1 <html devsite> 2 <head> 3 <title>Nexus Security Bulletin - March 2016</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p><em>Published March 07, 2016 | Updated March 08, 2016</em></p> 27 28 <p>We have released a security update to Nexus devices through an over-the-air 29 (OTA) update as part of our Android Security Bulletin Monthly Release process. 30 The Nexus firmware images have also been released to the 31 <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. 32 Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later 33 address these issues. Refer to the 34 <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> 35 for instructions on how to check the security patch level.</p> 36 37 <p>Partners were notified about the issues described in the bulletin on February 38 1, 2016 or earlier. Where applicable, source code patches for these issues have been 39 released to the Android Open Source Project (AOSP) repository.</p> 40 41 <p>The most severe of these issues is a Critical security vulnerability that could 42 enable remote code execution on an affected device through multiple methods 43 such as email, web browsing, and MMS when processing media files. The 44 <a href="/security/overview/updates-resources.html#severity">severity 45 assessment</a> is based on the effect that exploiting the vulnerability would 46 possibly have on an affected device, assuming the platform and service 47 mitigations are disabled for development purposes or if successfully bypassed.</p> 48 49 <p>We have had no reports of active customer exploitation of these newly reported 50 issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the 51 <a href="/security/enhancements/index.html">Android security platform protections</a> 52 and service protections such as SafetyNet, which improve the security of the 53 Android platform. We encourage all customers to accept these updates to their 54 devices.</p> 55 56 <h3 id=mitigations>Mitigations</h3> 57 58 59 <p>This is a summary of the mitigations provided by the 60 <a href="/security/enhancements/index.html">Android security platform</a> 61 and service protections such as SafetyNet. These capabilities reduce the 62 likelihood that security vulnerabilities could be successfully exploited on 63 Android.</p> 64 65 <ul> 66 <li> Exploitation for many issues on Android is made more difficult by enhancements 67 in newer versions of the Android platform. We encourage all users to update to 68 the latest version of Android where possible. 69 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 70 SafetyNet which will warn about potentially harmful applications about to be 71 installed. Device rooting tools are prohibited within Google Play. To protect 72 users who install applications from outside of Google Play, Verify Apps is 73 enabled by default and will warn users about known rooting applications. Verify 74 Apps attempts to identify and block installation of known malicious 75 applications that exploit a privilege escalation vulnerability. If such an 76 application has already been installed, Verify Apps will notify the user and 77 attempt to remove any such applications. 78 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 79 pass media to processes such as mediaserver. 80 </ul> 81 82 <h3 id=acknowledgements>Acknowledgements</h3> 83 84 85 <p>We would like to thank these researchers for their contributions:</p> 86 87 <ul> 88 <li> Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security 89 Team: CVE-2016-0815 90 <li> Anestis Bechtsoudis (<a href="https://twitter.com/anestisb">@anestisb</a>) of CENSUS S.A.: CVE-2016-0816, CVE-2016-0824 91 <li> Chad Brubaker from Android Security: CVE-2016-0818 92 <li> Mark Brand of Google Project Zero: CVE-2016-0820 93 <li> Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a> from <a href="http://www.360safe.com">Qihoo 360</a>: CVE-2016-0826 94 <li> Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>) of Trend Micro: CVE-2016-0827, CVE-2016-0828, CVE-2016-0829 95 <li> Scott Bauer (<a href="mailto:sbauer (a] eng.utah.edu">sbauer (a] eng.utah.edu</a>, <a href="mailto:sbauer (a] plzdonthack.me">sbauer (a] plzdonthack.me</a>): CVE-2016-0822 96 <li> Wish Wu (<a href="https://twitter.com/@wish_wu">@wish_wu</a>) of Trend Micro Inc.: CVE-2016-0819 97 <li> Yongzheng Wu and Tieyan Li of Huawei: CVE-2016-0831 98 <li> Su Mon Kywe and Yingjiu Li of Singapore Management University: CVE-2016-0831 99 <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0821 100 </ul> 101 102 <h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 103 104 105 <p>In the sections below, we provide details for each of the security 106 vulnerabilities that apply to the 2016-03-01 patch level. 107 There is a description of the issue, a severity rationale, and a table 108 with the CVE, associated bug, severity, affected versions, and date reported. 109 When available, we will link the AOSP change that addressed the issue to the 110 bug ID. When multiple changes relate to a single bug, additional AOSP 111 references are linked to numbers following the bug ID.</p> 112 113 <h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> 114 115 116 <p>During media file and data processing of a specially crafted file, 117 vulnerabilities in mediaserver could allow an attacker to cause memory 118 corruption and remote code execution as the mediaserver process.</p> 119 120 <p>The affected functionality is provided as a core part of the operating system, 121 and there are multiple applications that allow it to be reached with remote 122 content, most notably MMS and browser playback of media.</p> 123 124 <p>This issue is rated as a Critical severity due to the possibility of remote 125 code execution within the context of the mediaserver service. The mediaserver 126 service has access to audio and video streams as well as access to privileges 127 that third-party apps could not normally access.</p> 128 <table> 129 <tr> 130 <th>CVE</th> 131 <th>Bugs with AOSP links</th> 132 <th>Severity</th> 133 <th>Updated versions</th> 134 <th>Date reported</th> 135 </tr> 136 <tr> 137 <td>CVE-2016-0815</td> 138 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5403587a74aee2fb57076528c3927851531c8afb">ANDROID-26365349</a> 139 </td> 140 <td>Critical</td> 141 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 142 <td>Google Internal</td> 143 </tr> 144 <tr> 145 <td>CVE-2016-0816</td> 146 <td><a href="https://android.googlesource.com/platform/external/libavc/+/4a524d3a8ae9aa20c36430008e6bd429443f8f1d">ANDROID-25928803</a> 147 </td> 148 <td>Critical</td> 149 <td>6.0, 6.0.1</td> 150 <td>Google Internal</td> 151 </tr> 152 </table> 153 154 155 <h3 id=remote_code_execution_vulnerabilities_in_libvpx>Remote Code Execution Vulnerabilities in libvpx</h3> 156 157 158 <p>During media file and data processing of a specially crafted file, 159 vulnerabilities in mediaserver could allow an attacker to cause memory 160 corruption and remote code execution as the mediaserver process.</p> 161 162 <p>The affected functionality is provided as a core part of the operating system 163 and there are multiple applications that allow it to be reached with remote 164 content, most notably MMS and browser playback of media.</p> 165 166 <p>The issues are rated as Critical severity because they could be used for remote 167 code execution within the context of the mediaserver service. The mediaserver 168 service has access to audio and video streams as well as access to privileges 169 that third-party apps cannot normally access.</p> 170 <table> 171 <tr> 172 <th>CVE</th> 173 <th>Bug with AOSP links</th> 174 <th>Severity</th> 175 <th>Updated versions</th> 176 <th>Date reported</th> 177 </tr> 178 <tr> 179 <td>CVE-2016-1621</td> 180 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/5a6788730acfc6fd8f4a6ef89d2c376572a26b55">ANDROID-23452792</a> 181 <a href="https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d">[2]</a> 182 <a href="https://android.googlesource.com/platform/external/libvpx/+/5a9753fca56f0eeb9f61e342b2fccffc364f9426">[3]</a> 183 </td> 184 <td>Critical</td> 185 <td>4.4.4, 5.0.2, 5.1.1, 6.0</td> 186 <td>Google Internal</td> 187 </tr> 188 </table> 189 190 191 <h3 id=elevation_of_privilege_in_conscrypt>Elevation of Privilege in Conscrypt</h3> 192 193 <p>A vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted. This may enable a man-in-the-middle attack. This issue is rated as a Critical severity due to the possibility of an elevation of privilege and remote arbitrary code execution.</p> 194 195 <table> 196 <tr> 197 <th>CVE</th> 198 <th>Bug with AOSP links</th> 199 <th>Severity</th> 200 <th>Updated versions</th> 201 <th>Date reported</th> 202 </tr> 203 <tr> 204 <td>CVE-2016-0818</td> 205 <td><a href="https://android.googlesource.com/platform/external/conscrypt/+/c4ab1b959280413fb11bf4fd7f6b4c2ba38bd779">ANDROID-26232830</a> 206 <a href="https://android.googlesource.com/platform/external/conscrypt/+/4c9f9c2201116acf790fca25af43995d29980ee0">[2]</a> 207 </td> 208 <td>Critical</td> 209 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 210 <td>Google Internal</td> 211 </tr> 212 </table> 213 214 215 <h3 id=elevation_of_privilege_vulnerability_in_the_qualcomm_performance_component>Elevation of Privilege Vulnerability in the Qualcomm Performance Component</h3> 216 217 218 <p>An elevation of privilege vulnerability in the Qualcomm performance component 219 could enable a local malicious application to execute arbitrary code in the 220 kernel. This issue is rated as a Critical severity due to the possibility of a 221 local permanent device compromise, and the device could only be repaired by 222 re-flashing the operating system.</p> 223 <table> 224 <tr> 225 <th>CVE</th> 226 <th>Bug</th> 227 <th>Severity</th> 228 <th>Updated versions</th> 229 <th>Date reported</th> 230 </tr> 231 <tr> 232 <td>CVE-2016-0819</td> 233 <td>ANDROID-25364034*</td> 234 <td>Critical</td> 235 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 236 <td>Oct 29, 2015</td> 237 </tr> 238 </table> 239 240 241 <p>* The patch for this issue is not in AOSP. The update is contained in the 242 latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 243 244 <h3 id=elevation_of_privilege_vulnerability_in_mediatek_wi-fi_kernel_driver>Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel Driver</h3> 245 246 247 <p>There is a vulnerability in the MediaTek Wi-Fi kernel driver that could enable 248 a local malicious application to execute arbitrary code within the context of 249 the kernel. This issue is rated as a Critical severity due to the possibility 250 of elevation of privilege and arbitrary code execution in the context of the 251 kernel.</p> 252 <table> 253 <tr> 254 <th>CVE</th> 255 <th>Bug</th> 256 <th>Severity</th> 257 <th>Updated versions</th> 258 <th>Date reported</th> 259 </tr> 260 <tr> 261 <td>CVE-2016-0820</td> 262 <td>ANDROID-26267358*</td> 263 <td>Critical</td> 264 <td>6.0.1</td> 265 <td>Dec 18, 2015</td> 266 </tr> 267 </table> 268 269 270 <p>* The patch for this issue is not in AOSP. The update is contained in the 271 latest binary drivers for Nexus devices available from the 272 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 273 274 <h3 id=elevation_of_privilege_vulnerability_in_kernel_keyring_component>Elevation of Privilege Vulnerability in Kernel Keyring Component</h3> 275 276 277 <p>An elevation of privilege vulnerability in the Kernel Keyring Component could 278 enable a local malicious application to execute arbitrary code within the 279 kernel. This issue is rated as a Critical severity due to the possibility of a 280 local permanent device compromise and the device could potentially only be 281 repaired by re-flashing the operating system. However, in Android versions 5.0 282 and above, SELinux rules prevents third-party applications from reaching the 283 affected code.</p> 284 285 <p><strong>Note:</strong> For reference, the patch in AOSP is available for specific kernel versions: 286 <a href="https://android.googlesource.com/kernel/common/+/8a8431507f8f5910db5ac85b72dbdc4ed8f6b308">4.1</a>, 287 <a href="https://android.googlesource.com/kernel/common/+/ba8bb5774ca7b1acc314c98638cf678ce0beb19a">3.18</a>, 288 <a href="https://android.googlesource.com/kernel/common/+/93faf7ad3d603c33b33e49318e81cf00f3a24a73">3.14</a>, 289 and <a href="https://android.googlesource.com/kernel/common/+/9fc5f368bb89b65b591c4f800dfbcc7432e49de5">3.10</a>.</p> 290 <table> 291 <tr> 292 <th>CVE</th> 293 <th>Bug</th> 294 <th>Severity</th> 295 <th>Updated versions</th> 296 <th>Date reported</th> 297 </tr> 298 <tr> 299 <td>CVE-2016-0728</td> 300 <td>ANDROID-26636379 </td> 301 <td>Critical</td> 302 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 </td> 303 <td>Jan 11, 2016</td> 304 </tr> 305 </table> 306 307 308 <h3 id=mitigation_bypass_vulnerability_in_the_kernel>Mitigation Bypass Vulnerability in the Kernel</h3> 309 310 311 <p>A mitigation bypass vulnerability in the kernel could permit a bypass of 312 security measures in place to increase the difficulty of attackers exploiting 313 the platform. This issue is rated as High severity because it could permit a 314 bypass of security measures in place to increase the difficulty of attackers 315 exploiting the platform.</p> 316 317 <p><strong>Note:</strong> The update for this issue is 318 <a href="https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf">located in the Linux upstream</a>.</p> 319 320 <table> 321 <tr> 322 <th>CVE</th> 323 <th>Bug</th> 324 <th>Severity</th> 325 <th>Updated versions</th> 326 <th>Date reported</th> 327 </tr> 328 <tr> 329 <td>CVE-2016-0821</td> 330 <td>ANDROID-26186802</td> 331 <td>High</td> 332 <td>6.0.1</td> 333 <td>Google Internal</td> 334 </tr> 335 </table> 336 337 338 <h3 id=elevation_of_privilege_in_mediatek_connectivity_kernel_driver>Elevation of Privilege in MediaTek Connectivity Kernel Driver</h3> 339 340 341 <p>There is an elevation of privilege vulnerability in a MediaTek connectivity 342 kernel driver that could enable a local malicious application to execute 343 arbitrary code within the context of the kernel. Normally a kernel code execution 344 bug like this would be rated critical, but because it requires first compromising 345 the conn_launcher service, it justifies a downgrade to High severity rating. 346 </p> 347 <table> 348 <tr> 349 <th>CVE</th> 350 <th>Bug</th> 351 <th>Severity</th> 352 <th>Updated versions</th> 353 <th>Date reported</th> 354 </tr> 355 <tr> 356 <td>CVE-2016-0822</td> 357 <td>ANDROID-25873324*</td> 358 <td>High</td> 359 <td>6.0.1</td> 360 <td>Nov 24, 2015</td> 361 </tr> 362 </table> 363 364 365 <p>* The patch for this issue is not in AOSP. The update is contained in the 366 latest binary drivers for Nexus devices available from the 367 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 368 369 <h3 id=information_disclosure_vulnerability_in_kernel>Information Disclosure Vulnerability in Kernel</h3> 370 371 372 <p>An information disclosure vulnerability in the kernel could permit a bypass of 373 security measures in place to increase the difficulty of attackers exploiting 374 the platform. These issues are rated as High severity because they could allow 375 a local bypass of exploit mitigation technologies such as ASLR in a privileged 376 process.</p> 377 378 <p><strong>Note:</strong> The fix for this issue is 379 <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce">located in Linux upstream</a>.</p> 380 <table> 381 <tr> 382 <th>CVE</th> 383 <th>Bug</th> 384 <th>Severity</th> 385 <th>Updated versions</th> 386 <th>Date reported</th> 387 </tr> 388 <tr> 389 <td>CVE-2016-0823</td> 390 <td>ANDROID-25739721*</td> 391 <td>High</td> 392 <td>6.0.1</td> 393 <td>Google Internal</td> 394 </tr> 395 </table> 396 <p>* The patch for this issue is not in AOSP. The update is contained in the 397 latest binary drivers for Nexus devices available from the 398 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 399 400 <h3 id=information_disclosure_vulnerability_in_libstagefright>Information Disclosure Vulnerability in libstagefright</h3> 401 402 403 <p>An information disclosure vulnerability in libstagefright could permit a bypass 404 of security measures in place to increase the difficulty of attackers 405 exploiting the platform. These issues are rated as High severity because they 406 could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 407 <table> 408 <tr> 409 <th>CVE</th> 410 <th>Bug with AOSP link</th> 411 <th>Severity</th> 412 <th>Updated versions</th> 413 <th>Date reported</th> 414 </tr> 415 <tr> 416 <td>CVE-2016-0824</td> 417 <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/ffab15eb80630dc799eb410855c93525b75233c3">ANDROID-25765591</a> 418 </td> 419 <td>High</td> 420 <td>6.0, 6.0.1</td> 421 <td>Nov 18, 2015</td> 422 </tr> 423 </table> 424 425 426 <h3 id=information_disclosure_vulnerability_in_widevine>Information Disclosure Vulnerability in Widevine</h3> 427 428 429 <p>An information disclosure vulnerability in the Widevine Trusted Application 430 could allow code running in the kernel context to access information in 431 TrustZone secure storage. This issue is rated as High severity because it could 432 be used to gain elevated capabilities, such as 433 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or 434 <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> 435 permissions privileges.</p> 436 <table> 437 <tr> 438 <th>CVE</th> 439 <th>Bug(s)</th> 440 <th>Severity</th> 441 <th>Updated versions</th> 442 <th>Date reported</th> 443 </tr> 444 <tr> 445 <td>CVE-2016-0825</td> 446 <td>ANDROID-20860039*</td> 447 <td>High</td> 448 <td>6.0.1</td> 449 <td>Google Internal</td> 450 </tr> 451 </table> 452 453 454 <p>* The patch for this issue is not in AOSP. The update is contained in the 455 latest binary drivers for Nexus devices available from the 456 <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p> 457 458 <h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3> 459 460 461 <p>An elevation of privilege vulnerability in mediaserver could enable a local 462 malicious application to execute arbitrary code within the context of an 463 elevated system application. This issue is rated as High severity because it 464 could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 465 <table> 466 <tr> 467 <th>CVE</th> 468 <th>Bugs with AOSP links</th> 469 <th>Severity</th> 470 <th>Updated versions</th> 471 <th>Date reported</th> 472 </tr> 473 <tr> 474 <td>CVE-2016-0826</td> 475 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c9ab2b0bb05a7e19fb057e79b36e232809d70122">ANDROID-26265403</a> 476 <a href="https://android.googlesource.com/platform/frameworks/av/+/899823966e78552bb6dfd7772403a4f91471d2b0">[2]</a> 477 </td> 478 <td>High</td> 479 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 480 <td>Dec 17, 2015</td> 481 </tr> 482 <tr> 483 <td>CVE-2016-0827</td> 484 <td><a href="https://android.googlesource.com/platform/frameworks/av/+/9e29523b9537983b4c4b205ff868d0b3bca0383b">ANDROID-26347509</a></td> 485 <td>High</td> 486 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 487 <td>Dec 28, 2015</td> 488 </tr> 489 </table> 490 491 492 <h3 id=information_disclosure_vulnerability_in_mediaserver>Information Disclosure Vulnerability in Mediaserver </h3> 493 494 495 <p>An information disclosure vulnerability in mediaserver could permit a bypass of 496 security measures in place to increase the difficulty of attackers exploiting 497 the platform. These issues are rated as High severity because they could also 498 be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> 499 <table> 500 <tr> 501 <th>CVE</th> 502 <th>Bugs with AOSP links</th> 503 <th>Severity</th> 504 <th>Updated versions</th> 505 <th>Date reported</th> 506 </tr> 507 <tr> 508 <td>CVE-2016-0828</td> 509 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/dded8fdbb700d6cc498debc69a780915bc34d755">ANDROID-26338113</a> 510 </td> 511 <td>High</td> 512 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 513 <td>Dec 27, 2015</td> 514 </tr> 515 <tr> 516 <td>CVE-2016-0829</td> 517 <td><a href="https://android.googlesource.com/platform/frameworks/native/+/d06421fd37fbb7fd07002e6738fac3a223cb1a62">ANDROID-26338109</a></td> 518 <td>High</td> 519 <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td> 520 <td>Dec 27, 2015</td> 521 </tr> 522 </table> 523 524 525 <h3 id=remote_denial_of_service_vulnerability_in_bluetooth>Remote Denial of Service Vulnerability in Bluetooth</h3> 526 527 528 <p>A remote denial of service vulnerability in the Bluetooth component could allow 529 a proximal attacker to block access to an affected device. An attacker could 530 cause an overflow of identified Bluetooth devices in the Bluetooth component, 531 which leads to memory corruption and service stop. This is rated as a High 532 severity because it leads to a Denial of Service to the Bluetooth service, which 533 could potentially only be fixed with a flash of the device.</p> 534 <table> 535 <tr> 536 <th>CVE</th> 537 <th>Bug with AOSP link</th> 538 <th>Severity</th> 539 <th>Updated versions</th> 540 <th>Date reported</th> 541 </tr> 542 <tr> 543 <td>CVE-2016-0830</td> 544 <td><a href="https://android.googlesource.com/platform/system/bt/+/d77f1999ecece56c1cbb333f4ddc26f0b5bac2c5">ANDROID-26071376</a></td> 545 <td>High</td> 546 <td>6.0, 6.0.1</td> 547 <td>Google Internal</td> 548 </tr> 549 </table> 550 551 552 <h3 id=information_disclosure_vulnerability_in_telephony>Information Disclosure Vulnerability in Telephony</h3> 553 554 555 <p>An information disclosure vulnerability in the Telephony component could allow 556 an application to access sensitive information. This issue is rated Moderate 557 severity because it could be used to improperly access data without 558 permission.</p> 559 <table> 560 <tr> 561 <th>CVE</th> 562 <th>Bug with AOSP link</th> 563 <th>Severity</th> 564 <th>Updated versions</th> 565 <th>Date reported</th> 566 </tr> 567 <tr> 568 <td>CVE-2016-0831</td> 569 <td><a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/79eecef63f3ea99688333c19e22813f54d4a31b1">ANDROID-25778215</a></td> 570 <td>Moderate</td> 571 <td>5.0.2, 5.1.1, 6.0, 6.0.1</td> 572 <td>Nov 16, 2015</td> 573 </tr> 574 </table> 575 576 577 <h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> 578 579 580 <p>A vulnerability in the Setup Wizard could enable an attacker who had physical 581 access to the device to gain access to device settings and perform a manual 582 device reset. This issue is rated as Moderate severity because it could be used 583 to improperly work around the factory reset protection.</p> 584 <table> 585 <tr> 586 <th>CVE</th> 587 <th>Bug(s)</th> 588 <th>Severity</th> 589 <th>Updated versions</th> 590 <th>Date reported</th> 591 </tr> 592 <tr> 593 <td>CVE-2016-0832</td> 594 <td>ANDROID-25955042*</td> 595 <td>Moderate</td> 596 <td>5.1.1, 6.0, 6.0.1</td> 597 <td>Google Internal</td> 598 </tr> 599 </table> 600 601 602 <p>* There is no source code patch provided for this update.</p> 603 604 <h2 id=common_questions_and_answers>Common Questions and Answers</h2> 605 606 607 <p>This section reviews answers to common questions that may occur after reading 608 this bulletin.</p> 609 610 <p><strong>1. How do I determine if my device is updated to address these issues? </strong></p> 611 612 <p>Builds LMY49H or later and Android 6.0 with Security Patch Level of March 1, 613 2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 614 manufacturers that include these updates should set the patch string level to: 615 [ro.build.version.security_patch]:[2016-03-01]</p> 616 617 <h2 id=revisions>Revisions</h2> 618 619 620 <ul> 621 <li> March 07, 2016: Bulletin published. 622 <li> March 08, 2016: Bulletin revised to include AOSP links. 623 </ul> 624 625 </body> 626 </html> 627
