1 <html devsite> 2 <head> 3 <title>Nexus Security Bulletin - November 2015</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published November 02, 2015</em></p> 27 28 <p>We have released a security update to Nexus devices through an over-the-air 29 (OTA) update as part of our Android Security Bulletin Monthly Release process. 30 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48X or later and Android Marshmallow with Security Patch Level of 31 November 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 32 33 <p>Partners were notified about these issues on October 5, 2015 or earlier. Source 34 code patches for these issues will be released to the Android Open Source 35 Project (AOSP) repository over the next 48 hours. We will revise this bulletin 36 with the AOSP links when they are available.</p> 37 38 <p>The most severe of these issues is a Critical security vulnerability that could 39 enable remote code execution on an affected device through multiple methods 40 such as email, web browsing, and MMS when processing media files. The 41 <a href="/security/overview/updates-resources.html#severity">severity 42 assessment</a> is based on the effect that exploiting the vulnerability would 43 possibly have on an affected device, assuming the platform and service 44 mitigations are disabled for development purposes or if successfully bypassed.</p> 45 46 <p>We have had no reports of active customer exploitation of these newly reported 47 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="/security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 48 Android platform. We encourage all customers to accept these updates to their 49 devices.</p> 50 51 <h2 id=mitigations>Mitigations</h2> 52 53 54 <p>This is a summary of the mitigations provided by the <a href="/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 55 likelihood that security vulnerabilities can be successfully exploited on 56 Android. </p> 57 58 <ul> 59 <li> Exploitation for many issues on Android is made more difficult by enhancements 60 in newer versions of the Android platform. We encourage all users to update to 61 the latest version of Android where possible. 62 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 63 SafetyNet which will warn about potentially harmful applications about to be 64 installed. Device rooting tools are prohibited within Google Play. To protect 65 users who install applications from outside of Google Play, Verify Apps is 66 enabled by default and will warn users about known rooting applications. Verify 67 Apps attempts to identify and block installation of known malicious 68 applications that exploit a privilege escalation vulnerability. If such an 69 application has already been installed, Verify Apps will notify the user and 70 attempt to remove any such applications. 71 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 72 pass media to processes such as mediaserver. 73 </ul> 74 75 <h2 id=acknowledgements>Acknowledgements</h2> 76 77 78 <p>We would like to thank these researchers for their contributions:</p> 79 80 <ul> 81 <li> Abhishek Arya, Oliver Chang and Martin Barbella, Google Chrome Security Team: 82 CVE-2015-6608 83 <li> Daniel Micay (daniel.micay (a] copperhead.co) at Copperhead Security: CVE-2015-6609 84 <li> Dongkwan Kim of System Security Lab, KAIST (dkay (a] kaist.ac.kr): CVE-2015-6614 85 <li> Hongil Kim of System Security Lab, KAIST (hongilk (a] kaist.ac.kr): CVE-2015-6614 86 <li> Jack Tang of Trend Micro (@jacktang310): CVE-2015-6611 87 <li> Peter Pi of Trend Micro: CVE-2015-6611 88 <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6608 89 <li> Qidan He (@flanker_hqd) and Wen Xu (@antlr7) from KeenTeam (@K33nTeam, 90 http://k33nteam.org/): CVE-2015-6612 91 <li> Guang Gong (龚广) (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang (a] gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology CC 92 o.Ltd</a>: CVE-2015-6612 93 <li> Seven Shen of Trend Micro: CVE-2015-6610 94 </ul> 95 96 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 97 98 99 <p>In the sections below, we provide details for each of the security 100 vulnerabilities that apply to the 2015-11-01 patch level. 101 There is a description of the issue, a severity rationale, and a table 102 with the CVE, associated bug, severity, affected versions, and date reported. 103 Where available, weve linked the AOSP change that addressed the issue to the 104 bug ID. When multiple changes relate to a single bug, additional AOSP 105 references are linked to numbers following the bug ID.</p> 106 107 <h3 id=remote_code_execution_vulnerabilities_in_mediaserver>Remote Code Execution Vulnerabilities in Mediaserver</h3> 108 109 110 <p>During media file and data processing of a specially crafted file, 111 vulnerabilities in mediaserver could allow an attacker to cause memory 112 corruption and remote code execution as the mediaserver process.</p> 113 114 <p>The affected functionality is provided as a core part of the operating system 115 and there are multiple applications that allow it to be reached with remote 116 content, most notably MMS and browser playback of media.</p> 117 118 <p>This issue is rated as a Critical severity due to the possibility of remote 119 code execution within the context of the mediaserver service. The mediaserver 120 service has access to audio and video streams as well as access to privileges 121 that third-party apps cannot normally access.</p> 122 <table> 123 <tr> 124 <th>CVE</th> 125 <th>Bug(s) with AOSP links</th> 126 <th>Severity</th> 127 <th>Affected versions</th> 128 <th>Date reported</th> 129 </tr> 130 <tr> 131 <td rowspan="6">CVE-2015-6608</td> 132 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8ec845c8fe0f03bc57c901bc484541bdd6a7cf80">ANDROID-19779574</a></td> 133 <td rowspan="3">Critical</td> 134 <td rowspan="3">5.0, 5.1, 6.0</td> 135 <td rowspan="3">Google Internal</td> 136 </tr> 137 <tr> 138 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c6a2815eadfce62702d58b3fa3887f24c49e1864">ANDROID-23680780</a></td> 139 </tr> 140 <tr> 141 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Faac/+/b3c5a4bb8442ab3158fa1f52b790fadc64546f46">ANDROID-23876444</a></td> 142 </tr> 143 <tr> 144 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd">ANDROID-23881715</a></td> 145 <td>Critical</td> 146 <td>4.4, 5.0, 5.1, 6.0</td> 147 <td>Google Internal</td> 148 </tr> 149 <tr> 150 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872">ANDROID-14388161</a></td> 151 <td>Critical</td> 152 <td>4.4 and 5.1</td> 153 <td>Google Internal</td> 154 </tr> 155 <tr> 156 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f3eb82683a80341f5ac23057aab733a57963cab2">ANDROID-23658148</a></td> 157 <td>Critical</td> 158 <td>5.0, 5.1, 6.0</td> 159 <td>Google Internal</td> 160 </tr> 161 </table> 162 163 164 <h3 id=remote_code_execution_vulnerability_in_libutils>Remote Code Execution Vulnerability in libutils</h3> 165 166 167 <p>A vulnerability in libutils, a generic library, can be exploited during audio 168 file processing. This vulnerability could allow an attacker, during processing 169 of a specially crafted file, to cause memory corruption and remote code 170 execution.</p> 171 172 <p>The affected functionality is provided as an API and there are multiple 173 applications that allow it to be reached with remote content, most notably MMS 174 and browser playback of media. This issue is rated as a Critical severity issue 175 due to the possibility of remote code execution in a privileged service. The 176 affected component has access to audio and video streams as well as access to 177 privileges that third-party apps cannot normally access.</p> 178 179 <table> 180 <tr> 181 <th>CVE</th> 182 <th>Bug(s) with AOSP links</th> 183 <th>Severity</th> 184 <th>Affected versions</th> 185 <th>Date reported</th> 186 </tr> 187 <tr> 188 <td>CVE-2015-6609</td> 189 <td><a href="https://android.googlesource.com/platform%2Fbootable%2Frecovery/+/ec63d564a86ad5b30f75aa307b4bd271f6a96a56">ANDROID-22953624</a> 190 [<a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/419e6c3c68413bd6dbb6872340b2ae0d69a0fd60">2</a>]</td> 191 <td>Critical</td> 192 <td>6.0 and below</td> 193 <td>Aug 3, 2015</td> 194 </tr> 195 </table> 196 197 198 <h3 id=information_disclosure_vulnerabilities_in_mediaserver>Information Disclosure Vulnerabilities in Mediaserver</h3> 199 200 201 <p>There are information disclosure vulnerabilities in mediaserver that can permit 202 a bypass of security measures in place to increase the difficulty of attackers 203 exploiting the platform.</p> 204 <table> 205 <tr> 206 <th>CVE</th> 207 <th>Bug(s) with AOSP links</th> 208 <th>Severity</th> 209 <th>Affected versions</th> 210 <th>Date reported</th> 211 </tr> 212 <tr> 213 <td rowspan="12">CVE-2015-6611</td> 214 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/1c7719820359f4190cd4bfd1a24d521face7b4f8">ANDROID-23905951</a> 215 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3b76870d146b1350db8a2f7797e06897c8c92dc2">2</a>] 216 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/40715a2ee896edd2df4023d9f6f586977887d34c">3</a>] </td> 217 <td rowspan="3">High</td> 218 <td rowspan="3">6.0 and below</td> 219 <td rowspan="3">Sep 07, 2015</td> 220 </tr> 221 <tr> 222 <td>ANDROID-23912202*</td> 223 </tr> 224 <tr> 225 <td>ANDROID-23953967*</td> 226 </tr> 227 <tr> 228 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/b414255f53b560a06e642251535b019327ba0d7b">ANDROID-23696300</a></td> 229 <td>High</td> 230 <td>6.0 and below</td> 231 <td>Aug 31, 2015</td> 232 </tr> 233 <tr> 234 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/09ed70fab1f1424971ccc105dcdf5be5ce2e2643">ANDROID-23600291</a></td> 235 <td>High</td> 236 <td>6.0 and below</td> 237 <td>Aug 26, 2015</td> 238 </tr> 239 <tr> 240 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/892354335d49f0b9fcd10e20e0c13e3cd0f1f1cb">ANDROID-23756261</a> 241 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/a946d844a77906072f5eb7093d41db465d6514bb">2</a>]</td> 242 <td>High</td> 243 <td>6.0 and below</td> 244 <td>Aug 26, 2015</td> 245 </tr> 246 <tr> 247 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/57bed83a539535bb64a33722fb67231119cb0618">ANDROID-23540907</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/25a634427dec455b79d73562131985ae85b98c43">2</a>]</td> 248 <td>High</td> 249 <td>5.1 and below</td> 250 <td>Aug 25, 2015</td> 251 </tr> 252 <tr> 253 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d53aced041b7214a92b1f2fd5970d895bb9934e5">ANDROID-23541506</a></td> 254 <td rowspan="4">High</td> 255 <td rowspan="4">6.0 and below</td> 256 <td rowspan="4">Aug 25, 2015</td> 257 </tr> 258 <tr> 259 <td>ANDROID-23284974*</td> 260 </tr> 261 <tr> 262 <td>ANDROID-23542351*</td> 263 </tr> 264 <tr> 265 <td>ANDROID-23542352*</td> 266 </tr> 267 <tr> 268 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0981df6e3db106bfb7a56a2b668c012fcc34dd2c">ANDROID-23515142</a></td> 269 <td>High</td> 270 <td>5.1 and below</td> 271 <td>Aug 19, 2015</td> 272 </tr> 273 </table> 274 <p>* The patch for this bug is included in other provided AOSP links.</p> 275 276 <h3 id=elevation_of_privilege_vulnerability_in_libstagefright>Elevation of Privilege Vulnerability in libstagefright</h3> 277 278 279 <p>There is an elevation of privilege vulnerability in libstagefright that can 280 enable a local malicious application to cause memory corruption and arbitrary 281 code execution within the context of the mediaserver service. While this issue 282 would normally be rated Critical, we have assessed this issue as High 283 severity because of a lower likelihood that it can be exploited remotely.</p> 284 <table> 285 <tr> 286 <th>CVE</th> 287 <th>Bug(s) with AOSP links</th> 288 <th>Severity</th> 289 <th>Affected versions</th> 290 <th>Date reported</th> 291 </tr> 292 <tr> 293 <td>CVE-2015-6610</td> 294 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d26052738f7b095b7e318c8dde7f32db0a48450c">ANDROID-23707088</a> 295 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/820c105f7a4dc0971ee563caea4c9b346854a2f7">2</a>]</td> 296 <td>High</td> 297 <td>6.0 and below</td> 298 <td>Aug 19, 2015</td> 299 </tr> 300 </table> 301 302 303 <h3 id=elevation_of_privilege_vulnerability_in_libmedia>Elevation of Privilege Vulnerability in libmedia</h3> 304 305 306 <p>There is a vulnerability in libmedia that can enable a local malicious 307 application to execute arbitrary code within the context of the mediaserver 308 service. This issue is rated as High severity because it can be used to access 309 privileges which are not directly accessible to a third-party application. </p> 310 <table> 311 <tr> 312 <th>CVE</th> 313 <th>Bug(s) with AOSP links</th> 314 <th>Severity</th> 315 <th>Affected versions</th> 316 <th>Date reported</th> 317 </tr> 318 <tr> 319 <td>CVE-2015-6612</td> 320 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4b219e9e5ab237eec9931497cf10db4d78982d84">ANDROID-23540426</a></td> 321 <td>High</td> 322 <td>6.0 and below</td> 323 <td>Aug 23, 2015</td> 324 </tr> 325 </table> 326 327 328 <h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3> 329 330 331 <p>There is a vulnerability in Bluetooth that can enable a local application to 332 send commands to a listening debug port on the device. This issue is rated as 333 High severity because it can be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 334 <table> 335 <tr> 336 <th>CVE</th> 337 <th>Bug(s) with AOSP links</th> 338 <th>Severity</th> 339 <th>Affected versions</th> 340 <th>Date reported</th> 341 </tr> 342 <tr> 343 <td>CVE-2015-6613</td> 344 <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fbt/+/74dad51510f7d7b05c6617ef88168bf0bbdf3fcd">ANDROID-24371736</a></td> 345 <td>High</td> 346 <td>6.0</td> 347 <td>Google Internal</td> 348 </tr> 349 </table> 350 351 352 <h3 id=elevation_of_privilege_vulnerability_in_telephony> 353 Elevation Of Privilege Vulnerability in Telephony</h3> 354 355 356 <p>A vulnerability in the Telephony component that can enable a local malicious 357 application to pass unauthorized data to the restricted network interfaces, 358 potentially impacting data charges. It could also prevent the device from 359 receiving calls as well as allowing an attacker to control the mute settings of 360 calls. This issue is rated as Moderate severity because it can be used to 361 improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions. </p> 362 <table> 363 <tr> 364 <th>CVE</th> 365 <th>Bug(s) with AOSP links</th> 366 <th>Severity</th> 367 <th>Affected versions</th> 368 <th>Date reported</th> 369 </tr> 370 <tr> 371 <td>CVE-2015-6614</td> 372 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Ftelephony/+/70dd1f77873913635288e513564a6c93ae4d0a26">ANDROID-21900139</a> 373 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/a12044215b1148826ea9a88d5d1102378b13922f">2</a>] 374 [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/2b6af396ad14def9a967f62cccc87ee715823bb1">3</a>]</td> 375 <td>Moderate</td> 376 <td>5.0, 5.1</td> 377 <td>Jun 8, 2015</td> 378 </tr> 379 </table> 380 381 382 <h3 id=common_questions_and_answers>Common Questions and Answers</h3> 383 384 385 <p>This section will review answers to common questions that may occur after 386 reading this bulletin.</p> 387 388 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 389 390 <p>Builds LMY48X or later and Android Marshmallow with Security Patch Level of 391 November 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 392 manufacturers that include these updates should set the patch string level to: 393 [ro.build.version.security_patch]:[2015-11-01]</p> 394 395 <h2 id=revisions>Revisions</h2> 396 397 <ul> 398 <li> November 02, 2015: Originally Published 399 </ul> 400 401 </body> 402 </html> 403
