1page.title=Nexus Security Bulletin - November 2015 2@jd:body 3 4<!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18--> 19<div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25</div> 26 27<p><em>Published November 02, 2015</em></p> 28 29<p>We have released a security update to Nexus devices through an over-the-air 30(OTA) update as part of our Android Security Bulletin Monthly Release process. 31The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY48X or later and Android Marshmallow with Security Patch Level of 32November 1, 2015 or later address these issues. Refer to the <a href="#common_questions_and_answers">Common Questions and Answers</a> section for more details.</p> 33 34<p>Partners were notified about these issues on October 5, 2015 or earlier. Source 35code patches for these issues will be released to the Android Open Source 36Project (AOSP) repository over the next 48 hours. We will revise this bulletin 37with the AOSP links when they are available.</p> 38 39<p>The most severe of these issues is a Critical security vulnerability that could 40enable remote code execution on an affected device through multiple methods 41such as email, web browsing, and MMS when processing media files.</p> 42 43<p>We have had no reports of active customer exploitation of these newly reported 44issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="{@docRoot}security/enhancements/index.html">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the 45Android platform. We encourage all customers to accept these updates to their 46devices.</p> 47 48<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> 49 50 51<p>The table below contains a list of security vulnerabilities, the Common 52Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 53affected device, assuming the platform and service mitigations are disabled for 54development purposes or if successfully bypassed. </p> 55<table> 56 <tr> 57 <th>Issue</th> 58 <th>CVE</th> 59 <th>Severity</th> 60 </tr> 61 <tr> 62 <td>Remote Code Execution Vulnerabilities in Mediaserver</td> 63 <td>CVE-2015-6608</td> 64 <td>Critical</td> 65 </tr> 66 <tr> 67 <td>Remote Code Execution Vulnerability in libutils</td> 68 <td>CVE-2015-6609</td> 69 <td>Critical</td> 70 </tr> 71 <tr> 72 <td>Information Disclosure Vulnerabilities in Mediaserver </td> 73 <td>CVE-2015-6611</td> 74 <td>High</td> 75 </tr> 76 <tr> 77 <td>Elevation of Privilege Vulnerability in libstagefright</td> 78 <td>CVE-2015-6610</td> 79 <td>High</td> 80 </tr> 81 <tr> 82 <td>Elevation of Privilege Vulnerability in libmedia</td> 83 <td>CVE-2015-6612</td> 84 <td>High</td> 85 </tr> 86 <tr> 87 <td>Elevation of Privilege Vulnerability in Bluetooth</td> 88 <td>CVE-2015-6613</td> 89 <td>High</td> 90 </tr> 91 <tr> 92 <td>Elevation of Privilege Vulnerability in Telephony</td> 93 <td>CVE-2015-6614</td> 94 <td>Moderate</td> 95 </tr> 96</table> 97 98 99<p>The <a href="{@docRoot}security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would have on an 100affected device, assuming the platform and service mitigations are disabled for 101development purposes or if successfully bypassed. </p> 102 103<h2 id=mitigations>Mitigations</h2> 104 105 106<p>This is a summary of the mitigations provided by the <a href="{@docRoot}security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the 107likelihood that security vulnerabilities can be successfully exploited on 108Android. </p> 109 110<ul> 111 <li> Exploitation for many issues on Android is made more difficult by enhancements 112in newer versions of the Android platform. We encourage all users to update to 113the latest version of Android where possible. 114 <li> The Android Security team is actively monitoring for abuse with Verify Apps and 115SafetyNet which will warn about potentially harmful applications about to be 116installed. Device rooting tools are prohibited within Google Play. To protect 117users who install applications from outside of Google Play, Verify Apps is 118enabled by default and will warn users about known rooting applications. Verify 119Apps attempts to identify and block installation of known malicious 120applications that exploit a privilege escalation vulnerability. If such an 121application has already been installed, Verify Apps will notify the user and 122attempt to remove any such applications. 123 <li> As appropriate, Google Hangouts and Messenger applications do not automatically 124pass media to processes such as mediaserver. 125</ul> 126 127<h2 id=acknowledgements>Acknowledgements</h2> 128 129 130<p>We would like to thank these researchers for their contributions:</p> 131 132<ul> 133 <li> Abhishek Arya, Oliver Chang and Martin Barbella, Google Chrome Security Team: 134CVE-2015-6608 135 <li> Daniel Micay (daniel.micay@copperhead.co) at Copperhead Security: CVE-2015-6609 136 <li> Dongkwan Kim of System Security Lab, KAIST (dkay@kaist.ac.kr): CVE-2015-6614 137 <li> Hongil Kim of System Security Lab, KAIST (hongilk@kaist.ac.kr): CVE-2015-6614 138 <li> Jack Tang of Trend Micro (@jacktang310): CVE-2015-6611 139 <li> Peter Pi of Trend Micro: CVE-2015-6611 140 <li> Natalie Silvanovich of Google Project Zero: CVE-2015-6608 141 <li> Qidan He (@flanker_hqd) and Wen Xu (@antlr7) from KeenTeam (@K33nTeam, 142http://k33nteam.org/): CVE-2015-6612 143 <li> Guang Gong (龚广) (<a href="https://twitter.com/oldfresher">@oldfresher</a>, higongguang@gmail.com) of <a href="http://www.360.cn">Qihoo 360 Technology CC 144o.Ltd</a>: CVE-2015-6612 145 <li> Seven Shen of Trend Micro: CVE-2015-6610 146</ul> 147 148<h2 id=security_vulnerability_details>Security Vulnerability Details</h2> 149 150 151<p>In the sections below, we provide details for each of the security 152vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> above. There is a description of the issue, a severity rationale, and a table 153with the CVE, associated bug, severity, affected versions, and date reported. 154Where available, we’ve linked the AOSP change that addressed the issue to the 155bug ID. When multiple changes relate to a single bug, additional AOSP 156references are linked to numbers following the bug ID.</p> 157 158<h3 id=remote_code_execution_vulnerabilities_in_mediaserver>Remote Code Execution Vulnerabilities in Mediaserver</h3> 159 160 161<p>During media file and data processing of a specially crafted file, 162vulnerabilities in mediaserver could allow an attacker to cause memory 163corruption and remote code execution as the mediaserver process.</p> 164 165<p>The affected functionality is provided as a core part of the operating system 166and there are multiple applications that allow it to be reached with remote 167content, most notably MMS and browser playback of media.</p> 168 169<p>This issue is rated as a Critical severity due to the possibility of remote 170code execution within the context of the mediaserver service. The mediaserver 171service has access to audio and video streams as well as access to privileges 172that third-party apps cannot normally access.</p> 173<table> 174 <tr> 175 <th>CVE</th> 176 <th>Bug(s) with AOSP links</th> 177 <th>Severity</th> 178 <th>Affected versions</th> 179 <th>Date reported</th> 180 </tr> 181 <tr> 182 <td rowspan="6">CVE-2015-6608</td> 183 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8ec845c8fe0f03bc57c901bc484541bdd6a7cf80">ANDROID-19779574</a></td> 184 <td rowspan="3">Critical</td> 185 <td rowspan="3">5.0, 5.1, 6.0</td> 186 <td rowspan="3">Google Internal</td> 187 </tr> 188 <tr> 189 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c6a2815eadfce62702d58b3fa3887f24c49e1864">ANDROID-23680780</a></td> 190 </tr> 191 <tr> 192 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Faac/+/b3c5a4bb8442ab3158fa1f52b790fadc64546f46">ANDROID-23876444</a></td> 193 </tr> 194 <tr> 195 <td><a href="https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd">ANDROID-23881715</a></td> 196 <td>Critical</td> 197 <td>4.4, 5.0, 5.1, 6.0</td> 198 <td>Google Internal</td> 199 </tr> 200 <tr> 201 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872">ANDROID-14388161</a></td> 202 <td>Critical</td> 203 <td>4.4 and 5.1</td> 204 <td>Google Internal</td> 205 </tr> 206 <tr> 207 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/f3eb82683a80341f5ac23057aab733a57963cab2">ANDROID-23658148</a></td> 208 <td>Critical</td> 209 <td>5.0, 5.1, 6.0</td> 210 <td>Google Internal</td> 211 </tr> 212</table> 213 214 215<h3 id=remote_code_execution_vulnerability_in_libutils>Remote Code Execution Vulnerability in libutils</h3> 216 217 218<p>A vulnerability in libutils, a generic library, can be exploited during audio 219file processing. This vulnerability could allow an attacker, during processing 220of a specially crafted file, to cause memory corruption and remote code 221execution.</p> 222 223<p>The affected functionality is provided as an API and there are multiple 224applications that allow it to be reached with remote content, most notably MMS 225and browser playback of media. This issue is rated as a Critical severity issue 226due to the possibility of remote code execution in a privileged service. The 227affected component has access to audio and video streams as well as access to 228privileges that third-party apps cannot normally access.</p> 229 230<table> 231 <tr> 232 <th>CVE</th> 233 <th>Bug(s) with AOSP links</th> 234 <th>Severity</th> 235 <th>Affected versions</th> 236 <th>Date reported</th> 237 </tr> 238 <tr> 239 <td>CVE-2015-6609</td> 240 <td><a href="https://android.googlesource.com/platform%2Fbootable%2Frecovery/+/ec63d564a86ad5b30f75aa307b4bd271f6a96a56">ANDROID-22953624</a> 241[<a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/419e6c3c68413bd6dbb6872340b2ae0d69a0fd60">2</a>]</td> 242 <td>Critical</td> 243 <td>6.0 and below</td> 244 <td>Aug 3, 2015</td> 245 </tr> 246</table> 247 248 249<h3 id=information_disclosure_vulnerabilities_in_mediaserver>Information Disclosure Vulnerabilities in Mediaserver</h3> 250 251 252<p>There are information disclosure vulnerabilities in mediaserver that can permit 253a bypass of security measures in place to increase the difficulty of attackers 254exploiting the platform.</p> 255<table> 256 <tr> 257 <th>CVE</th> 258 <th>Bug(s) with AOSP links</th> 259 <th>Severity</th> 260 <th>Affected versions</th> 261 <th>Date reported</th> 262 </tr> 263 <tr> 264 <td rowspan="12">CVE-2015-6611</td> 265 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/1c7719820359f4190cd4bfd1a24d521face7b4f8">ANDROID-23905951</a> 266[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3b76870d146b1350db8a2f7797e06897c8c92dc2">2</a>] 267[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/40715a2ee896edd2df4023d9f6f586977887d34c">3</a>] </td> 268 <td rowspan="3">High</td> 269 <td rowspan="3">6.0 and below</td> 270 <td rowspan="3">Sep 07, 2015</td> 271 </tr> 272 <tr> 273 <td>ANDROID-23912202*</td> 274 </tr> 275 <tr> 276 <td>ANDROID-23953967*</td> 277 </tr> 278 <tr> 279 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fnative/+/b414255f53b560a06e642251535b019327ba0d7b">ANDROID-23696300</a></td> 280 <td>High</td> 281 <td>6.0 and below</td> 282 <td>Aug 31, 2015</td> 283 </tr> 284 <tr> 285 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/09ed70fab1f1424971ccc105dcdf5be5ce2e2643">ANDROID-23600291</a></td> 286 <td>High</td> 287 <td>6.0 and below</td> 288 <td>Aug 26, 2015</td> 289 </tr> 290 <tr> 291 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/892354335d49f0b9fcd10e20e0c13e3cd0f1f1cb">ANDROID-23756261</a> 292[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/a946d844a77906072f5eb7093d41db465d6514bb">2</a>]</td> 293 <td>High</td> 294 <td>6.0 and below</td> 295 <td>Aug 26, 2015</td> 296 </tr> 297 <tr> 298 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/57bed83a539535bb64a33722fb67231119cb0618">ANDROID-23540907</a> [<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/25a634427dec455b79d73562131985ae85b98c43">2</a>]</td> 299 <td>High</td> 300 <td>5.1 and below</td> 301 <td>Aug 25, 2015</td> 302 </tr> 303 <tr> 304 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d53aced041b7214a92b1f2fd5970d895bb9934e5">ANDROID-23541506</a></td> 305 <td rowspan="4">High</td> 306 <td rowspan="4">6.0 and below</td> 307 <td rowspan="4">Aug 25, 2015</td> 308 </tr> 309 <tr> 310 <td>ANDROID-23284974*</td> 311 </tr> 312 <tr> 313 <td>ANDROID-23542351*</td> 314 </tr> 315 <tr> 316 <td>ANDROID-23542352*</td> 317 </tr> 318 <tr> 319 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0981df6e3db106bfb7a56a2b668c012fcc34dd2c">ANDROID-23515142</a></td> 320 <td>High</td> 321 <td>5.1 and below</td> 322 <td>Aug 19, 2015</td> 323 </tr> 324</table> 325<p>* The patch for this bug is included in other provided AOSP links.</p> 326 327<h3 id=elevation_of_privilege_vulnerability_in_libstagefright>Elevation of Privilege Vulnerability in libstagefright</h3> 328 329 330<p>There is an elevation of privilege vulnerability in libstagefright that can 331enable a local malicious application to cause memory corruption and arbitrary 332code execution within the context of the mediaserver service. While this issue 333would normally be rated Critical, we have assessed this issue as High 334severity because of a lower likelihood that it can be exploited remotely.</p> 335<table> 336 <tr> 337 <th>CVE</th> 338 <th>Bug(s) with AOSP links</th> 339 <th>Severity</th> 340 <th>Affected versions</th> 341 <th>Date reported</th> 342 </tr> 343 <tr> 344 <td>CVE-2015-6610</td> 345 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/d26052738f7b095b7e318c8dde7f32db0a48450c">ANDROID-23707088</a> 346[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/820c105f7a4dc0971ee563caea4c9b346854a2f7">2</a>]</td> 347 <td>High</td> 348 <td>6.0 and below</td> 349 <td>Aug 19, 2015</td> 350 </tr> 351</table> 352 353 354<h3 id=elevation_of_privilege_vulnerability_in_libmedia>Elevation of Privilege Vulnerability in libmedia</h3> 355 356 357<p>There is a vulnerability in libmedia that can enable a local malicious 358application to execute arbitrary code within the context of the mediaserver 359service. This issue is rated as High severity because it can be used to access 360privileges which are not directly accessible to a third-party application. </p> 361<table> 362 <tr> 363 <th>CVE</th> 364 <th>Bug(s) with AOSP links</th> 365 <th>Severity</th> 366 <th>Affected versions</th> 367 <th>Date reported</th> 368 </tr> 369 <tr> 370 <td>CVE-2015-6612</td> 371 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/4b219e9e5ab237eec9931497cf10db4d78982d84">ANDROID-23540426</a></td> 372 <td>High</td> 373 <td>6.0 and below</td> 374 <td>Aug 23, 2015</td> 375 </tr> 376</table> 377 378 379<h3 id=elevation_of_privilege_vulnerability_in_bluetooth>Elevation of Privilege Vulnerability in Bluetooth</h3> 380 381 382<p>There is a vulnerability in Bluetooth that can enable a local application to 383send commands to a listening debug port on the device. This issue is rated as 384High severity because it can be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> 385<table> 386 <tr> 387 <th>CVE</th> 388 <th>Bug(s) with AOSP links</th> 389 <th>Severity</th> 390 <th>Affected versions</th> 391 <th>Date reported</th> 392 </tr> 393 <tr> 394 <td>CVE-2015-6613</td> 395 <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fbt/+/74dad51510f7d7b05c6617ef88168bf0bbdf3fcd">ANDROID-24371736</a></td> 396 <td>High</td> 397 <td>6.0</td> 398 <td>Google Internal</td> 399 </tr> 400</table> 401 402 403<h3 id=elevation_of_privilege_vulnerability_in_telephony> 404Elevation Of Privilege Vulnerability in Telephony</h3> 405 406 407<p>A vulnerability in the Telephony component that can enable a local malicious 408application to pass unauthorized data to the restricted network interfaces, 409potentially impacting data charges. It could also prevent the device from 410receiving calls as well as allowing an attacker to control the mute settings of 411calls. This issue is rated as Moderate severity because it can be used to 412improperly gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>” permissions. </p> 413<table> 414 <tr> 415 <th>CVE</th> 416 <th>Bug(s) with AOSP links</th> 417 <th>Severity</th> 418 <th>Affected versions</th> 419 <th>Date reported</th> 420 </tr> 421 <tr> 422 <td>CVE-2015-6614</td> 423 <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fopt%2Ftelephony/+/70dd1f77873913635288e513564a6c93ae4d0a26">ANDROID-21900139</a> 424[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/a12044215b1148826ea9a88d5d1102378b13922f">2</a>] 425[<a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/2b6af396ad14def9a967f62cccc87ee715823bb1">3</a>]</td> 426 <td>Moderate</td> 427 <td>5.0, 5.1</td> 428 <td>Jun 8, 2015</td> 429 </tr> 430</table> 431 432 433<h3 id=common_questions_and_answers>Common Questions and Answers</h3> 434 435 436<p>This section will review answers to common questions that may occur after 437reading this bulletin.</p> 438 439<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> 440 441<p>Builds LMY48X or later and Android Marshmallow with Security Patch Level of 442November 1, 2015 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device 443manufacturers that include these updates should set the patch string level to: 444[ro.build.version.security_patch]:[2015-11-01]</p> 445 446<h2 id=revisions>Revisions</h2> 447 448<ul> 449 <li> November 02, 2015: Originally Published 450</ul> 451