1 <html devsite> 2 <head> 3 <title>Nexus Security BulletinJanuary 2016</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published January 04, 2016 | Updated April 28, 2016</em></p> 27 28 <p>We have released a security update to Nexus devices through an over-the-air 29 (OTA) update as part of our Android Security Bulletin Monthly Release process. 30 The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 31 1, 2016 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 32 33 <p>Partners were notified about and provided updates for the issues described in 34 this bulletin on December 7, 2015 or earlier. Where applicable, source code 35 patches for these issues have been released to the Android Open Source Project (AOSP) repository.</p> 36 37 <p>The most severe of these issues is a Critical security vulnerability that could 38 enable remote code execution on an affected device through multiple methods 39 such as email, web browsing, and MMS when processing media files. The 40 <a href="/security/overview/updates-resources.html#severity">severity 41 assessment</a> is based on the effect that exploiting the vulnerability would 42 possibly have on an affected device, assuming the platform and service 43 mitigations are disabled for development purposes or if successfully bypassed.</p> 44 45 <p>We have had no reports of active customer exploitation of these newly reported 46 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the 47 <a href="/security/enhancements/index.html">Android security platform protections</a> 48 and service protections such as SafetyNet, which improve the security of the 49 Android platform. We encourage all customers to accept these updates to their 50 devices.</p> 51 52 53 <h2 id=mitigations>Mitigations</h2> 54 55 56 <p>This is a summary of the mitigations provided by the 57 <a href="/security/enhancements/index.html">Android security platform</a> 58 and service protections such as SafetyNet. These capabilities reduce the 59 likelihood that security vulnerabilities could be successfully exploited on 60 Android.</p> 61 62 <ul> 63 <li> Exploitation for many issues on Android is made more difficult by enhancements 64 in newer versions of the Android platform. We encourage all users to update to 65 the latest version of Android where possible. 66 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 67 SafetyNet which will warn about potentially harmful applications about to be 68 installed. Device rooting tools are prohibited within Google Play. To protect 69 users who install applications from outside of Google Play, Verify Apps is 70 enabled by default and will warn users about known rooting applications. Verify 71 Apps attempts to identify and block installation of known malicious 72 applications that exploit a privilege escalation vulnerability. If such an 73 application has already been installed, Verify Apps will notify the user and 74 attempt to remove any such applications. 75 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 76 pass media to processes such as mediaserver. 77 </ul> 78 79 <h2 id=acknowledgements>Acknowledgements</h2> 80 81 82 <p>We would like to thank these researchers for their contributions:</p> 83 84 <ul> 85 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 86 Team: CVE-2015-6636 87 <li> Sen Nie (<a href="https://twitter.com/@nforest_">@nforest_</a>) and jfang of KEEN lab, Tencent 88 (<a href="https://twitter.com/k33nteam">@K33nTeam</a>): CVE-2015-6637 89 <li> Yabin Cui from Android Bionic Team: CVE-2015-6640 90 <li> Tom Craig of Google X: CVE-2015-6641 91 <li> Jann Horn (<a href="https://thejh.net">https://thejh.net</a>): CVE-2015-6642 92 <li> Jouni Malinen PGP id EFC895FA: CVE-2015-5310 93 <li> Quan Nguyen of Google Information Security Engineer Team: CVE-2015-6644 94 <li> Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>, 95 <a href="http://bits-please.blogspot.com">http://bits-please.blogspot.com</a>): CVE-2015-6639 96 </ul> 97 98 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 99 100 <p>In the sections below, we provide details for each of the security 101 vulnerabilities that apply to the 2016-01-01 patch level. 102 There is a description of the issue, a severity rationale, and a table 103 with the CVE, associated bug, severity, updated versions, and date reported. 104 When available, we will link the AOSP change that addressed the issue to the 105 bug ID. When multiple changes relate to a single bug, additional AOSP 106 references are linked to numbers following the bug ID. </p> 107 108 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 109 110 111 <p>During media file and data processing of a specially crafted file, 112 vulnerabilities in mediaserver could allow an attacker to cause memory 113 corruption and remote code execution as the mediaserver process.</p> 114 115 <p>The affected functionality is provided as a core part of the operating system 116 and there are multiple applications that allow it to be reached with remote 117 content, most notably MMS and browser playback of media.</p> 118 119 <p>This issue is rated as a Critical severity due to the possibility of remote 120 code execution within the context of the mediaserver service. The mediaserver 121 service has access to audio and video streams as well as access to privileges 122 that third-party apps cannot normally access.</p> 123 <table> 124 <tr> 125 <th>CVE</th> 126 <th>Bug(s) with AOSP links</th> 127 <th>Severity</th> 128 <th>Updated versions</th> 129 <th>Date reported</th> 130 </tr> 131 <tr> 132 <td rowspan="2">CVE-2015-6636</td> 133 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/b9f7c2c45c6fe770b7daffb9a4e61522d1f12d51#">ANDROID-25070493</a></td> 134 <td>Critical</td> 135 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 136 <td>Google Internal</td> 137 </tr> 138 <tr> 139 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Flibhevc/+/e8bfec1fa41eafa1fd8e05d0fdc53ea0f2379518">ANDROID-24686670</a></td> 140 <td>Critical</td> 141 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 142 <td>Google Internal</td> 143 </tr> 144 </table> 145 146 147 <h3 id=elevation_of_privilege_vulnerability_in_misc-sd_driver>Elevation of Privilege Vulnerability in misc-sd driver</h3> 148 149 150 <p>An elevation of privilege vulnerability in the misc-sd driver from MediaTek 151 could enable a local malicious application to execute arbitrary code within the 152 kernel. This issue is rated as a Critical severity due to the possibility of a 153 local permanent device compromise, in which case the device would possibly need 154 to be repaired by re-flashing the operating system.</p> 155 <table> 156 <tr> 157 <th>CVE</th> 158 <th>Bug(s)</th> 159 <th>Severity</th> 160 <th>Updated versions</th> 161 <th>Date reported</th> 162 </tr> 163 <tr> 164 <td>CVE-2015-6637</td> 165 <td>ANDROID-25307013*</td> 166 <td>Critical</td> 167 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 168 <td>Oct 26, 2015</td> 169 </tr> 170 </table> 171 172 <p> * The patch for this issue is not in AOSP. The update is contained in the 173 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 174 175 <h3 id=elevation_of_privilege_vulnerability_in_the_imagination_technologies_driver>Elevation of Privilege Vulnerability in the Imagination Technologies driver</h3> 176 177 178 <p>An elevation of privilege vulnerability in a kernel driver from Imagination 179 Technologies could enable a local malicious application to execute arbitrary 180 code within the kernel. This issue is rated as a Critical severity due to the 181 possibility of a local permanent device compromise, in which case device would 182 possibly need to be repaired by re-flashing the operating system.</p> 183 <table> 184 <tr> 185 <th>CVE</th> 186 <th>Bug(s)</th> 187 <th>Severity</th> 188 <th>Updated versions</th> 189 <th>Date reported</th> 190 </tr> 191 <tr> 192 <td>CVE-2015-6638</td> 193 <td>ANDROID-24673908*</td> 194 <td>Critical</td> 195 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 196 <td>Google Internal</td> 197 </tr> 198 </table> 199 200 <p> * The patch for this issue is not in AOSP. The update is contained in the 201 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 202 203 <h3 id=elevation_of_privilege_vulnerabilities_in_trustzone>Elevation of Privilege Vulnerabilities in Trustzone</h3> 204 205 206 <p>Elevation of privilege vulnerabilities in the Widevine QSEE TrustZone 207 application could enable a compromise, privileged application with access to 208 QSEECOM to execute arbitrary code in the Trustzone context. This issue is rated 209 as a Critical severity due to the possibility of a local permanent device 210 compromise, in which case the device would possibly need to be repaired by 211 re-flashing the operating system.</p> 212 <table> 213 <tr> 214 <th>CVE</th> 215 <th>Bug(s)</th> 216 <th>Severity</th> 217 <th>Updated versions</th> 218 <th>Date reported</th> 219 </tr> 220 <tr> 221 <td>CVE-2015-6639</td> 222 <td>ANDROID-24446875*</td> 223 <td>Critical</td> 224 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 225 <td>Sep 23, 2015</td> 226 </tr> 227 <tr> 228 <td>CVE-2015-6647</td> 229 <td>ANDROID-24441554*</td> 230 <td>Critical</td> 231 <td>5.0, 5.1.1, 6.0, 6.0.1</td> 232 <td>Sep 27, 2015</td> 233 </tr> 234 </table> 235 236 <p> * The patch for this issue is not in AOSP. The update is contained in the 237 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 238 239 <h3 id=elevation_of_privilege_vulnerability_in_kernel>Elevation of Privilege Vulnerability in Kernel</h3> 240 241 242 <p>An elevation of privilege vulnerability in the kernel could enable a local 243 malicious application to execute arbitrary code in the kernel. This issue is 244 rated as a Critical severity due to the possibility of a local permanent device 245 compromise, in which case the device would possibly need to be repaired by 246 re-flashing the operating system.</p> 247 <table> 248 <tr> 249 <th>CVE</th> 250 <th>Bug(s) with AOSP Link</th> 251 <th>Severity</th> 252 <th>Updated versions</th> 253 <th>Date reported</th> 254 </tr> 255 <tr> 256 <td>CVE-2015-6640</td> 257 <td><a href="https://android.googlesource.com/kernel%2Fcommon/+/69bfe2d957d903521d32324190c2754cb073be15">ANDROID-20017123</a></td> 258 <td>Critical</td> 259 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 260 <td>Google Internal</td> 261 </tr> 262 </table> 263 264 265 <h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3> 266 267 268 <p>An elevation of privilege vulnerability in the Bluetooth component could enable 269 a remote device paired over Bluetooth to gain access to users private 270 information (Contacts). This issue is rated as High severity because it could 271 be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> capabilities remotely, these permissions are accessible only to third-party 272 applications installed locally.</p> 273 <table> 274 <tr> 275 <th>CVE</th> 276 <th>Bug(s) with AOSP links</th> 277 <th>Severity</th> 278 <th>Updated versions</th> 279 <th>Date reported</th> 280 </tr> 281 <tr> 282 <td>CVE-2015-6641</td> 283 <td><a href="https://android.googlesource.com/platform%2Fpackages%2Fapps%2FSettings/+/98f11fd1a4752beed56b5fe7a4097ec0ae0c74b3">ANDROID-23607427</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/ccbe7383e63d7d23bac6bccc8e4094fe474645ec">2</a>]</td> 284 <td>High</td> 285 <td>6.0, 6.0.1</td> 286 <td>Google Internal</td> 287 </tr> 288 </table> 289 290 291 <h3 id=information_disclosure_vulnerability_in_kernel>Information Disclosure Vulnerability in Kernel</h3> 292 293 294 <p>An information disclosure vulnerability in the kernel could permit a bypass of 295 security measures in place to increase the difficulty of attackers exploiting 296 the platform. These issues are rated as High severity because they could also 297 be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 298 <table> 299 <tr> 300 <th>CVE</th> 301 <th>Bug(s)</th> 302 <th>Severity</th> 303 <th>Updated versions</th> 304 <th>Date reported</th> 305 </tr> 306 <tr> 307 <td>CVE-2015-6642</td> 308 <td>ANDROID-24157888*</td> 309 <td>High</td> 310 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 311 <td>Sep 12, 2015</td> 312 </tr> 313 </table> 314 <p> * The patch for this issue is not in AOSP. The update is contained in the 315 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 316 317 <h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> 318 319 320 <p>An elevation of privilege vulnerability in the Setup Wizard could enable an 321 attacker with physical access to the device to gain access to device settings 322 and perform a manual device reset. This issue is rated as Moderate severity 323 because it could be used to improperly work around the factory reset 324 protection.</p> 325 <table> 326 <tr> 327 <th>CVE</th> 328 <th>Bug(s) with AOSP links</th> 329 <th>Severity</th> 330 <th>Updated versions</th> 331 <th>Date reported</th> 332 </tr> 333 <tr> 334 <td>CVE-2015-6643</td> 335 <td><a href="https://android.googlesource.com/platform/packages/apps/Settings/+/665ac7bc29396fd5af2ecfdfda2b9de7a507daa0">ANDROID-25290269</a> [<a href="https://android.googlesource.com/platform/packages/apps/Settings/+/a7ff2e955d2509ed28deeef984347e093794f92b">2</a>]</td> 336 <td>Moderate</td> 337 <td>5.1.1, 6.0, 6.0.1</td> 338 <td>Google Internal</td> 339 </tr> 340 </table> 341 342 343 <h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3> 344 345 346 <p>An elevation of privilege vulnerability in the Wi-Fi component could enable a 347 locally proximate attacker to gain access to Wi-Fi service related information. 348 A device is only vulnerable to this issue while in local proximity. This issue 349 is rated as Moderate severity because it could be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a> capabilities remotely, these permissions are accessible only to third-party 350 applications installed locally.</p> 351 <table> 352 <tr> 353 <th>CVE</th> 354 <th>Bug(s) with AOSP links</th> 355 <th>Severity</th> 356 <th>Updated versions</th> 357 <th>Date reported</th> 358 </tr> 359 <tr> 360 <td>CVE-2015-5310</td> 361 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Fwpa_supplicant_8/+/1e9857b5f1dd84ac5a0ada0150b1b9c87d44d99d">ANDROID-25266660</a></td> 362 <td>Moderate</td> 363 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 364 <td>Oct 25, 2015</td> 365 </tr> 366 </table> 367 368 369 <h3 id=information_disclosure_vulnerability_in_bouncy_castle>Information Disclosure Vulnerability in Bouncy Castle</h3> 370 371 372 <p>An information disclosure vulnerability in Bouncy Castle could enable a local 373 malicious application to gain access to users private information. This issue 374 is rated as Moderate severity because it could be used to improperly gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a> permissions.</p> 375 <table> 376 <tr> 377 <th>CVE</th> 378 <th>Bug(s) with AOSP links</th> 379 <th>Severity</th> 380 <th>Updated versions</th> 381 <th>Date reported</th> 382 </tr> 383 <tr> 384 <td>CVE-2015-6644</td> 385 <td><a href="https://android.googlesource.com/platform/external/bouncycastle/+/3e128c5fea3a0ca2d372aa09c4fd4bb0eadfbd3f">ANDROID-24106146</a></td> 386 <td>Moderate</td> 387 <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> 388 <td>Google Internal</td> 389 </tr> 390 </table> 391 392 393 <h3 id=denial_of_service_vulnerability_in_syncmanager>Denial of Service Vulnerability in SyncManager</h3> 394 395 396 <p>A denial of service vulnerability in the SyncManager could enable a local 397 malicious application to cause a reboot loop. This issue is rated as Moderate 398 severity because it could be used to cause a local temporary denial of service 399 that would possibly need to be fixed though a factory reset.</p> 400 <table> 401 <tr> 402 <th>CVE</th> 403 <th>Bug(s) with AOSP links</th> 404 <th>Severity</th> 405 <th>Updated versions</th> 406 <th>Date reported</th> 407 </tr> 408 <tr> 409 <td>CVE-2015-6645</td> 410 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/c0f39c1ece72a05c796f7ba30b7a2b5b580d5025">ANDROID-23591205</a></td> 411 <td>Moderate</td> 412 <td>4.4.4, 5.0, 5.1.1, 6.0</td> 413 <td>Google Internal</td> 414 </tr> 415 </table> 416 417 418 <h3 id=attack_surface_reduction_for_nexus_kernels>Attack Surface Reduction for Nexus Kernels</h3> 419 420 421 <p>SysV IPC is not supported in any Android Kernel. We have removed this from the 422 OS as it exposes additional attack surface that doesnt add functionality to 423 the system that could be exploited by malicious applications. Also, System V 424 IPCs are not compliant with Android's application lifecycle because the 425 allocated resources are not freeable by the memory manager leading to global 426 kernel resource leakage. This change addresses issue such as CVE-2015-7613.</p> 427 <table> 428 <tr> 429 <th>CVE</th> 430 <th>Bug(s)</th> 431 <th>Severity</th> 432 <th>Updated versions</th> 433 <th>Date reported</th> 434 </tr> 435 <tr> 436 <td>CVE-2015-6646</td> 437 <td>ANDROID-22300191*</td> 438 <td>Moderate</td> 439 <td>6.0</td> 440 <td>Google Internal</td> 441 </tr> 442 </table> 443 444 <p> * The patch for this issue is not in AOSP. The update is contained in the 445 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 446 447 <h3 id=common_questions_and_answers>Common Questions and Answers</h3> 448 449 450 <p>This section reviews answers to common questions that may occur after reading 451 this bulletin.</p> 452 453 <p><strong>1. How do I determine if my device is updated to address these issues? </strong></p> 454 455 <p>Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 456 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 457 manufacturers that include these updates should set the patch string level to: 458 [ro.build.version.security_patch]:[2016-01-01] </p> 459 460 <h2 id=revisions>Revisions</h2> 461 462 463 <ul> 464 <li> January 04, 2016: Bulletin published. 465 <li> January 06, 2016: Bulletin revised to include AOSP links. 466 <li> April 28, 2016: Removed CVE-2015-6617 from Acknowledgements and added CVE-2015-6647 to summary table 467 468 </body> 469 </html> 470
