Headline
CVE-2015-6647: Nexus Security Bulletin—January 2016
The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application that leverages QSEECOM access, aka internal bug 24441554.
Published January 04, 2016 | Updated April 28, 2016
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address these issues. Refer to the Common Questions and Answers section for more details.
Partners were notified about and provided updates for the issues described in this bulletin on December 7, 2015 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation of these newly reported issues. Refer to the Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform. We encourage all customers to accept these updates to their devices.
Mitigations
This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.
Acknowledgements
We would like to thank these researchers for their contributions:
- Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security Team: CVE-2015-6636
- Sen Nie (@nforest_) and jfang of KEEN lab, Tencent (@K33nTeam): CVE-2015-6637
- Yabin Cui from Android Bionic Team: CVE-2015-6640
- Tom Craig of Google X: CVE-2015-6641
- Jann Horn (https://thejh.net): CVE-2015-6642
- Jouni Malinen PGP id EFC895FA: CVE-2015-5310
- Quan Nguyen of Google Information Security Engineer Team: CVE-2015-6644
- Gal Beniamini (@laginimaineb, http://bits-please.blogspot.com): CVE-2015-6639
Security Vulnerability Details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-01-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, updated versions, and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.
Remote Code Execution Vulnerability in Mediaserver
During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.
The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-6636
ANDROID-25070493
Critical
5.0, 5.1.1, 6.0, 6.0.1
Google Internal
ANDROID-24686670
Critical
5.0, 5.1.1, 6.0, 6.0.1
Google Internal
Elevation of Privilege Vulnerability in misc-sd driver
An elevation of privilege vulnerability in the misc-sd driver from MediaTek could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, in which case the device would possibly need to be repaired by re-flashing the operating system.
CVE
Bug(s)
Severity
Updated versions
Date reported
CVE-2015-6637
ANDROID-25307013*
Critical
4.4.4, 5.0, 5.1.1, 6.0, 6.0.1
Oct 26, 2015
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in the Imagination Technologies driver
An elevation of privilege vulnerability in a kernel driver from Imagination Technologies could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, in which case device would possibly need to be repaired by re-flashing the operating system.
CVE
Bug(s)
Severity
Updated versions
Date reported
CVE-2015-6638
ANDROID-24673908*
Critical
5.0, 5.1.1, 6.0, 6.0.1
Google Internal
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerabilities in Trustzone
Elevation of privilege vulnerabilities in the Widevine QSEE TrustZone application could enable a compromise, privileged application with access to QSEECOM to execute arbitrary code in the Trustzone context. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, in which case the device would possibly need to be repaired by re-flashing the operating system.
CVE
Bug(s)
Severity
Updated versions
Date reported
CVE-2015-6639
ANDROID-24446875*
Critical
5.0, 5.1.1, 6.0, 6.0.1
Sep 23, 2015
CVE-2015-6647
ANDROID-24441554*
Critical
5.0, 5.1.1, 6.0, 6.0.1
Sep 27, 2015
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Kernel
An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise, in which case the device would possibly need to be repaired by re-flashing the operating system.
CVE
Bug(s) with AOSP Link
Severity
Updated versions
Date reported
CVE-2015-6640
ANDROID-20017123
Critical
4.4.4, 5.0, 5.1.1, 6.0
Google Internal
Elevation of Privilege Vulnerability in Bluetooth
An elevation of privilege vulnerability in the Bluetooth component could enable a remote device paired over Bluetooth to gain access to user’s private information (Contacts). This issue is rated as High severity because it could be used to gain “dangerous” capabilities remotely, these permissions are accessible only to third-party applications installed locally.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-6641
ANDROID-23607427 [2]
High
6.0, 6.0.1
Google Internal
Information Disclosure Vulnerability in Kernel
An information disclosure vulnerability in the kernel could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.
CVE
Bug(s)
Severity
Updated versions
Date reported
CVE-2015-6642
ANDROID-24157888*
High
4.4.4, 5.0, 5.1.1, 6.0
Sep 12, 2015
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Setup Wizard
An elevation of privilege vulnerability in the Setup Wizard could enable an attacker with physical access to the device to gain access to device settings and perform a manual device reset. This issue is rated as Moderate severity because it could be used to improperly work around the factory reset protection.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-6643
ANDROID-25290269 [2]
Moderate
5.1.1, 6.0, 6.0.1
Google Internal
Elevation of Privilege Vulnerability in Wi-Fi
An elevation of privilege vulnerability in the Wi-Fi component could enable a locally proximate attacker to gain access to Wi-Fi service related information. A device is only vulnerable to this issue while in local proximity. This issue is rated as Moderate severity because it could be used to gain “normal” capabilities remotely, these permissions are accessible only to third-party applications installed locally.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-5310
ANDROID-25266660
Moderate
4.4.4, 5.0, 5.1.1, 6.0, 6.0.1
Oct 25, 2015
Information Disclosure Vulnerability in Bouncy Castle
An information disclosure vulnerability in Bouncy Castle could enable a local malicious application to gain access to user’s private information. This issue is rated as Moderate severity because it could be used to improperly gain “dangerous” permissions.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-6644
ANDROID-24106146
Moderate
4.4.4, 5.0, 5.1.1, 6.0, 6.0.1
Google Internal
Denial of Service Vulnerability in SyncManager
A denial of service vulnerability in the SyncManager could enable a local malicious application to cause a reboot loop. This issue is rated as Moderate severity because it could be used to cause a local temporary denial of service that would possibly need to be fixed though a factory reset.
CVE
Bug(s) with AOSP links
Severity
Updated versions
Date reported
CVE-2015-6645
ANDROID-23591205
Moderate
4.4.4, 5.0, 5.1.1, 6.0
Google Internal
Attack Surface Reduction for Nexus Kernels
SysV IPC is not supported in any Android Kernel. We have removed this from the OS as it exposes additional attack surface that doesn’t add functionality to the system that could be exploited by malicious applications. Also, System V IPCs are not compliant with Android’s application lifecycle because the allocated resources are not freeable by the memory manager leading to global kernel resource leakage. This change addresses issue such as CVE-2015-7613.
CVE
Bug(s)
Severity
Updated versions
Date reported
CVE-2015-6646
ANDROID-22300191*
Moderate
6.0
Google Internal
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Common Questions and Answers
This section reviews answers to common questions that may occur after reading this bulletin.
1. How do I determine if my device is updated to address these issues?
Builds LMY49F or later and Android 6.0 with Security Patch Level of January 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-01-01]
Revisions
- January 04, 2016: Bulletin published.
- January 06, 2016: Bulletin revised to include AOSP links.
- April 28, 2016: Removed CVE-2015-6617 from Acknowledgements and added CVE-2015-6647 to summary table
Related news
Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys prefix_len+feature_name_len integer overflow and resultant buffer overflow.
Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys file_name_len integer overflow and resultant buffer overflow.
Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagParseAndStoreData integer overflow and resultant buffer overflow.
Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagVerifyProvisioning integer overflow and resultant buffer overflow.
Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys total_len+file_name_len integer overflow and resultant buffer overflow.
Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys integer overflow and resultant buffer overflow.
Widevine Trustlet versions 5.x, 6.x, and 7.x suffer from a buffer overflow vulnerability in PRDiagVerifyProvisioning at 0x5f90.
Widevine Trustlet versions 5.x, 6.x, and 7.x suffer from a buffer overflow vulnerability in PRDiagVerifyProvisioning at 0x5f90.