<html devsite>
<head>
<title>Nexus Security Bulletin - February 2016</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p><em>Published February 01, 2016 | Updated March 7, 2016</em></p>

<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
The Nexus firmware images have also been released to the
<a href="https://developers.google.com/android/nexus/images">Google Developer site</a>.
Builds LMY49G or later and Android M with Security Patch Level of February 1,
2016 or later address these issues. Refer to the
<a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a>
for instructions on how to check the security patch level.</p>

<p>Partners were notified about the issues described in the bulletin on January 4,
2016 or earlier. Where applicable, source code patches for these issues have been
released to the Android Open Source Project (AOSP) repository.</p>

<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files. The Remote Code
Execution Vulnerability in Broadcom's Wi-Fi driver is also Critical severity as
it could allow remote code execution on an affected device while connected to
the same network as the attacker. The
<a href="/security/overview/updates-resources.html#severity">severity
assessment</a> is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully bypassed.</p>

<p>We have had no reports of active customer exploitation of these newly reported
issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the
<a href="/security/enhancements/index.html">Android security platform protections</a>
and service protections such as SafetyNet, which improve the security of the
Android platform. We encourage all customers to accept these updates to their
devices.</p>

<h3 id=mitigations>Mitigations</h3>

<p>This is a summary of the mitigations provided by the
<a href="/security/enhancements/index.html">Android security platform</a> and
service protections such as SafetyNet. These capabilities reduce the
likelihood that security vulnerabilities could be successfully exploited on
Android.</p>

<ul>
<li> Exploitation for many issues on Android is made more difficult by enhancements
in newer versions of the Android platform. We encourage all users to update to
the latest version of Android where possible.
<li> The Android Security team is actively monitoring for abuse with Verify Apps and
SafetyNet, which will warn about potentially harmful applications about to be
installed. Device rooting tools are prohibited within Google Play. To protect
users who install applications from outside of Google Play, Verify Apps is
enabled by default and will warn users about known rooting applications. Verify
Apps attempts to identify and block installation of known malicious
applications that exploit a privilege escalation vulnerability. If such an
application has already been installed, Verify Apps will notify the user and
attempt to remove any such applications.
<li> As appropriate, Google Hangouts and Messenger applications do not automatically
pass media to processes such as mediaserver.
</ul>

<h3 id=acknowledgements>Acknowledgements</h3>

<p>We would like to thank these researchers for their contributions:</p>

<ul>
<li> Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810
<li> Broadgate Team: CVE-2016-0801, CVE-2015-0802
<li> Chiachih Wu (<a
href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), Mingjian Zhou (<a
href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and Xuxian Jiang
of <a href="http://c0reteam.org">C0RE Team</a>, <a
href="http://www.360safe.com/">Qihoo 360</a>: CVE-2016-0804
<li> David Riley of the Google Pixel C Team: CVE-2016-0812
<li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>)
of Lab IceSword, Qihoo 360: CVE-2016-0805
<li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of
KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811
<li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>)
of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803
<li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808
<li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807
</ul>

<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>

<p>In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2016-02-01 patch level.
There is a description of the issue, a severity rationale, and a table
with the CVE, associated bug, severity, affected versions, and date reported.
When available, we will link the AOSP commit that addressed the issue to the
bug ID. When multiple changes relate to a single bug, additional AOSP
references are linked to numbers following the bug ID.</p>

<h3 id=remote_code_execution_vulnerability_in_broadcom_wi-fi_driver>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</h3>

<p>Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could
allow a remote attacker to use specially crafted wireless control message
packets to corrupt kernel memory in a way that leads to remote code execution
in the context of the kernel. These vulnerabilities can be triggered when the
attacker and the victim are associated with the same network. This issue is
rated as a Critical severity due to the possibility of remote code execution in
the context of the kernel without requiring user interaction.</p>
<table>
<tr>
<th>CVE</th>
<th>Bugs</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0801</td>
<td><a href="https://android.googlesource.com/kernel/msm/+/68cdc8df1cb6622980b791ce03e99c255c9888af%5E!">ANDROID-25662029</a><br />
<a href="https://android.googlesource.com/kernel/msm/+/68cdc8df1cb6622980b791ce03e99c255c9888af%5E!">ANDROID-25662233</a></td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 25, 2015</td>
</tr>
<tr>
<td>CVE-2016-0802</td>
<td><a href="https://android.googlesource.com/kernel/msm/+/3fffc78f70dc101add8b82af878d53457713d005%5E%21/">ANDROID-25306181</a></td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 26, 2015</td>
</tr>
</table>

<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>

<p>During media file and data processing of a specially crafted file,
vulnerabilities in mediaserver could allow an attacker to cause memory
corruption and remote code execution as the mediaserver process.</p>

<p>The affected functionality is provided as a core part of the operating system
and there are multiple applications that allow it to be reached with remote
content, most notably MMS and browser playback of media.</p>

<p>This issue is rated as a Critical severity due to the possibility of remote
code execution within the context of the mediaserver service. The mediaserver
service has access to audio and video streams as well as access to privileges
that third-party apps cannot normally access.</p>
<table>
<tr>
<th>CVE</th>
<th>Bugs with AOSP links</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0803</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/50270d98e26fa18b20ca88216c3526667b724ba7">ANDROID-25812794</a></td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 19, 2015</td>
</tr>
<tr>
<td>CVE-2016-0804</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/224858e719d045c8554856b12c4ab73d2375cf33">ANDROID-25070434</a></td>
<td>Critical</td>
<td>5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 12, 2015</td>
</tr>
</table>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3>

<p>An elevation of privilege vulnerability in the performance event manager
component for ARM processors from Qualcomm could enable a local malicious
application to execute arbitrary code within the kernel. This issue is rated as
a Critical severity due to the possibility of a local permanent device
compromise and the device would possibly need to be repaired by re-flashing the
operating system.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0805</td>
<td>ANDROID-25773204*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 15, 2015</td>
</tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3>

<p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local
malicious application to execute arbitrary code within the context of the
kernel. This issue is rated as a Critical severity due to the possibility of a
local permanent device compromise and the device would possibly need to be
repaired by re-flashing the operating system.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0806</td>
<td>ANDROID-25344453*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 15, 2015</td>
</tr>
</table>

<p>* The patch for this issue is not in AOSP. The update is contained in the
latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>

<h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd</h3>

<p>An elevation of privilege vulnerability in the Debuggerd component could enable
a local malicious application to execute arbitrary code within the device root
context. This issue is rated as a Critical severity due to the possibility of a
local permanent device compromise and the device would possibly need to be
repaired by re-flashing the operating system.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0807</td>
<td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/d917514bd6b270df431ea4e781a865764d406120">ANDROID-25187394</a></td>
<td>Critical</td>
<td>6.0 and 6.0.1</td>
<td>Google Internal</td>
</tr>
</table>

<h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3>

<p>A denial of service vulnerability in the Minikin library could allow a local
attacker to temporarily block access to an affected device. An attacker could
cause an untrusted font to be loaded and cause an overflow in the Minikin
component which leads to a crash. This is rated as a High severity because
Denial of Service leads to a continuous reboot loop.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0808</td>
<td><a href="https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b">ANDROID-25645298</a></td>
<td>High</td>
<td>5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 3, 2015</td>
</tr>
</table>

<h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3>

<p>An elevation of privilege vulnerability in the Wi-Fi component could enable a
local malicious application to execute arbitrary code within the System
context. A device is only vulnerable to this issue while in local proximity.
This issue is rated as High severity because it could be used to gain <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a> capabilities remotely. Generally, these permissions are accessible only to
third-party applications installed locally.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0809</td>
<td><a href="https://android.googlesource.com/platform/hardware/broadcom/wlan/+/2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1%5E%21/#F0">ANDROID-25753768</a></td>
<td>High</td>
<td>6.0, 6.0.1</td>
<td>Google Internal</td>
</tr>
</table>

<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver</h3>

<p>An elevation of privilege vulnerability in mediaserver could enable a local
malicious application to execute arbitrary code within the context of an
elevated system application. This issue is rated as High severity because it
could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0810</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/19c47afbc402542720ddd280e1bbde3b2277b586">ANDROID-25781119</a></td>
<td>High</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Google Internal</td>
</tr>
</table>

<h3 id=information_disclosure_vulnerability_in_libmediaplayerservice>Information Disclosure Vulnerability in libmediaplayerservice</h3>

<p>An information disclosure vulnerability in libmediaplayerservice could permit a
bypass of security measures in place to increase the difficulty of attackers
exploiting the platform. These issues are rated as High severity because they
could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
<table>
<tr>
<th>CVE</th>
<th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0811</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/22f824feac43d5758f9a70b77f2aca840ba62c3b">ANDROID-25800375</a></td>
<td>High</td>
<td>6.0, 6.0.1</td>
<td>Nov 16, 2015</td>
</tr>
</table>

<h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3>

<p>A vulnerability in the Setup Wizard could allow a malicious attacker to bypass
the Factory Reset Protection and gain access to the device. This is rated as a
Moderate severity because it potentially allows someone with physical access to
a device to bypass the Factory Reset Protection, which enables an attacker to
successfully reset a device, erasing all data.</p>
<table>
<tr>
<th>CVE</th>
<th>Bugs with AOSP links</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0812</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/84669ca8de55d38073a0dcb01074233b0a417541">ANDROID-25229538</a></td>
<td>Moderate</td>
<td>5.1.1, 6.0</td>
<td>Google Internal</td>
</tr>
<tr>
<td>CVE-2016-0813</td>
<td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/16a76dadcc23a13223e9c2216dad1fe5cad7d6e1">ANDROID-25476219</a></td>
<td>Moderate</td>
<td>5.1.1, 6.0, 6.0.1</td>
<td>Google Internal</td>
</tr>
</table>

<h3 id=common_questions_and_answers>Common Questions and Answers</h3>

<p>This section reviews answers to common questions that may occur after reading
this bulletin.</p>

<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>

<p>Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1,
2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device
manufacturers that include these updates should set the patch string level to:
[ro.build.version.security_patch]:[2016-02-01]</p>

<h2 id=revisions>Revisions</h2>

<ul>
<li> February 01, 2016: Bulletin published.
<li> February 02, 2016: Bulletin revised to include AOSP links.
<li> March 07, 2016: Bulletin revised to include additional AOSP links.
</ul>

</body>
</html>