crafted file, 215 vulnerabilities in mediaserver could allow an attacker to cause memory 216 corruption and remote code execution as the mediaserver process.</p> 217 218 <p>The affected functionality is provided as a core part of the operating system 219 and there are multiple applications that allow it to be reached with remote 220 content, most notably MMS and browser playback of media.</p> 221 222 <p>This issue is rated as a Critical severity due to the possibility of remote 223 code execution within the context of the mediaserver service. The mediaserver 224 service has access to audio and video streams as well as access to privileges 225 that third-party apps cannot normally access.</p> 226 <table> 227 <tr> 228 <th>CVE</th> 229 <th>Bugs with AOSP links</th> 230 <th>Severity</th> 231 <th>Updated versions</th> 232 <th>Date reported</th> 233 </tr> 234 <tr> 235 <td>CVE-2016-0803</td> 236 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/50270d98e26fa18b20ca88216c3526667b724ba7">ANDROID-25812794</a></td> 237 <td>Critical</td> 238 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 239 <td>Nov 19, 2015</td> 240 </tr> 241 <tr> 242 <td>CVE-2016-0804</td> 243 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/224858e719d045c8554856b12c4ab73d2375cf33">ANDROID-25070434</a></td> 244 <td>Critical</td> 245 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 246 <td>Oct 12, 2015</td> 247 </tr> 248 </table> 249 250 251 <h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3> 252 253 254 <p>An elevation of privilege vulnerability in the performance event manager 255 component for ARM processors from Qualcomm could enable a local malicious 256 application to execute arbitrary code within the kernel. This issue is rated as 257 a Critical severity due to the possibility of a local permanent device 258 compromise and the device would possibly need to be repaired by re-flashing the 259 operating system.</p> 260 <table> 261 <tr> 262 <th>CVE</th> 263 <th>Bug</th> 264 <th>Severity</th> 265 <th>Updated versions</th> 266 <th>Date reported</th> 267 </tr> 268 <tr> 269 <td>CVE-2016-0805</td> 270 <td>ANDROID-25773204*</td> 271 <td>Critical</td> 272 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 273 <td>Nov 15, 2015</td> 274 </tr> 275 </table> 276 277 <p>* The patch for this issue is not in AOSP. The update is contained in the 278 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 279 280 <h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3> 281 282 283 <p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local 284 malicious application to execute arbitrary code within the context of the 285 kernel. This issue is rated as a Critical severity due to the possibility of a 286 local permanent device compromise and the device would possibly need to be 287 repaired by re-flashing the operating system.</p> 288 <table> 289 <tr> 290 <th>CVE</th> 291 <th>Bug</th> 292 <th>Severity</th> 293 <th>Updated versions</th> 294 <th>Date reported</th> 295 </tr> 296 <tr> 297 <td>CVE-2016-0806</td> 298 <td>ANDROID-25344453*</td> 299 <td>Critical</td> 300 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 301 <td>Nov 15, 2015</td> 302 </tr> 303 </table> 304 305 <p>* The patch for this issue is not in AOSP. The update is contained in the 306 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 307 308 <h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd </h3> 309 310 311 <p>An elevation of privilege vulnerability in the Debuggerd component could enable 312 a local malicious application to execute arbitrary code within the device root 313 context. This issue is rated as a Critical severity due to the possibility of a 314 local permanent device compromise and the device would possibly need to be 315 repaired by re-flashing the operating system.</p> 316 <table> 317 <tr> 318 <th>CVE</th> 319 <th>Bug with AOSP link</th> 320 <th>Severity</th> 321 <th>Updated versions</th> 322 <th>Date reported</th> 323 </tr> 324 <tr> 325 <td>CVE-2016-0807</td> 326 <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/d917514bd6b270df431ea4e781a865764d406120">ANDROID-25187394</a></td> 327 <td>Critical</td> 328 <td>6.0 and 6.0.1</td> 329 <td>Google Internal</td> 330 </tr> 331 </table> 332 333 334 <h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3> 335 336 337 <p>A denial of service vulnerability in the Minikin library could allow a local 338 attacker to temporarily block access to an affected device. An attacker could 339 cause an untrusted font to be loaded and cause an overflow in the Minikin 340 component which leads to a crash. This is rated as a high severity because 341 Denial of Service leads to a continuous reboot loop.</p> 342 <table> 343 <tr> 344 <th>CVE</th> 345 <th>Bug with AOSP link</th> 346 <th>Severity</th> 347 <th>Updated versions</th> 348 <th>Date reported</th> 349 </tr> 350 <tr> 351 <td>CVE-2016-0808</td> 352 <td><a href="https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b">ANDROID-25645298</a></td> 353 <td>High</td> 354 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 355 <td>Nov 3, 2015</td> 356 </tr> 357 </table> 358 359 360 <h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3> 361 362 363 <p>An elevation of privilege vulnerability in the Wi-Fi component could enable a 364 local malicious application to execute arbitrary code within the System 365 context. A device is only vulnerable to this issue while in local proximity. 366 This issue is rated as High severity because it could be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a> capabilities remotely. Generally, these permissions are accessible only to 367 third-party applications installed locally.</p> 368 <table> 369 <tr> 370 <th>CVE</th> 371 <th>Bug with AOSP link</th> 372 <th>Severity</th> 373 <th>Updated versions</th> 374 <th>Date reported</th> 375 </tr> 376 <tr> 377 <td>CVE-2016-0809</td> 378 <td><a href="https://android.googlesource.com/platform/hardware/broadcom/wlan/+/2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1%5E%21/#F0">ANDROID-25753768</a></td> 379 <td>High</td> 380 <td>6.0, 6.0.1</td> 381 <td>Google Internal</td> 382 </tr> 383 </table> 384 385 386 <h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3> 387 388 389 <p>An elevation of privilege vulnerability in mediaserver could enable a local 390 malicious application to execute arbitrary code within the context of an 391 elevated system application. This issue is rated as High severity because it 392 could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 393 <table> 394 <tr> 395 <th>CVE</th> 396 <th>Bug with AOSP link</th> 397 <th>Severity</th> 398 <th>Updated versions</th> 399 <th>Date reported</th> 400 </tr> 401 <tr> 402 <td>CVE-2016-0810</td> 403 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/19c47afbc402542720ddd280e1bbde3b2277b586">ANDROID-25781119</a></td> 404 <td>High</td> 405 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 406 <td>Google Internal</td> 407 </tr> 408 </table> 409 410 411 <h3 id=information_disclosure_vulnerability_in_libmediaplayerservice>Information Disclosure Vulnerability in libmediaplayerservice </h3> 412 413 414 <p>An information disclosure vulnerability in libmediaplayerservice could permit a 415 bypass of security measures in place to increase the difficulty of attackers 416 exploiting the platform. These issues are rated as High severity because they 417 could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 418 <table> 419 <tr> 420 <th>CVE</th> 421 <th>Bug with AOSP link</th> 422 <th>Severity</th> 423 <th>Updated versions</th> 424 <th>Date reported</th> 425 </tr> 426 <tr> 427 <td>CVE-2016-0811</td> 428 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/22f824feac43d5758f9a70b77f2aca840ba62c3b">ANDROID-25800375</a></td> 429 <td>High</td> 430 <td>6.0, 6.0.1</td> 431 <td>Nov 16, 2015</td> 432 </tr> 433 </table> 434 435 436 <h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> 437 438 439 <p>A vulnerability in the Setup Wizard could allow a malicious attacker to bypass 440 the Factory Reset Protection and gain access to the device. This is rated as a 441 Moderate severity because it potentially allows someone with physical access to 442 a device to bypass the Factory Reset Protection, which enables an attacker to 443 successfully reset a device, erasing all data.</p> 444 <table> 445 <tr> 446 <th>CVE</th> 447 <th>Bugs with AOSP links</th> 448 <th>Severity</th> 449 <th>Updated versions</th> 450 <th>Date reported</th> 451 </tr> 452 <tr> 453 <td>CVE-2016-0812</td> 454 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/84669ca8de55d38073a0dcb01074233b0a417541">ANDROID-25229538</a></td> 455 <td>Moderate</td> 456 <td>5.1.1, 6.0</td> 457 <td>Google Internal</td> 458 </tr> 459 <tr> 460 <td>CVE-2016-0813</td> 461 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/16a76dadcc23a13223e9c2216dad1fe5cad7d6e1">ANDROID-25476219</a></td> 462 <td>Moderate</td> 463 <td>5.1.1, 6.0, 6.0.1</td> 464 <td>Google Internal</td> 465 </tr> 466 </table> 467 468 <h3 id=common_questions_and_answers>Common Questions and Answers</strong></h3> 469 470 <p>This section reviews answers to common questions that may occur after reading 471 this bulletin.</p> 472 473 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 474 475 <p>Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1, 476 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 477 manufacturers that include these updates should set the patch string level to: 478 [ro.build.version.security_patch]:[2016-02-01]</p> 479 480 <h2 id=revisions>Revisions</h2> 481 482 483 <ul> 484 <li> February 01, 2016: Bulletin published. 485 <li> February 02, 2016: Bulletin revised to include AOSP links. 486
