1 <html devsite> 2 <head> 3 <title>Nexus Security Bulletin - December 2015</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published December 07, 2015 | Updated March 7, 2016</em></p> 27 28 <p>We have released a security update to Nexus devices through an over-the-air 29 (OTA) update as part of our Android Security Bulletin Monthly Release process. 30 The Nexus firmware images have also been released to the 31 <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. 32 Builds LMY48Z or later and Android 6.0 with Security Patch Level of 33 December 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 34 35 <p>Partners were notified about and provided updates for these issues on November 36 2, 2015 or earlier. Where applicable, source code patches for these issues have been released to 37 the Android Open Source Project (AOSP) repository.</p> 38 39 <p>The most severe of these issues is a Critical security vulnerability that could 40 enable remote code execution on an affected device through multiple methods 41 such as email, web browsing, and MMS when processing media files. The 42 <a href="/security/overview/updates-resources.html#severity">severity 43 assessment</a> is based on the effect that exploiting the vulnerability would 44 possibly have on an affected device, assuming the platform and service 45 mitigations are disabled for development purposes or if successfully bypassed.</p> 46 47 <p>We have had no reports of active customer exploitation of these newly reported 48 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="/security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 49 Android platform. We encourage all customers to accept these updates to their 50 devices.</p> 51 52 53 <h2 id="mitigations">Mitigations</h2> 54 55 56 <p>This is a summary of the mitigations provided by the <a href="/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 57 likelihood that security vulnerabilities could be successfully exploited on 58 Android.</p> 59 60 <ul> 61 <li> Exploitation for many issues on Android is made more difficult by enhancements 62 in newer versions of the Android platform. We encourage all users to update to 63 the latest version of Android where possible.</li> 64 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 65 SafetyNet which will warn about potentially harmful applications about to be 66 installed. Device rooting tools are prohibited within Google Play. To protect 67 users who install applications from outside of Google Play, Verify Apps is 68 enabled by default and will warn users about known rooting applications. Verify 69 Apps attempts to identify and block installation of known malicious 70 applications that exploit a privilege escalation vulnerability. If such an 71 application has already been installed, Verify Apps will notify the user and 72 attempt to remove any such applications.</li> 73 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 74 pass media to processes such as mediaserver.</li> 75 </ul> 76 77 <h2 id="acknowledgements">Acknowledgements</h2> 78 79 <p>We would like to thank these researchers for their contributions:</p> 80 81 <ul> 82 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 83 Team: CVE-2015-6616, CVE-2015-6617, CVE-2015-6623, CVE-2015-6626, 84 CVE-2015-6619, CVE-2015-6633, CVE-2015-6634 85 <li> Flanker (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6620 86 <li> Guang Gong () (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang (a] gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology Co.Ltd</a>: CVE-2015-6626 87 <li> Mark Carter (<a href="https://twitter.com/hanpingchinese">@hanpingchinese</a>) of EmberMitre Ltd: CVE-2015-6630 88 <li> Micha Bednarski (<a href="https://github.com/michalbednarski">https://github.com/michalbednarski</a>): CVE-2015-6621 89 <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6616 90 <li> Peter Pi of Trend Micro: CVE-2015-6616, CVE-2015-6628 91 <li> Qidan He (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>) and Marco Grassi (<a href="https://twitter.com/marcograss">@marcograss</a>) of <a href="http://k33nteam.org/">KeenTeam</a> (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6622 92 <li> Tzu-Yin (Nina) Tai: CVE-2015-6627 93 <li> Joaqun Rinaudo (<a href="https://twitter.com/xeroxnir">@xeroxnir</a>) of Programa 94 STIC at Fundacin Dr. Manuel Sadosky, Buenos Aires, Argentina: CVE-2015-6631 95 <li>Wangtao (neobyte) of Baidu X-Team: CVE-2015-6626 96 </ul> 97 98 <h2 id="security_vulnerability_details">Security Vulnerability Details</h2> 99 100 <p>In the sections below, we provide details for each of the security 101 vulnerabilities that apply to the 2015-12-01 patch level. 102 There is a description of the issue, a severity rationale, and a table 103 with the CVE, associated bug, severity, updated versions, and date reported. 104 When available, we will link the AOSP change that addressed the issue to the 105 bug ID. When multiple changes relate to a single bug, additional AOSP 106 references are linked to numbers following the bug ID.</p> 107 108 <h3 id="remote_code_execution_vulnerabilities_in_mediaserver">Remote Code Execution Vulnerabilities in Mediaserver</h3> 109 110 111 <p>During media file and data processing of a specially crafted file, 112 vulnerabilities in mediaserver could allow an attacker to cause memory 113 corruption and remote code execution as the mediaserver process.</p> 114 115 <p>The affected functionality is provided as a core part of the operating system 116 and there are multiple applications that allow it to be reached with remote 117 content, most notably MMS and browser playback of media.</p> 118 119 <p>This issue is rated as a Critical severity due to the possibility of remote 120 code execution within the context of the mediaserver service. The mediaserver 121 service has access to audio and video streams as well as access to privileges 122 that third-party apps cannot normally access.</p> 123 <table> 124 <tr> 125 <th>CVE</th> 126 <th>Bug(s) with AOSP links</th> 127 <th>Severity</th> 128 <th>Updated versions</th> 129 <th>Date reported</th> 130 </tr> 131 <tr> 132 <td rowspan="5">CVE-2015-6616</td> 133 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/257b3bc581bbc65318a4cc2d3c22a07a4429dc1d">ANDROID-24630158</a></td> 134 <td>Critical</td> 135 <td>6.0 and below</td> 136 <td>Google Internal</td> 137 </tr> 138 <tr> 139 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0d35dd2068d6422c3c77fb68f248cbabf3d0b10c">ANDROID-23882800</a></td> 140 <td>Critical</td> 141 <td>6.0 and below</td> 142 <td>Google Internal</td> 143 </tr> 144 <tr> 145 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dedaca6f04ac9f95fabe3b64d44cd1a2050f079e">ANDROID-17769851</a></td> 146 <td>Critical</td> 147 <td>5.1 and below</td> 148 <td>Google Internal</td> 149 </tr> 150 <tr> 151 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5d101298d8b0a78a1dc5bd26dbdada411f4ecd4d">ANDROID-24441553</a></td> 152 <td>Critical</td> 153 <td>6.0 and below</td> 154 <td>Sep 22, 2015</td> 155 </tr> 156 <tr> 157 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005">ANDROID-24157524</a></td> 158 <td>Critical</td> 159 <td>6.0</td> 160 <td>Sep 08, 2015</td> 161 </tr> 162 </table> 163 164 <h3 id="remote_code_execution_vulnerability_in_skia">Remote Code Execution Vulnerability in Skia</h3> 165 166 <p>A vulnerability in the Skia component may be leveraged when processing a 167 specially crafted media file, that could lead to memory corruption and remote 168 code execution in a privileged process. This issue is rated as a Critical 169 severity due to the possibility of remote code execution through multiple 170 attack methods such as email, web browsing, and MMS when processing media 171 files.</p> 172 <table> 173 <tr> 174 <th>CVE</th> 175 <th>Bug(s) with AOSP links</th> 176 <th>Severity</th> 177 <th>Updated versions</th> 178 <th>Date reported</th> 179 </tr> 180 <tr> 181 <td>CVE-2015-6617</td> 182 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fskia/+/a1d8ac0ac0af44d74fc082838936ec265216ab60">ANDROID-23648740</a></td> 183 <td>Critical</td> 184 <td>6.0 and below</td> 185 <td>Google internal</td> 186 </tr> 187 </table> 188 189 <h3 id="elevation_of_privilege_in_kernel">Elevation of Privilege in Kernel</h3> 190 191 <p>An elevation of privilege vulnerability in the system kernel could enable a 192 local malicious application to execute arbitrary code within the device root 193 context. This issue is rated as a Critical severity due to the possibility of a 194 local permanent device compromise and the device could only be repaired by 195 re-flashing the operating system.</p> 196 <table> 197 <tr> 198 <th>CVE</th> 199 <th>Bug(s) with AOSP links</th> 200 <th>Severity</th> 201 <th>Updated versions</th> 202 <th>Date reported</th> 203 </tr> 204 <tr> 205 <td>CVE-2015-6619</td> 206 <td><a href ="https://android.googlesource.com/device%2Fhtc%2Fflounder-kernel/+/25d3e5d71865a7c0324423fad87aaabb70e82ee4">ANDROID-23520714</a></td> 207 <td>Critical</td> 208 <td>6.0 and below</td> 209 <td>Jun 7, 2015</td> 210 </tr> 211 </table> 212 213 <h3 id="remote_code_execution_vulnerabilities_in_display_driver"> 214 Remote Code Execution Vulnerabilities in Display Driver</h3> 215 216 <p>There are vulnerabilities in the display drivers that, when processing a media 217 file, could cause memory corruption and potential arbitrary code execution in 218 the context of the user mode driver loaded by mediaserver. This issue is rated 219 as a Critical severity due to the possibility of remote code execution through 220 multiple attack methods such as email, web browsing, and MMS when processing 221 media files.</p> 222 <table> 223 <tr> 224 <th>CVE</th> 225 <th>Bug(s) with AOSP links</th> 226 <th>Severity</th> 227 <th>Updated versions</th> 228 <th>Date reported</th> 229 </tr> 230 <tr> 231 <td>CVE-2015-6633</td> 232 <td>ANDROID-23987307*</td> 233 <td>Critical</td> 234 <td>6.0 and below</td> 235 <td>Google Internal</td> 236 </tr> 237 <tr> 238 <td>CVE-2015-6634</td> 239 <td><a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/25016fd2865943dec1a6b2b167ef85c772fb90f7">ANDROID-24163261</a> [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/0787bc222a016e944f01492c2dd04bd03c1da6af">2</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/95c2601aab7f27505e8b086fdd1f1dce31091e5d">3</a>] [<a href="https://android.googlesource.com/platform%2Fhardware%2Fqcom%2Fdisplay/+/45660529af1f4063a00e84aa2361649e6a9a878c">4</a>]</td> 240 <td>Critical</td> 241 <td>5.1 and below</td> 242 <td>Google Internal</td> 243 </tr> 244 </table> 245 <p> *The patch for this issue is not in AOSP. The update is contained in the 246 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 247 248 <h3 id="remote_code_execution_vulnerability_in_bluetooth">Remote Code Execution Vulnerability in Bluetooth</h3> 249 250 <p>A vulnerability in Android's Bluetooth component could allow remote code 251 execution. However multiple manual steps are required before this could occur. 252 In order to do this it would require a successfully paired device, after the 253 personal area network (PAN) profile is enabled (for example using Bluetooth 254 Tethering) and the device is paired. The remote code execution would be at the 255 privilege of the Bluetooth service. A device is only vulnerable to this issue 256 from a successfully paired device while in local proximity.</p> 257 258 <p>This issue is rated as High severity because an attacker could remotely execute 259 arbitrary code only after multiple manual steps are taken and from a locally 260 proximate attacker that had previously been allowed to pair a device.</p> 261 <table> 262 <tr> 263 <th>CVE</th> 264 <th>Bug(s) </th> 265 <th>Severity</th> 266 <th>Updated versions</th> 267 <th>Date reported</th> 268 </tr> 269 <tr> 270 <td>CVE-2015-6618</td> 271 <td>ANDROID-24595992*</td> 272 <td>High</td> 273 <td>4.4, 5.0, and 5.1</td> 274 <td>Sep 28, 2015</td> 275 </tr> 276 </table> 277 <p> *The patch for this issue is not in AOSP. The update is contained in the 278 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 279 280 <h3 id="elevation_of_privilege_vulnerabilities_in_libstagefright"> 281 Elevation of Privilege Vulnerabilities in libstagefright</h3> 282 283 <p>There are multiple vulnerabilities in libstagefright that could enable a local 284 malicious application to execute arbitrary code within the context of the 285 mediaserver service. This issue is rated as High severity because it could be 286 used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 287 applications.</p> 288 <table> 289 <tr> 290 <th>CVE</th> 291 <th>Bug(s) with AOSP links</th> 292 <th>Severity</th> 293 <th>Updated versions</th> 294 <th>Date reported</th> 295 </tr> 296 <tr> 297 <td rowspan="2">CVE-2015-6620</td> 298 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/2b8cd9cbb3e72ffd048ffdd1609fac74f61a22ac">ANDROID-24123723</a></td> 299 <td>High</td> 300 <td>6.0 and below</td> 301 <td>Sep 10, 2015</td> 302 </tr> 303 <tr> 304 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151">ANDROID-24445127</a></td> 305 <td>High</td> 306 <td>6.0 and below</td> 307 <td>Sep 2, 2015</td> 308 </tr> 309 </table> 310 311 <h3 id="elevation_of_privilege_vulnerability_in_systemui"> 312 Elevation of Privilege Vulnerability in SystemUI</h3> 313 314 <p>When setting an alarm using the clock application, a vulnerability in the 315 SystemUI component could allow an application to execute a task at an elevated 316 privilege level. This issue is rated as High severity because it could be used 317 to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 318 applications.</p> 319 <table> 320 <tr> 321 <th>CVE</th> 322 <th>Bug(s) with AOSP links</th> 323 <th>Severity</th> 324 <th>Updated versions</th> 325 <th>Date reported</th> 326 </tr> 327 <tr> 328 <td>CVE-2015-6621</td> 329 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/e70e8ac93807c51240b2cd9afed35bf454ea00b3">ANDROID-23909438</a></td> 330 <td>High</td> 331 <td>5.0, 5.1, and 6.0</td> 332 <td>Sep 7, 2015</td> 333 </tr> 334 </table> 335 336 <h3 id="information_disclosure_vulnerability_in_native_frameworks_library">Information Disclosure Vulnerability in Native Frameworks Library</h3> 337 338 <p>An information disclosure vulnerability in Android Native Frameworks Library 339 could permit a bypass of security measures in place to increase the difficulty 340 of attackers exploiting the platform. These issues are rated as High severity 341 because they could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 342 <table> 343 <tr> 344 <th>CVE</th> 345 <th>Bug(s) with AOSP links</th> 346 <th>Severity</th> 347 <th>Updated versions</th> 348 <th>Date reported</th> 349 </tr> 350 <tr> 351 <td>CVE-2015-6622</td> 352 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/5d17838adef13062717322e79d4db0b9bb6b2395">ANDROID-23905002</a></td> 353 <td>High</td> 354 <td>6.0 and below</td> 355 <td>Sep 7, 2015</td> 356 </tr> 357 </table> 358 359 <h3 id="elevation_of_privilege_vulnerability_in_wi-fi">Elevation of Privilege Vulnerability in Wi-Fi</h3> 360 361 <p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious 362 application to execute arbitrary code within the context of an elevated system 363 service. This issue is rated as High severity because it could be used to gain 364 elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 365 <table> 366 <tr> 367 <th>CVE</th> 368 <th>Bug(s) with AOSP links</th> 369 <th>Severity</th> 370 <th>Updated versions</th> 371 <th>Date reported</th> 372 </tr> 373 <tr> 374 <td>CVE-2015-6623</td> 375 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/a15a2ee69156fa6fff09c0dd9b8182cb8fafde1c">ANDROID-24872703</a></td> 376 <td>High</td> 377 <td>6.0</td> 378 <td>Google Internal</td> 379 </tr> 380 </table> 381 382 383 <h3 id="elevation_of_privilege_vulnerability_in_system_server">Elevation of Privilege Vulnerability in System Server</h3> 384 385 386 <p>An elevation of privilege vulnerability in the System Server component could 387 enable a local malicious application to gain access to service related 388 information. This issue is rated as High severity because it could be used to 389 gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 390 <table> 391 <tr> 392 <th>CVE</th> 393 <th>Bug(s) with AOSP links</th> 394 <th>Severity</th> 395 <th>Updated versions</th> 396 <th>Date reported</th> 397 </tr> 398 <tr> 399 <td>CVE-2015-6624</td> 400 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f86a441cb5b0dccd3106019e578c3535498e5315">ANDROID-23999740</a></td> 401 <td>High</td> 402 <td>6.0</td> 403 <td>Google internal</td> 404 </tr> 405 </table> 406 407 408 <h3 id="information_disclosure_vulnerabilities_in_libstagefright"> 409 Information Disclosure Vulnerabilities in libstagefright</h3> 410 411 <p>There are information disclosure vulnerabilities in libstagefright that during 412 communication with mediaserver, could permit a bypass of security measures in 413 place to increase the difficulty of attackers exploiting the platform. These 414 issues are rated as High severity because they could also be used to gain 415 elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 416 <table> 417 <tr> 418 <th>CVE</th> 419 <th>Bug(s) with AOSP links</th> 420 <th>Severity</th> 421 <th>Updated versions</th> 422 <th>Date reported</th> 423 </tr> 424 <tr> 425 <td>CVE-2015-6632</td> 426 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5cae16bdce77b0a3ba590b55637f7d55a2f35402">ANDROID-24346430</a></td> 427 <td>High</td> 428 <td>6.0 and below</td> 429 <td>Google Internal</td> 430 </tr> 431 <tr> 432 <td>CVE-2015-6626</td> 433 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8dde7269a5356503d2b283234b6cb46d0c3f214e">ANDROID-24310423</a></td> 434 <td>High</td> 435 <td>6.0 and below</td> 436 <td>Sep 2, 2015</td> 437 </tr> 438 <tr> 439 <td>CVE-2015-6631</td> 440 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/7ed8d1eff9b292b3c65a875b13a549e29654534b">ANDROID-24623447</a></td> 441 <td>High</td> 442 <td>6.0 and below</td> 443 <td>Aug 21, 2015</td> 444 </tr> 445 </table> 446 447 <h3 id="information_disclosure_vulnerability_in_audio">Information Disclosure Vulnerability in Audio</h3> 448 449 <p>A vulnerability in the Audio component could be exploited during audio file 450 processing. This vulnerability could allow a local malicious application, 451 during processing of a specially crafted file, to cause information disclosure. 452 This issue is rated as High severity because it could be used to gain elevated 453 capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 454 <table> 455 <tr> 456 <th>CVE</th> 457 <th>Bug(s) with AOSP links</th> 458 <th>Severity</th> 459 <th>Updated versions</th> 460 <th>Date reported</th> 461 </tr> 462 <tr> 463 <td>CVE-2015-6627</td> 464 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8c987fa71326eb0cc504959a5ebb440410d73180">ANDROID-24211743</a></td> 465 <td>High</td> 466 <td>6.0 and below</td> 467 <td>Google Internal</td> 468 </tr> 469 </table> 470 471 <h3 id="information_disclosure_vulnerability_in_media_framework">Information Disclosure Vulnerability in Media Framework</h3> 472 473 <p>There is an information disclosure vulnerability in Media Framework that during 474 communication with mediaserver, could permit a bypass of security measures in 475 place to increase the difficulty of attackers exploiting the platform. This 476 issue is rated as High severity because it could also be used to gain elevated 477 capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 478 <table> 479 <tr> 480 <th>CVE</th> 481 <th>Bug(s) with AOSP links</th> 482 <th>Severity</th> 483 <th>Updated versions</th> 484 <th>Date reported</th> 485 </tr> 486 <tr> 487 <td>CVE-2015-6628</td> 488 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5e7e87a383fdb1fece977097a7e3cc51b296f3a0">ANDROID-24074485</a></td> 489 <td>High</td> 490 <td>6.0 and below</td> 491 <td>Sep 8, 2015</td> 492 </tr> 493 </table> 494 495 <h3 id="information_disclosure_vulnerability_in_wi-fi">Information Disclosure Vulnerability in Wi-Fi</h3> 496 497 <p>A vulnerability in the Wi-Fi component could allow an attacker to cause the 498 Wi-Fi service to disclose information. This issue is rated as High severity 499 because it could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party 500 applications.</p> 501 <table> 502 <tr> 503 <th>CVE</th> 504 <th>Bug(s) with AOSP links</th> 505 <th>Severity</th> 506 <th>Updated versions</th> 507 <th>Date reported</th> 508 </tr> 509 <tr> 510 <td>CVE-2015-6629</td> 511 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/8b41627f7411306a0c42867fb526fa214f2991cd">ANDROID-22667667</a></td> 512 <td>High</td> 513 <td>5.1 and 5.0</td> 514 <td>Google Internal</td> 515 </tr> 516 </table> 517 518 <h3 id="elevation_of_privilege_vulnerability_in_system_server19">Elevation of Privilege Vulnerability in System Server</h3> 519 520 521 <p>An elevation of privilege vulnerability in the System Server could enable a 522 local malicious application to gain access to Wi-Fi service related 523 information. This issue is rated as Moderate severity because it could be used 524 to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 525 <table> 526 <tr> 527 <th>CVE</th> 528 <th>Bug(s) with AOSP links</th> 529 <th>Severity</th> 530 <th>Updated versions</th> 531 <th>Date reported</th> 532 </tr> 533 <tr> 534 <td>CVE-2015-6625</td> 535 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Fnet%2Fwifi/+/29fa7d2ffc3bba55173969309e280328b43eeca1">ANDROID-23936840</a></td> 536 <td>Moderate</td> 537 <td>6.0</td> 538 <td>Google Internal</td> 539 </tr> 540 </table> 541 542 <h3 id="information_disclosure_vulnerability_in_systemui">Information Disclosure Vulnerability in SystemUI</h3> 543 544 <p>An information disclosure vulnerability in the SystemUI could enable a local 545 malicious application to gain access to screenshots. This issue is rated as 546 Moderate severity because it could be used to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 547 <table> 548 <tr> 549 <th>CVE</th> 550 <th>Bug(s) with AOSP links</th> 551 <th>Severity</th> 552 <th>Updated versions</th> 553 <th>Date reported</th> 554 </tr> 555 <tr> 556 <td>CVE-2015-6630</td> 557 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/51c2619c7706575a171cf29819db14e91b815a62">ANDROID-19121797</a></td> 558 <td>Moderate</td> 559 <td>5.0, 5.1, and 6.0</td> 560 <td>Jan 22, 2015</td> 561 </tr> 562 </table> 563 564 <h3 id="common_questions_and_answers">Common Questions and Answers</h3> 565 566 <p>This section will review answers to common questions that may occur after 567 reading this bulletin.</p> 568 569 <p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 570 571 <p>Builds LMY48Z or later and Android 6.0 with Security Patch Level of 572 December 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 573 manufacturers that include these updates should set the patch string level to: 574 [ro.build.version.security_patch]:[2015-12-01]</p> 575 576 <h2 id="revisions">Revisions</h2> 577 <ul> 578 <li> December 07, 2015: Originally Published 579 <li> December 09, 2015: Bulletin revised to include AOSP links. 580 <li> December 22, 2015: Added missing credit to Acknowledgements section. 581 <li> March 07, 2016: Added missing credit to Acknowledgements section. 582 </ul> 583 584 </body> 585 </html> 586
