<html devsite>
  <head>
    <title>Nexus Security Bulletin - September 2015</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p><em>Published September 9, 2015</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process
(Build LMY48M). The updates for Nexus devices and source code patches for these
issues have also been released to the Android Open Source Project (AOSP) source
repository. The most severe of these issues is a Critical security
vulnerability that could enable remote code execution on an affected device.</p>

<p>The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
Builds LMY48M or later address these issues. Partners were notified about
these issues on August 13, 2015 or earlier.</p>

<p>We have not detected customer exploitation of the newly reported issues. The
exception is the existing issue (CVE-2015-3636). Refer to the <a href="#mitigations">Mitigations</a> section for details on the
<a href="/security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which reduce the likelihood that
security vulnerabilities can be successfully exploited on Android.</p>

<p>Please note that both Critical security updates (CVE-2015-3864 and
CVE-2015-3636) address already disclosed vulnerabilities. There are no newly
disclosed Critical security vulnerabilities in this update. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or successfully bypassed.</p>

<p>We encourage all customers to accept these updates to their devices.</p>

<h2 id=mitigations>Mitigations</h2>


<p>This is a summary of the mitigations provided by the <a href="/security/enhancements">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities can be successfully exploited on
Android.</p>

<ul>
  <li> Exploitation of many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
  <li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet, which warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play. To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove it.
  <li> As appropriate, the Google Hangouts and Messenger applications do not automatically
pass media to processes such as mediaserver.
</ul>

<h2 id=acknowledgements>Acknowledgements</h2>


<p>We would like to thank these researchers for their contributions:</p>

<ul>
  <li> Jordan Gruskovnjak of Exodus Intelligence (@jgrusko): CVE-2015-3864
  <li> Michał Bednarski: CVE-2015-3845
  <li> Guang Gong of Qihoo 360 Technology Co. Ltd (@oldfresher): CVE-2015-1528,
       CVE-2015-3849
  <li> Brennan Lautner: CVE-2015-3863
  <li> jgor (@indiecom): CVE-2015-3860
  <li> Wish Wu of Trend Micro Inc. (@wish_wu): CVE-2015-3861
</ul>

<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>


<p>In the sections below, we provide details for each of the security
vulnerabilities in this bulletin. There is a description of the issue, a severity rationale, and a table
with the CVE, associated bug, severity, and affected versions.
Where available, we've linked the AOSP change that addressed the issue to the
bug ID. When multiple changes relate to a single bug, additional AOSP
references are linked to numbers following the bug ID.</p>

<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>


<p>During processing of a specially crafted media file, a vulnerability in
mediaserver could allow an attacker to cause memory corruption and remote code
execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system,
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as Critical severity due to the possibility of remote
code execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams as well as to privileges
that third-party apps cannot normally access.</p>

<p>This issue is related to the already reported CVE-2015-3824 (ANDROID-20923261).
The original security update was not sufficient to address a variant of the
originally reported issue.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3864</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968">ANDROID-23034759</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>
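<p>The bulletin describes the mediaserver defect only as memory corruption while
parsing a crafted file, and notes that the first fix left a variant unaddressed.
The following is an added example, not AOSP code and not the actual defect behind
CVE-2015-3864: it models the parser pattern most often behind this class of bug,
summing attacker-controlled length fields into a fixed-width integer before sizing
a heap buffer, and shows the vulnerable accumulation beside a hardened one that
checks every addition. The record layout (4-byte big-endian length, 4-byte tag)
and the sample bytes are constructed for illustration.</p>

```c
/*
 * Added example (not AOSP code): models how a media container parser that
 * sums attacker-controlled length fields into a fixed-width integer can wrap
 * the total and then size a heap buffer too small for the copy that follows.
 * The record layout (4-byte big-endian length, 4-byte tag) and the sample
 * input are constructed for illustration; they are not the MPEG-4 parsing
 * code or the actual defect fixed by CVE-2015-3864.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t len32_t;        /* models a 32-bit size_t on 2015 ARM devices */
#define RECORD_HDR 8             /* length + tag; payload is not walked here */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable pattern: every record's declared length is added to a running
 * total that is later handed to realloc(), with no overflow check. The total
 * can wrap to a small number while the per-record copy still uses the large
 * declared length. Nothing is allocated or copied here, so running it is
 * harmless; it only reports the wrapped total.
 */
int sum_lengths_vulnerable(const uint8_t *buf, size_t buflen, len32_t *total_out) {
    len32_t total = 0;
    for (size_t off = 0; off + RECORD_HDR <= buflen; off += RECORD_HDR) {
        uint32_t declared = be32(buf + off);
        total += declared;                       /* silent wrap on overflow */
    }
    *total_out = total;
    return 0;
}

/*
 * Hardened pattern: check each addition before performing it and treat a
 * would-be overflow as a malformed file. A single check up front is not
 * enough: a later record can still push a so-far-valid total past the limit,
 * which is the kind of variant an incomplete first fix misses.
 */
int sum_lengths_hardened(const uint8_t *buf, size_t buflen, len32_t *total_out) {
    len32_t total = 0;
    for (size_t off = 0; off + RECORD_HDR <= buflen; off += RECORD_HDR) {
        uint32_t declared = be32(buf + off);
        if (declared > UINT32_MAX - total)
            return -1;                           /* malformed: would overflow */
        total += declared;
    }
    *total_out = total;
    return 0;
}

/* Constructed input: a record declaring 16 bytes, then one declaring 0xFFFFFFF8. */
static const uint8_t SAMPLE[] = {
    0x00, 0x00, 0x00, 0x10, 's', 'a', 'm', 'p',
    0xFF, 0xFF, 0xFF, 0xF8, 's', 'a', 'm', 'p',
};

/* Returns the wrapped total the vulnerable parser would pass to realloc(). */
len32_t demo_vulnerable_total(void) {
    len32_t total = 0;
    sum_lengths_vulnerable(SAMPLE, sizeof SAMPLE, &total);
    return total;                                /* 0x10 + 0xFFFFFFF8 wraps to 8 */
}

/* Returns -1: the hardened parser rejects the same input as malformed. */
int demo_hardened_result(void) {
    len32_t total = 0;
    return sum_lengths_hardened(SAMPLE, sizeof SAMPLE, &total);
}

int main(void) {
    printf("vulnerable: buffer would be %u bytes for a %u-byte copy\n",
           demo_vulnerable_total(), be32(SAMPLE + RECORD_HDR));
    printf("hardened: result %d (file rejected)\n", demo_hardened_result());
    return 0;
}
```

<p>With GCC or Clang the per-addition check can be written as
<code>__builtin_add_overflow(total, declared, &amp;total)</code>, which also keeps
the check in the same width as the accumulator; mixing a 64-bit declared length
with a 32-bit total is exactly where a hand-written comparison tends to go wrong.</p>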


<h3 id=elevation_privilege_vulnerability_in_kernel>Elevation of Privilege Vulnerability in Kernel</h3>


<p>An elevation of privilege vulnerability in the Linux kernel's handling of ping
sockets could allow a malicious application to execute arbitrary code in the
context of the kernel.</p>

<p>This issue is rated as Critical severity due to the possibility of code
execution in a privileged service that can bypass device protections,
potentially leading to permanent compromise (i.e., requiring re-flashing the
system partition) on some devices.</p>

<p>This issue was first publicly identified on May 01, 2015. An exploit of this
vulnerability has been included in a number of rooting tools that may be used
by the device owner to modify the firmware on their device.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3636</td>
    <td><a href="https://github.com/torvalds/linux/commit/a134f083e79f">ANDROID-20770158</a></td>
    <td>Critical</td>
    <td>5.1 and below</td>
 </tr>
</table>
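<p>The bulletin names the subsystem (ping sockets) but not the defect. What a
practitioner can check on a device is whether unprivileged code can reach that
kernel code at all: Linux lets a process without raw-socket privileges open an
ICMP ping socket only when its effective or a supplementary gid lies inside
<code>net.ipv4.ping_group_range</code> (the upstream default "1 0" disables it,
and Android's init scripts widen it to cover every gid so apps can ping). The
following is an added example, not AOSP or kernel code, that reads and parses that
sysctl and then attempts the socket call itself; the sample range strings are
constructed.</p>

```c
/*
 * Added example (not AOSP or kernel code): reports whether the calling
 * process can open an ICMP "ping" socket, which is the precondition for an
 * unprivileged app to reach the kernel's ping-socket code. The kernel admits
 * the caller when its effective gid, or one of its supplementary gids, falls
 * inside net.ipv4.ping_group_range; a range whose low end exceeds its high
 * end (the upstream default "1 0") disables unprivileged ping sockets.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Parse the two-number text of /proc/sys/net/ipv4/ping_group_range (the
 * kernel separates the numbers with a tab) and return 1 if gid lies in the
 * inclusive range, 0 if not, -1 if the text does not parse.
 */
int gid_in_ping_range(const char *range_text, long gid) {
    long lo, hi;
    if (sscanf(range_text, "%ld %ld", &lo, &hi) != 2)
        return -1;
    return (lo <= gid && gid <= hi) ? 1 : 0;
}

/* Read the sysctl text from procfs into out; returns 0 on success, -1 on error. */
int read_ping_group_range(char *out, size_t outlen) {
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    if (!fgets(out, (int)outlen, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/*
 * Try the syscall itself. socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) is the
 * unprivileged ping socket; the kernel refuses it with EACCES when the caller
 * is outside the group range. Returns 1 if a ping socket could be opened,
 * 0 if it was refused on permission grounds, -1 on any other error (for
 * example a kernel built without ping sockets).
 */
int can_open_ping_socket(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == EACCES || errno == EPERM) ? 0 : -1;
}

int main(void) {
    char range[64];
    long egid = (long)getegid();
    if (read_ping_group_range(range, sizeof range) == 0)
        printf("ping_group_range = \"%s\"; egid %ld in range: %d\n",
               range, egid, gid_in_ping_range(range, egid));
    else
        printf("could not read ping_group_range: %s\n", strerror(errno));
    printf("ping socket open attempt: %d\n", can_open_ping_socket());
    return 0;
}
```

<p>Run it as an unprivileged user (on a device, under <code>adb shell</code>) to see
both the policy and the syscall result; the two can disagree when a supplementary
gid rather than the effective gid is the one in range, which is why the syscall
attempt is the authoritative check.</p>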


<h3 id=elevation_of_privilege_vulnerability_in_binder>Elevation of Privilege Vulnerability in Binder</h3>


<p>An elevation of privilege vulnerability in Binder could allow a malicious
application to execute arbitrary code within the context of another app's
process.</p>

<p>This issue is rated as High severity because it allows a malicious application
to gain privileges not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3845</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20">ANDROID-17312693</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
 <tr>
    <td>CVE-2015-1528</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254">ANDROID-19334482</a> [<a href="https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14">2</a>]</td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_keystore>Elevation of Privilege Vulnerability in Keystore</h3>


<p>An elevation of privilege vulnerability in Keystore could allow a malicious
application to execute arbitrary code within the context of the keystore
service. This could allow unauthorized use of keys stored by Keystore,
including hardware-backed keys.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3863</td>
    <td><a href="https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b">ANDROID-22802399</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_region>Elevation of Privilege Vulnerability in Region</h3>


<p>An elevation of privilege vulnerability in Region could, through creation of a
malicious message to a service, allow a malicious application to execute
arbitrary code within the context of the target service.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3849</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885">ANDROID-20883006</a> [<a href="https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3">2</a>]</td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_sms_enables_notification_bypass>Elevation of Privilege Vulnerability in SMS Enables Notification Bypass</h3>


<p>An elevation of privilege vulnerability in the way that Android processes SMS
messages could enable a malicious application to send an SMS message that
bypasses the premium-rate SMS warning notification.</p>

<p>This issue is rated as High severity because it can be used to gain privileges
not accessible to a third-party application.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3858</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586">ANDROID-22314646</a></td>
    <td>High</td>
    <td>5.1 and below</td>
 </tr>
</table>


<h3 id=elevation_of_privilege_vulnerability_in_lockscreen>Elevation of Privilege Vulnerability in Lockscreen</h3>


<p>An elevation of privilege vulnerability in Lockscreen could allow a malicious
user to bypass the lockscreen by causing it to crash. This issue is classified
as a vulnerability only on Android 5.0 and 5.1. While it is possible to cause
the System UI to crash from the lockscreen in a similar way on 4.4, the home
screen cannot be accessed and the device must be rebooted to recover.</p>

<p>This issue is rated as Moderate severity because it potentially allows
someone with physical access to a device to install third-party apps without
the device's owner approving the permissions. It can also allow the attacker to
view contact data, phone logs, SMS messages, and other data that is normally
protected by a "dangerous" level permission.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3860</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590">ANDROID-22214934</a></td>
    <td>Moderate</td>
    <td>5.1 and 5.0</td>
 </tr>
</table>


<h3 id=denial_of_service_vulnerability_in_mediaserver>Denial of Service Vulnerability in Mediaserver</h3>


<p>A denial of service vulnerability in mediaserver could allow a local attacker
to temporarily block access to an affected device.</p>

<p>This issue is rated as Low severity because a user could reboot into safe
mode to remove a malicious application that is exploiting this issue. It is
also possible to cause mediaserver to process the malicious file remotely
through the web or over MMS; in that case the mediaserver process crashes and
the device remains usable.</p>
<table>
 <tr>
    <th>CVE</th>
    <th>Bug(s) with AOSP links</th>
    <th>Severity</th>
    <th>Affected Versions</th>
 </tr>
 <tr>
    <td>CVE-2015-3861</td>
    <td><a href="https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0">ANDROID-21296336</a></td>
    <td>Low</td>
    <td>5.1 and below</td>
 </tr>
</table>



  </body>
</html>