1 page.title=Nexus Security Bulletin - March 2016 2 @jd:body 3 4 <!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published March 07, 2016 | Updated March 08, 2016</em></p> 28 29 <p>We have released a security update to Nexus devices through an over-the-air 30 (OTA) update as part of our Android Security Bulletin Monthly Release process. 31 The Nexus firmware images have also been released to the 32 <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. 33 Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later 34 address these issues. Refer to the 35 <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> 36 for instructions on how to check the security patch level.</p> 37 38 <p>Partners were notified about the issues described in the bulletin on February 39 1, 2016 or earlier. Where applicable, source code patches for these issues have been 40 released to the Android Open Source Project (AOSP) repository.</p> 41 42 <p>The most severe of these issues is a Critical security vulnerability that could 43 enable remote code execution on an affected device through multiple methods 44 such as email, web browsing, and MMS when processing media files.</p> 45 46 <p>We have had no reports of active customer exploitation of these newly reported 47 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the 48 <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> 49 and service protections such as SafetyNet, which improve the security of the 50 Android platform. We encourage all customers to accept these updates to their 51 devices.</p> 52 53 <h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 54 55 <p>The table below contains a list of security vulnerabilities, the Common 56 Vulnerability and Exposures ID (CVE), and their assessed severity. The 57 <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> 58 is based on the effect that exploiting the vulnerability would possibly have 59 on an affected device, assuming the platform and service mitigations are 60 disabled for development purposes or if successfully bypassed.</p> 61 <table> 62 <tr> 63 <th>Issue</th> 64 <th>CVE</th> 65 <th>Severity</th> 66 </tr> 67 <tr> 68 <td>Remote Code Execution Vulnerability in Mediaserver </td> 69 <td>CVE-2016-0815<br /> 70 CVE-2016-0816</td> 71 <td>Critical</td> 72 </tr> 73 <tr> 74 <td>Remote Code Execution Vulnerabilities in libvpx</td> 75 <td>CVE-2016-1621</td> 76 <td>Critical</td> 77 </tr> 78 <tr> 79 <td>Elevation of Privilege in Conscrypt</td> 80 <td>CVE-2016-0818</td> 81 <td>Critical</td> 82 </tr> 83 <tr> 84 <td>Elevation of Privilege Vulnerability in the Qualcomm<br /> 85 Performance Component</td> 86 <td>CVE-2016-0819</td> 87 <td>Critical</td> 88 </tr> 89 <tr> 90 <td>Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver</td> 91 <td>CVE-2016-0820</td> 92 <td>Critical</td> 93 </tr> 94 <tr> 95 <td>Elevation of Privilege Vulnerability in Keyring Component</td> 96 <td>CVE-2016-0728</td> 97 <td>Critical</td> 98 </tr> 99 <tr> 100 <td>Mitigation Bypass Vulnerability in the Kernel</td> 101 <td>CVE-2016-0821</td> 102 <td>High</td> 103 </tr> 104 <tr> 105 <td>Elevation of Privilege in MediaTek Connectivity Driver</td> 106 <td>CVE-2016-0822</td> 107 <td>High</td> 108 </tr> 109 <tr> 110 <td>Information Disclosure Vulnerability in Kernel</td> 111 <td>CVE-2016-0823</td> 112 <td>High</td> 113 </tr> 114 <tr> 115 <td>Information Disclosure Vulnerability in libstagefright</td> 116 <td>CVE-2016-0824</td> 117 <td>High</td> 118 </tr> 119 <tr> 120 <td>Information Disclosure Vulnerability in Widevine</td> 121 <td>CVE-2016-0825</td> 122 <td>High</td> 123 </tr> 124 <tr> 125 <td>Elevation of Privilege Vulnerability in Mediaserver</td> 126 <td>CVE-2016-0826<br /> 127 CVE-2016-0827</td> 128 <td>High</td> 129 </tr> 130 <tr> 131 <td>Information Disclosure Vulnerability in Mediaserver</td> 132 <td>CVE-2016-0828<br /> 133 CVE-2016-0829</td> 134 <td>High</td> 135 </tr> 136 <tr> 137 <td>Remote Denial of Service Vulnerability in Bluetooth</td> 138 <td>CVE-2016-0830</td> 139 <td>High</td> 140 </tr> 141 <tr> 142 <td>Information Disclosure Vulnerability in Telephony</td> 143 <td>CVE-2016-0831</td> 144 <td>Moderate</td> 145 </tr> 146 <tr> 147 <td>Elevation of Privilege Vulnerability in Setup Wizard</td> 148 <td>CVE-2016-0832</td> 149 <td>Moderate</td> 150 </tr> 151 </table> 152 153 154 <h3 id=mitigations>Mitigations</h3> 155 156 157 <p>This is a summary of the mitigations provided by the 158 <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> 159 and service protections such as SafetyNet. These capabilities reduce the 160 likelihood that security vulnerabilities could be successfully exploited on 161 Android.</p> 162 163 <ul> 164 <li> Exploitation for many issues on Android is made more difficult by enhancements 165 in newer versions of the Android platform. We encourage all users to update to 166 the latest version of Android where possible. 167 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 168 SafetyNet which will warn about potentially harmful applications about to be 169 installed. Device rooting tools are prohibited within Google Play. To protect 170 users who install applications from outside of Google Play, Verify Apps is 171 enabled by default and will warn users about known rooting applications. Verify 172 Apps attempts to identify and block installation of known malicious 173 applications that exploit a privilege escalation vulnerability. If such an 174 application has already been installed, Verify Apps will notify the user and 175 attempt to remove any such applications. 176 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 177 pass media to processes such as mediaserver. 178 </ul> 179 180 <h3 id=acknowledgements>Acknowledgements</h3> 181 182 183 <p>We would like to thank these researchers for their contributions:</p> 184 185 <ul> 186 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 187 Team: CVE-2016-0815 188 <li> Anestis Bechtsoudis (<a href="https://twitter.com/anestisb">@anestisb</a>) of CENSUS S.A.: CVE-2016-0816, CVE-2016-0824 189 <li> Chad Brubaker from Android Security: CVE-2016-0818 190 <li> Mark Brand of Google Project Zero: CVE-2016-0820 191 <li> Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a> from <a href="http://www.360safe.com">Qihoo 360</a>: CVE-2016-0826 192 <li> Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend Micro: CVE-2016-0827, CVE-2016-0828, CVE-2016-0829 193 <li> Scott Bauer (<a href="mailto:sbauer (a] eng.utah.edu">sbauer (a] eng.utah.edu</a>, <a href="mailto:sbauer (a] plzdonthack.me">sbauer (a] plzdonthack.me</a>): CVE-2016-0822 194 <li> Wish Wu (<a href="https://twitter.com/@wish_wu">@wish_wu</a>) of Trend Micro Inc.: CVE-2016-0819 195 <li> Yongzheng Wu and Tieyan Li of Huawei: CVE-2016-0831 196 <li> Su Mon Kywe and Yingjiu Li of Singapore Management University: CVE-2016-0831 197 <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0821 198 </ul> 199 200 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 201 202 203 <p>In the sections below, we provide details for each of the security 204 vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 205 with the CVE, associated bug, severity, affected versions, and date reported. 206 When available, we will link the AOSP change that addressed the issue to the 207 bug ID. When multiple changes relate to a single bug, additional AOSP 208 references are linked to numbers following the bug ID.</p> 209 210 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 211 212 213 <p>During media file and data processing of a specially crafted file, 214 vulnerabilities in mediaserver could allow an attacker to cause memory 215 corruption and remote code execution as the mediaserver process.</p> 216 217 <p>The affected functionality is provided as a core part of the operating system, 218 and there are multiple applications that allow it to be reached with remote 219 content, most notably MMS and browser playback of media.</p> 220 221 <p>This issue is rated as a Critical severity due to the possibility of remote 222 code execution within the context of the mediaserver service. The mediaserver 223 service has access to audio and video streams as well as access to privileges 224 that third-party apps could not normally access.</p> 225 <table> 226 <tr> 227 <th>CVE</th> 228 <th>Bugs with AOSP links</th> 229 <th>Severity</th> 230 <th>Updated versions</th> 231 <th>Date reported</th> 232 </tr> 233 <tr> 234 <td>CVE-2016-0815</td> 235 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5403587a74aee2fb57076528c3927851531c8afb">ANDROID-26365349</a> 236 </td> 237 <td>Critical</td> 238 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 239 <td>Google Internal</td> 240 </tr> 241 <tr> 242 <td>CVE-2016-0816</td> 243 <td><a href="https://android.googlesource.com/platform/external/libavc/+/4a524d3a8ae9aa20c36430008e6bd429443f8f1d">ANDROID-25928803</a> 244 </td> 245 <td>Critical</td> 246 <td>6.0, 6.0.1</td> 247 <td>Google Internal</td> 248 </tr> 249 </table> 250 251 252 <h3 id=remote_code_execution_vulnerabilities_in_libvpx>Remote Code Execution Vulnerabilities in libvpx</h3> 253 254 255 <p>During media file and data processing of a specially crafted file, 256 vulnerabilities in mediaserver could allow an attacker to cause memory 257 corruption and remote code execution as the mediaserver process.</p> 258 259 <p>The affected functionality is provided as a core part of the operating system 260 and there are multiple applications that allow it to be reached with remote 261 content, most notably MMS and browser playback of media.</p> 262 263 <p>The issues are rated as Critical severity because they could be used for remote 264 code execution within the context of the mediaserver service. The mediaserver 265 service has access to audio and video streams as well as access to privileges 266 that third-party apps cannot normally access.</p> 267 <table> 268 <tr> 269 <th>CVE</th> 270 <th>Bug with AOSP links</th> 271 <th>Severity</th> 272 <th>Updated versions</th> 273 <th>Date reported</th> 274 </tr> 275 <tr> 276 <td>CVE-2016-1621</td> 277 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5a6788730acfc6fd8f4a6ef89d2c376572a26b55">ANDROID-23452792</a> 278 <a href="https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d">[2]</a> 279 <a href="https://android.googlesource.com/platform/external/libvpx/+/5a9753fca56f0eeb9f61e342b2fccffc364f9426">[3]</a> 280 </td> 281 <td>Critical</td> 282 <td>4.4.4, 5.0.2, 5.1.1, 6.0</td> 283 <td>Google Internal</td> 284 </tr> 285 </table> 286 287 288 <h3 id=elevation_of_privilege_in_conscrypt>Elevation of Privilege in Conscrypt</h3> 289 290 <p>A vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted. This may enable a man-in-the-middle attack. This issue is rated as a Critical severity due to the possibility of an elevation of privilege and remote arbitrary code execution.</p> 291 292 <table> 293 <tr> 294 <th>CVE</th> 295 <th>Bug with AOSP links</th> 296 <th>Severity</th> 297 <th>Updated versions</th> 298 <th>Date reported</th> 299 </tr> 300 <tr> 301 <td>CVE-2016-0818</td> 302 <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/c4ab1b959280413fb11bf4fd7f6b4c2ba38bd779">ANDROID-26232830</a> 303 <a href="https://android.googlesource.com/platform/external/conscrypt/+/4c9f9c2201116acf790fca25af43995d29980ee0">[2]</a> 304 </td> 305 <td>Critical</td> 306 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 307 <td>Google Internal</td> 308 </tr> 309 </table> 310 311 312 <h3 id=elevation_of_privilege_vulnerability_in_the_qualcomm_performance_component>Elevation of Privilege Vulnerability in the Qualcomm Performance Component</h3> 313 314 315 <p>An elevation of privilege vulnerability in the Qualcomm performance component 316 could enable a local malicious application to execute arbitrary code in the 317 kernel. This issue is rated as a Critical severity due to the possibility of a 318 local permanent device compromise, and the device could only be repaired by 319 re-flashing the operating system.</p> 320 <table> 321 <tr> 322 <th>CVE</th> 323 <th>Bug</th> 324 <th>Severity</th> 325 <th>Updated versions</th> 326 <th>Date reported</th> 327 </tr> 328 <tr> 329 <td>CVE-2016-0819</td> 330 <td>ANDROID-25364034*</td> 331 <td>Critical</td> 332 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 333 <td>Oct 29, 2015</td> 334 </tr> 335 </table> 336 337 338 <p>* The patch for this issue is not in AOSP. The update is contained in the 339 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 340 341 <h3 id=elevation_of_privilege_vulnerability_in_mediatek_wi-fi_kernel_driver>Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel Driver</h3> 342 343 344 <p>There is a vulnerability in the MediaTek Wi-Fi kernel driver that could enable 345 a local malicious application to execute arbitrary code within the context of 346 the kernel. This issue is rated as a Critical severity due to the possibility 347 of elevation of privilege and arbitrary code execution in the context of the 348 kernel.</p> 349 <table> 350 <tr> 351 <th>CVE</th> 352 <th>Bug</th> 353 <th>Severity</th> 354 <th>Updated versions</th> 355 <th>Date reported</th> 356 </tr> 357 <tr> 358 <td>CVE-2016-0820</td> 359 <td>ANDROID-26267358*</td> 360 <td>Critical</td> 361 <td>6.0.1</td> 362 <td>Dec 18, 2015</td> 363 </tr> 364 </table> 365 366 367 <p>* The patch for this issue is not in AOSP. The update is contained in the 368 latest binary drivers for Nexus devices available from the 369 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 370 371 <h3 id=elevation_of_privilege_vulnerability_in_kernel_keyring_component>Elevation of Privilege Vulnerability in Kernel Keyring Component</h3> 372 373 374 <p>An elevation of privilege vulnerability in the Kernel Keyring Component could 375 enable a local malicious application to execute arbitrary code within the 376 kernel. This issue is rated as a Critical severity due to the possibility of a 377 local permanent device compromise and the device could potentially only be 378 repaired by re-flashing the operating system. However, in Android versions 5.0 379 and above, SELinux rules prevents third-party applications from reaching the 380 affected code.</p> 381 382 <p><strong>Note:</strong> For reference, the patch in AOSP is available for specific kernel versions: 383 <a href="https://android.googlesource.com/kernel/common/+/8a8431507f8f5910db5ac85b72dbdc4ed8f6b308">4.1</a>, 384 <a href="https://android.googlesource.com/kernel/common/+/ba8bb5774ca7b1acc314c98638cf678ce0beb19a">3.18</a>, 385 <a href="https://android.googlesource.com/kernel/common/+/93faf7ad3d603c33b33e49318e81cf00f3a24a73">3.14</a>, 386 and <a href="https://android.googlesource.com/kernel/common/+/9fc5f368bb89b65b591c4f800dfbcc7432e49de5">3.10</a>.</p> 387 <table> 388 <tr> 389 <th>CVE</th> 390 <th>Bug</th> 391 <th>Severity</th> 392 <th>Updated versions</th> 393 <th>Date reported</th> 394 </tr> 395 <tr> 396 <td>CVE-2016-0728</td> 397 <td>ANDROID-26636379 </td> 398 <td>Critical</td> 399 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 </td> 400 <td>Jan 11, 2016</td> 401 </tr> 402 </table> 403 404 405 <h3 id=mitigation_bypass_vulnerability_in_the_kernel>Mitigation Bypass Vulnerability in the Kernel</h3> 406 407 408 <p>A mitigation bypass vulnerability in the kernel could permit a bypass of 409 security measures in place to increase the difficulty of attackers exploiting 410 the platform. This issue is rated as High severity because it could permit a 411 bypass of security measures in place to increase the difficulty of attackers 412 exploiting the platform.</p> 413 414 <p><strong>Note:</strong> The update for this issue is 415 <a href="https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf">located in the Linux upstream</a>.</p> 416 417 <table> 418 <tr> 419 <th>CVE</th> 420 <th>Bug</th> 421 <th>Severity</th> 422 <th>Updated versions</th> 423 <th>Date reported</th> 424 </tr> 425 <tr> 426 <td>CVE-2016-0821</td> 427 <td>ANDROID-26186802</td> 428 <td>High</td> 429 <td>6.0.1</td> 430 <td>Google Internal</td> 431 </tr> 432 </table> 433 434 435 <h3 id=elevation_of_privilege_in_mediatek_connectivity_kernel_driver>Elevation of Privilege in MediaTek Connectivity Kernel Driver</h3> 436 437 438 <p>There is an elevation of privilege vulnerability in a MediaTek connectivity 439 kernel driver that could enable a local malicious application to execute 440 arbitrary code within the context of the kernel. Normally a kernel code execution 441 bug like this would be rated critical, but because it requires first compromising 442 the conn_launcher service, it justifies a downgrade to High severity rating. 443 </p> 444 <table> 445 <tr> 446 <th>CVE</th> 447 <th>Bug</th> 448 <th>Severity</th> 449 <th>Updated versions</th> 450 <th>Date reported</th> 451 </tr> 452 <tr> 453 <td>CVE-2016-0822</td> 454 <td>ANDROID-25873324*</td> 455 <td>High</td> 456 <td>6.0.1</td> 457 <td>Nov 24, 2015</td> 458 </tr> 459 </table> 460 461 462 <p>* The patch for this issue is not in AOSP. The update is contained in the 463 latest binary drivers for Nexus devices available from the 464 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 465 466 <h3 id=information_disclosure_vulnerability_in_kernel>Information Disclosure Vulnerability in Kernel</h3> 467 468 469 <p>An information disclosure vulnerability in the kernel could permit a bypass of 470 security measures in place to increase the difficulty of attackers exploiting 471 the platform. These issues are rated as High severity because they could allow 472 a local bypass of exploit mitigation technologies such as ASLR in a privileged 473 process.</p> 474 475 <p><strong>Note:</strong> The fix for this issue is 476 <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce">located in Linux upstream</a>.</p> 477 <table> 478 <tr> 479 <th>CVE</th> 480 <th>Bug</th> 481 <th>Severity</th> 482 <th>Updated versions</th> 483 <th>Date reported</th> 484 </tr> 485 <tr> 486 <td>CVE-2016-0823</td> 487 <td>ANDROID-25739721*</td> 488 <td>High</td> 489 <td>6.0.1</td> 490 <td>Google Internal</td> 491 </tr> 492 </table> 493 <p>* The patch for this issue is not in AOSP. The update is contained in the 494 latest binary drivers for Nexus devices available from the 495 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 496 497 <h3 id=information_disclosure_vulnerability_in_libstagefright>Information Disclosure Vulnerability in libstagefright</h3> 498 499 500 <p>An information disclosure vulnerability in libstagefright could permit a bypass 501 of security measures in place to increase the difficulty of attackers 502 exploiting the platform. These issues are rated as High severity because they 503 could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 504 <table> 505 <tr> 506 <th>CVE</th> 507 <th>Bug with AOSP link</th> 508 <th>Severity</th> 509 <th>Updated versions</th> 510 <th>Date reported</th> 511 </tr> 512 <tr> 513 <td>CVE-2016-0824</td> 514 <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/ffab15eb80630dc799eb410855c93525b75233c3">ANDROID-25765591</a> 515 </td> 516 <td>High</td> 517 <td>6.0, 6.0.1</td> 518 <td>Nov 18, 2015</td> 519 </tr> 520 </table> 521 522 523 <h3 id=information_disclosure_vulnerability_in_widevine>Information Disclosure Vulnerability in Widevine</h3> 524 525 526 <p>An information disclosure vulnerability in the Widevine Trusted Application 527 could allow code running in the kernel context to access information in 528 TrustZone secure storage. This issue is rated as High severity because it could 529 be used to gain elevated capabilities, such as 530 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 531 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 532 permissions privileges.</p> 533 <table> 534 <tr> 535 <th>CVE</th> 536 <th>Bug(s)</th> 537 <th>Severity</th> 538 <th>Updated versions</th> 539 <th>Date reported</th> 540 </tr> 541 <tr> 542 <td>CVE-2016-0825</td> 543 <td>ANDROID-20860039*</td> 544 <td>High</td> 545 <td>6.0.1</td> 546 <td>Google Internal</td> 547 </tr> 548 </table> 549 550 551 <p>* The patch for this issue is not in AOSP. The update is contained in the 552 latest binary drivers for Nexus devices available from the 553 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 554 555 <h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3> 556 557 558 <p>An elevation of privilege vulnerability in mediaserver could enable a local 559 malicious application to execute arbitrary code within the context of an 560 elevated system application. This issue is rated as High severity because it 561 could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 562 <table> 563 <tr> 564 <th>CVE</th> 565 <th>Bugs with AOSP links</th> 566 <th>Severity</th> 567 <th>Updated versions</th> 568 <th>Date reported</th> 569 </tr> 570 <tr> 571 <td>CVE-2016-0826</td> 572 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c9ab2b0bb05a7e19fb057e79b36e232809d70122">ANDROID-26265403</a> 573 <a href="https://android.googlesource.com/platform/frameworks/av/+/899823966e78552bb6dfd7772403a4f91471d2b0">[2]</a> 574 </td> 575 <td>High</td> 576 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 577 <td>Dec 17, 2015</td> 578 </tr> 579 <tr> 580 <td>CVE-2016-0827</td> 581 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/9e29523b9537983b4c4b205ff868d0b3bca0383b">ANDROID-26347509</a></td> 582 <td>High</td> 583 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 584 <td>Dec 28, 2015</td> 585 </tr> 586 </table> 587 588 589 <h3 id=information_disclosure_vulnerability_in_mediaserver>Information Disclosure Vulnerability in Mediaserver </h3> 590 591 592 <p>An information disclosure vulnerability in mediaserver could permit a bypass of 593 security measures in place to increase the difficulty of attackers exploiting 594 the platform. These issues are rated as High severity because they could also 595 be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 596 <table> 597 <tr> 598 <th>CVE</th> 599 <th>Bugs with AOSP links</th> 600 <th>Severity</th> 601 <th>Updated versions</th> 602 <th>Date reported</th> 603 </tr> 604 <tr> 605 <td>CVE-2016-0828</td> 606 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755">ANDROID-26338113</a> 607 </td> 608 <td>High</td> 609 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 610 <td>Dec 27, 2015</td> 611 </tr> 612 <tr> 613 <td>CVE-2016-0829</td> 614 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/d06421fd37fbb7fd07002e6738fac3a223cb1a62">ANDROID-26338109</a></td> 615 <td>High</td> 616 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 617 <td>Dec 27, 2015</td> 618 </tr> 619 </table> 620 621 622 <h3 id=remote_denial_of_service_vulnerability_in_bluetooth>Remote Denial of Service Vulnerability in Bluetooth</h3> 623 624 625 <p>A remote denial of service vulnerability in the Bluetooth component could allow 626 a proximal attacker to block access to an affected device. An attacker could 627 cause an overflow of identified Bluetooth devices in the Bluetooth component, 628 which leads to memory corruption and service stop. This is rated as a High 629 severity because it leads to a Denial of Service to the Bluetooth service, which 630 could potentially only be fixed with a flash of the device.</p> 631 <table> 632 <tr> 633 <th>CVE</th> 634 <th>Bug with AOSP link</th> 635 <th>Severity</th> 636 <th>Updated versions</th> 637 <th>Date reported</th> 638 </tr> 639 <tr> 640 <td>CVE-2016-0830</td> 641 <td><a href="https://android.googlesource.com/platform/system/bt/+/d77f1999ecece56c1cbb333f4ddc26f0b5bac2c5">ANDROID-26071376</a></td> 642 <td>High</td> 643 <td>6.0, 6.0.1</td> 644 <td>Google Internal</td> 645 </tr> 646 </table> 647 648 649 <h3 id=information_disclosure_vulnerability_in_telephony>Information Disclosure Vulnerability in Telephony</h3> 650 651 652 <p>An information disclosure vulnerability in the Telephony component could allow 653 an application to access sensitive information. This issue is rated Moderate 654 severity because it could be used to improperly access data without 655 permission.</p> 656 <table> 657 <tr> 658 <th>CVE</th> 659 <th>Bug with AOSP link</th> 660 <th>Severity</th> 661 <th>Updated versions</th> 662 <th>Date reported</th> 663 </tr> 664 <tr> 665 <td>CVE-2016-0831</td> 666 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/79eecef63f3ea99688333c19e22813f54d4a31b1">ANDROID-25778215</a></td> 667 <td>Moderate</td> 668 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 669 <td>Nov 16, 2015</td> 670 </tr> 671 </table> 672 673 674 <h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> 675 676 677 <p>A vulnerability in the Setup Wizard could enable an attacker who had physical 678 access to the device to gain access to device settings and perform a manual 679 device reset. This issue is rated as Moderate severity because it could be used 680 to improperly work around the factory reset protection.</p> 681 <table> 682 <tr> 683 <th>CVE</th> 684 <th>Bug(s)</th> 685 <th>Severity</th> 686 <th>Updated versions</th> 687 <th>Date reported</th> 688 </tr> 689 <tr> 690 <td>CVE-2016-0832</td> 691 <td>ANDROID-25955042*</td> 692 <td>Moderate</td> 693 <td>5.1.1, 6.0, 6.0.1</td> 694 <td>Google Internal</td> 695 </tr> 696 </table> 697 698 699 <p>* There is no source code patch provided for this update.</p> 700 701 <h2 id=common_questions_and_answers>Common Questions and Answers</h2> 702 703 704 <p>This section reviews answers to common questions that may occur after reading 705 this bulletin.</p> 706 707 <p><strong>1. How do I determine if my device is updated to address these issues? </strong></p> 708 709 <p>Builds LMY49H or later and Android 6.0 with Security Patch Level of March 1, 710 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 711 manufacturers that include these updates should set the patch string level to: 712 [ro.build.version.security_patch]:[2016-03-01]</p> 713 714 <h2 id=revisions>Revisions</h2> 715 716 717 <ul> 718 <li> March 07, 2016: Bulletin published. 719 <li> March 08, 2016: Bulletin revised to include AOSP links. 720 </ul> 721
