• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=Nexus Security Bulletin - February 2016
2@jd:body
3
4<!--
5    Copyright 2016 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23   </ol>
24  </div>
25</div>
26
27<p><em>Published February 01, 2016 | Updated February 2, 2016</em></p>
28
29<p>We have released a security update to Nexus devices through an over-the-air
30(OTA) update as part of our Android Security Bulletin Monthly Release process.
31The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49G or later and Android M with Security Patch Level of February 1,
322016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level.</p>
33
34<p>Partners were notified about the issues described in the bulletin on January 4,
352016 or earlier. Where applicable, source code patches for these issues have been
36released to the Android Open Source Project (AOSP) repository.</p>
37
38<p>The most severe of these issues is a Critical security vulnerability that could
39enable remote code execution on an affected device through multiple methods
40such as email, web browsing, and MMS when processing media files. The Remote Code
41Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as
42it could allow remote code execution on an affected device while connected to
43the same network as the attacker.</p>
44
45<p>We have had no reports of active customer exploitation of these newly reported
46issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
47Android platform. We encourage all customers to accept these updates to their
48devices.</p>
49
50<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>
51
52
53<p>The table below contains a list of security vulnerabilities, the Common
54Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="https://source.android.com/security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would possibly have
55on an affected device, assuming the platform and service mitigations are
56disabled for development purposes or if successfully bypassed.</p>
57<table>
58 <tr>
59    <th>Issue</th>
60    <th>CVE</th>
61    <th>Severity</th>
62 </tr>
63 <tr>
64    <td>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</td>
65    <td>CVE-2016-0801<br />
66        CVE-2016-0802</td>
67    <td>Critical</td>
68 </tr>
69 <tr>
70    <td>Remote Code Execution Vulnerability in Mediaserver</td>
71    <td>CVE-2016-0803<br />
72        CVE-2016-0804</td>
73    <td>Critical</td>
74 </tr>
75 <tr>
76    <td>Elevation of Privilege Vulnerability in Qualcomm Performance Module</td>
77    <td>CVE-2016-0805</td>
78    <td>Critical</td>
79 </tr>
80 <tr>
81    <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td>
82    <td>CVE-2016-0806</td>
83    <td>Critical</td>
84 </tr>
85 <tr>
86    <td>Elevation of Privilege Vulnerability in the Debugger Daemon</td>
87    <td>CVE-2016-0807</td>
88    <td>Critical</td>
89 </tr>
90 <tr>
91    <td>Denial of Service Vulnerability in Minikin</td>
92    <td>CVE-2016-0808</td>
93    <td>High</td>
94 </tr>
95 <tr>
96    <td>Elevation of Privilege Vulnerability in Wi-Fi</td>
97    <td>CVE-2016-0809</td>
98    <td>High</td>
99 </tr>
100 <tr>
101    <td>Elevation of Privilege Vulnerability in Mediaserver</td>
102    <td>CVE-2016-0810</td>
103    <td>High</td>
104 </tr>
105 <tr>
106    <td>Information Disclosure Vulnerability in libmediaplayerservice</td>
107    <td>CVE-2016-0811</td>
108    <td>High</td>
109 </tr>
110 <tr>
111    <td>Elevation of Privilege Vulnerability in Setup Wizard</td>
112    <td>CVE-2016-0812<br />
113        CVE-2016-0813</td>
114    <td>Moderate</td>
115 </tr>
116</table>
117
118
119<h3 id=mitigations>Mitigations</h3>
120
121
122<p>This is a summary of the mitigations provided by the <a href="https://source.android.com/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
123likelihood that security vulnerabilities could be successfully exploited on
124Android.</p>
125
126<ul>
127  <li> Exploitation for many issues on Android is made more difficult by enhancements
128in newer versions of the Android platform. We encourage all users to update to
129the latest version of Android where possible.
130  <li> The Android Security team is actively monitoring for abuse with Verify Apps and
131SafetyNet which will warn about potentially harmful applications about to be
132installed. Device rooting tools are prohibited within Google Play. To protect
133users who install applications from outside of Google Play, Verify Apps is
134enabled by default and will warn users about known rooting applications. Verify
135Apps attempts to identify and block installation of known malicious
136applications that exploit a privilege escalation vulnerability. If such an
137application has already been installed, Verify Apps will notify the user and
138attempt to remove any such applications.
139  <li> As appropriate, Google Hangouts and Messenger applications do not automatically
140pass media to processes such as mediaserver.
141</ul>
142
143<h3 id=acknowledgements>Acknowledgements</h3>
144
145
146<p>We would like to thank these researchers for their contributions:</p>
147
148<ul>
149  <li> Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810
150  <li> Broadgate Team: CVE-2016-0801, CVE-2015-0802
151  <li> David Riley of the Google Pixel C Team: CVE-2016-0812
152  <li> Dongkwan Kim (<a href="mailto:dkay@kaist.ac.kr">dkay@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614
153  <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>)
154       of Lab IceSword, Qihoo 360: CVE-2016-0805
155  <li> Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614
156  <li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of
157       KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811
158  <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>)
159       of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803
160  <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808
161  <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807
162</ul>
163
164<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>
165
166
167<p>In the sections below, we provide details for each of the security
168vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a>
169above. There is a description of the issue, a severity rationale, and a table
170with the CVE, associated bug, severity, affected versions, and date reported.
171When available, we will link the AOSP commit that addressed the issue to the
172bug ID. When multiple changes relate to a single bug, additional AOSP
173references are linked to numbers following the bug ID.</p>
174
175<h3 id=remote_code_execution_vulnerability_in_broadcom_wi-fi_driver>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</h3>
176
177
178<p>Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could
179allow a remote attacker to use specially crafted wireless control message
180packets to corrupt kernel memory in a way that leads to remote code execution
181in the context of the kernel. These vulnerabilities can be triggered when the
182attacker and the victim are associated with the same network. This issue is
183rated as a Critical severity due to the possibility of remote code execution in
184the context of the kernel without requiring user interaction.</p>
185<table>
186 <tr>
187    <th>CVE</th>
188    <th>Bugs</th>
189    <th>Severity</th>
190    <th>Updated versions</th>
191    <th>Date reported</th>
192 </tr>
193 <tr>
194    <td>CVE-2016-0801</td>
195    <td>ANDROID-25662029*</td>
196    <td>Critical</td>
197    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
198    <td>Oct 25, 2015</td>
199 </tr>
200 <tr>
201    <td>CVE-2016-0802</td>
202    <td>ANDROID-25306181*</td>
203    <td>Critical</td>
204    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
205    <td>Oct 26,2015</td>
206 </tr>
207</table>
208<p>* The patch for this issue is not in AOSP. The update is contained in the
209latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
210
211<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>
212
213
214<p>During media file and data processing of a specially crafted file,
215vulnerabilities in mediaserver could allow an attacker to cause memory
216corruption and remote code execution as the mediaserver process.</p>
217
218<p>The affected functionality is provided as a core part of the operating system
219and there are multiple applications that allow it to be reached with remote
220content, most notably MMS and browser playback of media.</p>
221
222<p>This issue is rated as a Critical severity due to the possibility of remote
223code execution within the context of the mediaserver service. The mediaserver
224service has access to audio and video streams as well as access to privileges
225that third-party apps cannot normally access.</p>
226<table>
227 <tr>
228    <th>CVE</th>
229    <th>Bugs with AOSP links</th>
230    <th>Severity</th>
231    <th>Updated versions</th>
232    <th>Date reported</th>
233 </tr>
234 <tr>
235    <td>CVE-2016-0803</td>
236    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/50270d98e26fa18b20ca88216c3526667b724ba7">ANDROID-25812794</a></td>
237    <td>Critical</td>
238    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
239    <td>Nov 19, 2015</td>
240 </tr>
241 <tr>
242    <td>CVE-2016-0804</td>
243    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/224858e719d045c8554856b12c4ab73d2375cf33">ANDROID-25070434</a></td>
244    <td>Critical</td>
245    <td>5.0, 5.1.1, 6.0, 6.0.1</td>
246    <td>Oct 12, 2015</td>
247 </tr>
248</table>
249
250
251<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3>
252
253
254<p>An elevation of privilege vulnerability in the performance event manager
255component for ARM processors from Qualcomm could enable a local malicious
256application to execute arbitrary code within the kernel. This issue is rated as
257a Critical severity due to the possibility of a local permanent device
258compromise and the device would possibly need to be repaired by re-flashing the
259operating system.</p>
260<table>
261 <tr>
262    <th>CVE</th>
263    <th>Bug</th>
264    <th>Severity</th>
265    <th>Updated versions</th>
266    <th>Date reported</th>
267 </tr>
268 <tr>
269    <td>CVE-2016-0805</td>
270    <td>ANDROID-25773204*</td>
271    <td>Critical</td>
272    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
273    <td>Nov 15, 2015</td>
274 </tr>
275</table>
276
277<p>* The patch for this issue is not in AOSP. The update is contained in the
278latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
279
280<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3>
281
282
283<p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local
284malicious application to execute arbitrary code within the context of the
285kernel. This issue is rated as a Critical severity due to the possibility of a
286local permanent device compromise and the device would possibly need to be
287repaired by re-flashing the operating system.</p>
288<table>
289 <tr>
290    <th>CVE</th>
291    <th>Bug</th>
292    <th>Severity</th>
293    <th>Updated versions</th>
294    <th>Date reported</th>
295 </tr>
296 <tr>
297    <td>CVE-2016-0806</td>
298    <td>ANDROID-25344453*</td>
299    <td>Critical</td>
300    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
301    <td>Nov 15, 2015</td>
302 </tr>
303</table>
304
305<p>* The patch for this issue is not in AOSP. The update is contained in the
306latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
307
308<h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd </h3>
309
310
311<p>An elevation of privilege vulnerability in the Debuggerd component could enable
312a local malicious application to execute arbitrary code within the device root
313context. This issue is rated as a Critical severity due to the possibility of a
314local permanent device compromise and the device would possibly need to be
315repaired by re-flashing the operating system.</p>
316<table>
317 <tr>
318    <th>CVE</th>
319    <th>Bug with AOSP link</th>
320    <th>Severity</th>
321    <th>Updated versions</th>
322    <th>Date reported</th>
323 </tr>
324 <tr>
325    <td>CVE-2016-0807</td>
326    <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/d917514bd6b270df431ea4e781a865764d406120">ANDROID-25187394</a></td>
327    <td>Critical</td>
328    <td>6.0 and 6.0.1</td>
329    <td>Google Internal</td>
330 </tr>
331</table>
332
333
334<h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3>
335
336
337<p>A denial of service vulnerability in the Minikin library could allow a local
338attacker to temporarily block access to an affected device. An attacker could
339cause an untrusted font to be loaded and cause an overflow in the Minikin
340component which leads to a crash. This is rated as a high severity because
341Denial of Service leads to a continuous reboot loop.</p>
342<table>
343 <tr>
344    <th>CVE</th>
345    <th>Bug with AOSP link</th>
346    <th>Severity</th>
347    <th>Updated versions</th>
348    <th>Date reported</th>
349 </tr>
350 <tr>
351    <td>CVE-2016-0808</td>
352    <td><a href="https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b">ANDROID-25645298</a></td>
353    <td>High</td>
354    <td>5.0, 5.1.1, 6.0, 6.0.1</td>
355    <td>Nov 3, 2015</td>
356 </tr>
357</table>
358
359
360<h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3>
361
362
363<p>An elevation of privilege vulnerability in the Wi-Fi component could enable a
364local malicious application to execute arbitrary code within the System
365context. A device is only vulnerable to this issue while in local proximity.
366This issue is rated as High severity because it could be used to gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>” capabilities remotely. Generally, these permissions are accessible only to
367third-party applications installed locally.</p>
368<table>
369 <tr>
370    <th>CVE</th>
371    <th>Bug with AOSP link</th>
372    <th>Severity</th>
373    <th>Updated versions</th>
374    <th>Date reported</th>
375 </tr>
376 <tr>
377    <td>CVE-2016-0809</td>
378    <td><a href="https://android.googlesource.com/platform/hardware/broadcom/wlan/+/2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1%5E%21/#F0">ANDROID-25753768</a></td>
379    <td>High</td>
380    <td>6.0, 6.0.1</td>
381    <td>Google Internal</td>
382 </tr>
383</table>
384
385
386<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3>
387
388
389<p>An elevation of privilege vulnerability in mediaserver could enable a local
390malicious application to execute arbitrary code within the context of an
391elevated system application. This issue is rated as High severity because it
392could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
393<table>
394 <tr>
395    <th>CVE</th>
396    <th>Bug with AOSP link</th>
397    <th>Severity</th>
398    <th>Updated versions</th>
399    <th>Date reported</th>
400 </tr>
401 <tr>
402    <td>CVE-2016-0810</td>
403    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/19c47afbc402542720ddd280e1bbde3b2277b586">ANDROID-25781119</a></td>
404    <td>High</td>
405    <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
406    <td>Google Internal</td>
407 </tr>
408</table>
409
410
411<h3 id=information_disclosure_vulnerability_in_libmediaplayerservice>Information Disclosure Vulnerability in libmediaplayerservice </h3>
412
413
414<p>An information disclosure vulnerability in libmediaplayerservice could permit a
415bypass of security measures in place to increase the difficulty of attackers
416exploiting the platform. These issues are rated as High severity because they
417could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
418<table>
419 <tr>
420    <th>CVE</th>
421    <th>Bug with AOSP link</th>
422    <th>Severity</th>
423    <th>Updated versions</th>
424    <th>Date reported</th>
425 </tr>
426 <tr>
427    <td>CVE-2016-0811</td>
428    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/22f824feac43d5758f9a70b77f2aca840ba62c3b">ANDROID-25800375</a></td>
429    <td>High</td>
430    <td>6.0, 6.0.1</td>
431    <td>Nov 16, 2015</td>
432 </tr>
433</table>
434
435
436<h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3>
437
438
439<p>A vulnerability in the Setup Wizard could allow a malicious attacker to bypass
440the Factory Reset Protection and gain access to the device. This is rated as a
441Moderate severity because it potentially allows someone with physical access to
442a device to bypass the Factory Reset Protection, which enables an attacker to
443successfully reset a device, erasing all data.</p>
444<table>
445 <tr>
446    <th>CVE</th>
447    <th>Bugs with AOSP links</th>
448    <th>Severity</th>
449    <th>Updated versions</th>
450    <th>Date reported</th>
451 </tr>
452 <tr>
453    <td>CVE-2016-0812</td>
454    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/84669ca8de55d38073a0dcb01074233b0a417541">ANDROID-25229538</a></td>
455    <td>Moderate</td>
456    <td>5.1.1, 6.0</td>
457    <td>Google Internal</td>
458 </tr>
459 <tr>
460    <td>CVE-2016-0813</td>
461    <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/16a76dadcc23a13223e9c2216dad1fe5cad7d6e1">ANDROID-25476219</a></td>
462    <td>Moderate</td>
463    <td>5.1.1, 6.0, 6.0.1</td>
464    <td>Google Internal</td>
465 </tr>
466</table>
467
468<h3 id=common_questions_and_answers>Common Questions and Answers</strong></h3>
469
470<p>This section reviews answers to common questions that may occur after reading
471this bulletin.</p>
472
473<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>
474
475<p>Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1,
4762016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device
477manufacturers that include these updates should set the patch string level to:
478[ro.build.version.security_patch]:[2016-02-01]</p>
479
480<h2 id=revisions>Revisions</h2>
481
482
483<ul>
484  <li> February 01, 2016: Bulletin published.
485  <li> February 02, 2016:  Bulletin revised to include AOSP links.
486