Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2016-0821: Nexus Security Bulletin - March 2016  |  Android Open Source Project

The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.

CVE
#vulnerability#web#android#google#linux#dos

Published March 07, 2016 | Updated March 08, 2016

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49H or later and Android M with Security Patch Level of March 01, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level.

Partners were notified about the issues described in the bulletin on February 1, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation of these newly reported issues. Refer to the Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform. We encourage all customers to accept these updates to their devices.

Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

  • Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security Team: CVE-2016-0815
  • Anestis Bechtsoudis (@anestisb) of CENSUS S.A.: CVE-2016-0816, CVE-2016-0824
  • Chad Brubaker from Android Security: CVE-2016-0818
  • Mark Brand of Google Project Zero: CVE-2016-0820
  • Mingjian Zhou (@Mingjian_Zhou), Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team from Qihoo 360: CVE-2016-0826
  • Peter Pi (@heisecode) of Trend Micro: CVE-2016-0827, CVE-2016-0828, CVE-2016-0829
  • Scott Bauer ([email protected], [email protected]): CVE-2016-0822
  • Wish Wu (@wish_wu) of Trend Micro Inc.: CVE-2016-0819
  • Yongzheng Wu and Tieyan Li of Huawei: CVE-2016-0831
  • Su Mon Kywe and Yingjiu Li of Singapore Management University: CVE-2016-0831
  • Zach Riggle (@ebeip90) of the Android Security Team: CVE-2016-0821

Security Vulnerability Details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-03-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, affected versions, and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.

Remote Code Execution Vulnerability in Mediaserver

During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps could not normally access.

CVE

Bugs with AOSP links

Severity

Updated versions

Date reported

CVE-2016-0815

ANDROID-26365349

Critical

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Google Internal

CVE-2016-0816

ANDROID-25928803

Critical

6.0, 6.0.1

Google Internal

Remote Code Execution Vulnerabilities in libvpx

During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

The issues are rated as Critical severity because they could be used for remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.

CVE

Bug with AOSP links

Severity

Updated versions

Date reported

CVE-2016-1621

ANDROID-23452792 [2] [3]

Critical

4.4.4, 5.0.2, 5.1.1, 6.0

Google Internal

Elevation of Privilege in Conscrypt

A vulnerability in Conscrypt could allow a specific type of invalid certificate, issued by an intermediate Certificate Authority (CA), to be incorrectly trusted. This may enable a man-in-the-middle attack. This issue is rated as a Critical severity due to the possibility of an elevation of privilege and remote arbitrary code execution.

CVE

Bug with AOSP links

Severity

Updated versions

Date reported

CVE-2016-0818

ANDROID-26232830 [2]

Critical

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Google Internal

Elevation of Privilege Vulnerability in the Qualcomm Performance Component

An elevation of privilege vulnerability in the Qualcomm performance component could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, and the device could only be repaired by re-flashing the operating system.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0819

ANDROID-25364034*

Critical

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Oct 29, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in MediaTek Wi-Fi Kernel Driver

There is a vulnerability in the MediaTek Wi-Fi kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as a Critical severity due to the possibility of elevation of privilege and arbitrary code execution in the context of the kernel.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0820

ANDROID-26267358*

Critical

6.0.1

Dec 18, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Kernel Keyring Component

An elevation of privilege vulnerability in the Kernel Keyring Component could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device could potentially only be repaired by re-flashing the operating system. However, in Android versions 5.0 and above, SELinux rules prevents third-party applications from reaching the affected code.

Note: For reference, the patch in AOSP is available for specific kernel versions: 4.1, 3.18, 3.14, and 3.10.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0728

ANDROID-26636379

Critical

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Jan 11, 2016

Mitigation Bypass Vulnerability in the Kernel

A mitigation bypass vulnerability in the kernel could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. This issue is rated as High severity because it could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform.

Note: The update for this issue is located in the Linux upstream.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0821

ANDROID-26186802

High

6.0.1

Google Internal

Elevation of Privilege in MediaTek Connectivity Kernel Driver

There is an elevation of privilege vulnerability in a MediaTek connectivity kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution bug like this would be rated critical, but because it requires first compromising the conn_launcher service, it justifies a downgrade to High severity rating.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0822

ANDROID-25873324*

High

6.0.1

Nov 24, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information Disclosure Vulnerability in Kernel

An information disclosure vulnerability in the kernel could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could allow a local bypass of exploit mitigation technologies such as ASLR in a privileged process.

Note: The fix for this issue is located in Linux upstream.

CVE

Bug

Severity

Updated versions

Date reported

CVE-2016-0823

ANDROID-25739721*

High

6.0.1

Google Internal

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information Disclosure Vulnerability in libstagefright

An information disclosure vulnerability in libstagefright could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE

Bug with AOSP link

Severity

Updated versions

Date reported

CVE-2016-0824

ANDROID-25765591

High

6.0, 6.0.1

Nov 18, 2015

Information Disclosure Vulnerability in Widevine

An information disclosure vulnerability in the Widevine Trusted Application could allow code running in the kernel context to access information in TrustZone secure storage. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges.

CVE

Bug(s)

Severity

Updated versions

Date reported

CVE-2016-0825

ANDROID-20860039*

High

6.0.1

Google Internal

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Mediaserver

An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE

Bugs with AOSP links

Severity

Updated versions

Date reported

CVE-2016-0826

ANDROID-26265403 [2]

High

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Dec 17, 2015

CVE-2016-0827

ANDROID-26347509

High

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Dec 28, 2015

Information Disclosure Vulnerability in Mediaserver

An information disclosure vulnerability in mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE

Bugs with AOSP links

Severity

Updated versions

Date reported

CVE-2016-0828

ANDROID-26338113

High

5.0.2, 5.1.1, 6.0, 6.0.1

Dec 27, 2015

CVE-2016-0829

ANDROID-26338109

High

4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1

Dec 27, 2015

Remote Denial of Service Vulnerability in Bluetooth

A remote denial of service vulnerability in the Bluetooth component could allow a proximal attacker to block access to an affected device. An attacker could cause an overflow of identified Bluetooth devices in the Bluetooth component, which leads to memory corruption and service stop. This is rated as a High severity because it leads to a Denial of Service to the Bluetooth service, which could potentially only be fixed with a flash of the device.

CVE

Bug with AOSP link

Severity

Updated versions

Date reported

CVE-2016-0830

ANDROID-26071376

High

6.0, 6.0.1

Google Internal

Information Disclosure Vulnerability in Telephony

An information disclosure vulnerability in the Telephony component could allow an application to access sensitive information. This issue is rated Moderate severity because it could be used to improperly access data without permission.

CVE

Bug with AOSP link

Severity

Updated versions

Date reported

CVE-2016-0831

ANDROID-25778215

Moderate

5.0.2, 5.1.1, 6.0, 6.0.1

Nov 16, 2015

Elevation of Privilege Vulnerability in Setup Wizard

A vulnerability in the Setup Wizard could enable an attacker who had physical access to the device to gain access to device settings and perform a manual device reset. This issue is rated as Moderate severity because it could be used to improperly work around the factory reset protection.

CVE

Bug(s)

Severity

Updated versions

Date reported

CVE-2016-0832

ANDROID-25955042*

Moderate

5.1.1, 6.0, 6.0.1

Google Internal

* There is no source code patch provided for this update.

Common Questions and Answers

This section reviews answers to common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Builds LMY49H or later and Android 6.0 with Security Patch Level of March 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-03-01]

Revisions

  • March 07, 2016: Bulletin published.
  • March 08, 2016: Bulletin revised to include AOSP links.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907