diff options
author | Danielle Roberts <daroberts@google.com> | 2016-01-26 18:21:00 -0800 |
---|---|---|
committer | Danielle Roberts <daroberts@google.com> | 2016-02-02 10:36:53 -0800 |
commit | 17648a1b8c330df7a8974a9bf2d71f5ea1b02440 (patch) | |
tree | 042d1b59a5f941dd9a105bfe17bcf76109e5771c | |
parent | fbc273148c413d5c155276d9802dfbb0b36faf12 (diff) | |
download | source.android.com-17648a1b8c330df7a8974a9bf2d71f5ea1b02440.tar.gz |
Docs: February 2016 security bulletin
Bug: 26411900
Change-Id: I5390bfbece941df934745063931179feaeee87f9
-rw-r--r-- | src/security/bulletin/2016-01-01.jd | 2 | ||||
-rw-r--r-- | src/security/bulletin/2016-02-01.jd | 484 | ||||
-rw-r--r-- | src/security/bulletin/index.jd | 5 | ||||
-rw-r--r-- | src/security/overview/acknowledgements.jd | 18 | ||||
-rw-r--r-- | src/security/security_toc.cs | 1 |
5 files changed, 509 insertions, 1 deletions
diff --git a/src/security/bulletin/2016-01-01.jd b/src/security/bulletin/2016-01-01.jd index 87ba6575..9878d747 100644 --- a/src/security/bulletin/2016-01-01.jd +++ b/src/security/bulletin/2016-01-01.jd @@ -257,7 +257,7 @@ possibly need to be repaired by re-flashing the operating system.</p> <td>CVE-2015-6638</td> <td>ANDROID-24673908*</td> <td>Critical</td> - <td>5.0, 5.5.1, 6.0, 6.0.1</td> + <td>5.0, 5.1.1, 6.0, 6.0.1</td> <td>Google Internal</td> </tr> </table> diff --git a/src/security/bulletin/2016-02-01.jd b/src/security/bulletin/2016-02-01.jd new file mode 100644 index 00000000..b209d6e9 --- /dev/null +++ b/src/security/bulletin/2016-02-01.jd @@ -0,0 +1,484 @@ +page.title=Nexus Security Bulletin - February 2016 +@jd:body + +<!-- + Copyright 2016 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<div id="qv-wrapper"> + <div id="qv"> + <h2>In this document</h2> + <ol id="auto-toc"> + </ol> + </div> +</div> + +<p><em>Published February 01, 2016</em></p> + +<p>We have released a security update to Nexus devices through an over-the-air +(OTA) update as part of our Android Security Bulletin Monthly Release process. +The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49G or later and Android M with Security Patch Level of February 1, +2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level.</p> + +<p>Partners were notified about the issues described in the bulletin on January 4, +2016 or earlier. Source code patches for these issues will be released to the +Android Open Source Project (AOSP) repository over the next 48 hours. We will +revise this bulletin with the AOSP links when they are available.</p> + +<p>The most severe of these issues is a Critical security vulnerability that could +enable remote code execution on an affected device through multiple methods +such as email, web browsing, and MMS when processing media files. The Remote Code +Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as +it could allow remote code execution on an affected device while in Wi-Fi radio range.</p> + +<p>We have had no reports of active customer exploitation of these newly reported +issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the +Android platform. We encourage all customers to accept these updates to their +devices.</p> + +<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2> + + +<p>The table below contains a list of security vulnerabilities, the Common +Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="https://source.android.com/security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would possibly have +on an affected device, assuming the platform and service mitigations are +disabled for development purposes or if successfully bypassed.</p> +<table> + <tr> + <th>Issue</th> + <th>CVE</th> + <th>Severity</th> + </tr> + <tr> + <td>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</td> + <td>CVE-2016-0801<br /> + CVE-2016-0802</td> + <td>Critical</td> + </tr> + <tr> + <td>Remote Code Execution Vulnerability in Mediaserver</td> + <td>CVE-2016-0803<br /> + CVE-2016-0804</td> + <td>Critical</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in Qualcomm Performance Module</td> + <td>CVE-2016-0805</td> + <td>Critical</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td> + <td>CVE-2016-0806</td> + <td>Critical</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in the Debugger Daemon</td> + <td>CVE-2016-0807</td> + <td>Critical</td> + </tr> + <tr> + <td>Denial of Service Vulnerability in Minikin</td> + <td>CVE-2016-0808</td> + <td>High</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in Wi-Fi</td> + <td>CVE-2016-0809</td> + <td>High</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in Mediaserver</td> + <td>CVE-2016-0810</td> + <td>High</td> + </tr> + <tr> + <td>Information Disclosure Vulnerability in libmediaplayerservice</td> + <td>CVE-2016-0811</td> + <td>High</td> + </tr> + <tr> + <td>Elevation of Privilege Vulnerability in Setup Wizard</td> + <td>CVE-2016-0812<br /> + CVE-2016-0813</td> + <td>Moderate</td> + </tr> +</table> + + +<h3 id=mitigations>Mitigations</h3> + + +<p>This is a summary of the mitigations provided by the <a href="https://source.android.com/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the +likelihood that security vulnerabilities could be successfully exploited on +Android.</p> + +<ul> + <li> Exploitation for many issues on Android is made more difficult by enhancements +in newer versions of the Android platform. We encourage all users to update to +the latest version of Android where possible. + <li> The Android Security team is actively monitoring for abuse with Verify Apps and +SafetyNet which will warn about potentially harmful applications about to be +installed. Device rooting tools are prohibited within Google Play. To protect +users who install applications from outside of Google Play, Verify Apps is +enabled by default and will warn users about known rooting applications. Verify +Apps attempts to identify and block installation of known malicious +applications that exploit a privilege escalation vulnerability. If such an +application has already been installed, Verify Apps will notify the user and +attempt to remove any such applications. + <li> As appropriate, Google Hangouts and Messenger applications do not automatically +pass media to processes such as mediaserver. +</ul> + +<h3 id=acknowledgements>Acknowledgements</h3> + + +<p>We would like to thank these researchers for their contributions:</p> + +<ul> + <li> Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810 + <li> Broadgate Team: CVE-2016-0801, CVE-2015-0802 + <li> David Riley of the Google Pixel C Team: CVE-2016-0812 + <li> Dongkwan Kim (<a href="mailto:dkay@kaist.ac.kr">dkay@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614 + <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd : CVE-2016-0805 + <li> Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614 + <li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of + KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811 + <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803 + <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808 + <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807 +</ul> + +<h2 id=security_vulnerability_details>Security Vulnerability Details</h2> + + +<p>In the sections below, we provide details for each of the security +vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a> +above. There is a description of the issue, a severity rationale, and a table +with the CVE, associated bug, severity, affected versions, and date reported. +When available, we will link the AOSP commit that addressed the issue to the +bug ID. When multiple changes relate to a single bug, additional AOSP +references are linked to numbers following the bug ID.</p> + +<h3 id=remote_code_execution_vulnerability_in_broadcom_wi-fi_driver>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</h3> + + +<p>Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could +allow a remote attacker to use specially crafted wireless control message +packets to corrupt kernel memory in a way that leads to remote code execution +in the context of the kernel. These vulnerabilities can be triggered when the +attacker and the victim are associated with the same network. This issue is +rated as a Critical severity due to the possibility of remote code execution in +the context of the kernel without requiring user interaction.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0801</td> + <td>ANDROID-25662029</td> + <td>Critical</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Oct 25, 2015</td> + </tr> + <tr> + <td>CVE-2016-0802</td> + <td>ANDROID-25306181</td> + <td>Critical</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Oct 26,2015</td> + </tr> +</table> + + +<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3> + + +<p>During media file and data processing of a specially crafted file, +vulnerabilities in mediaserver could allow an attacker to cause memory +corruption and remote code execution as the mediaserver process.</p> + +<p>The affected functionality is provided as a core part of the operating system +and there are multiple applications that allow it to be reached with remote +content, most notably MMS and browser playback of media.</p> + +<p>This issue is rated as a Critical severity due to the possibility of remote +code execution within the context of the mediaserver service. The mediaserver +service has access to audio and video streams as well as access to privileges +that third-party apps cannot normally access.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0803</td> + <td>ANDROID-25812794</td> + <td>Critical</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Nov 19, 2015</td> + </tr> + <tr> + <td>CVE-2016-0804</td> + <td>ANDROID-25070434</td> + <td>Critical</td> + <td>5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Oct 12, 2015</td> + </tr> +</table> + + +<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3> + + +<p>An elevation of privilege vulnerability in the performance event manager +component for ARM processors from Qualcomm could enable a local malicious +application to execute arbitrary code within the kernel. This issue is rated as +a Critical severity due to the possibility of a local permanent device +compromise and the device would possibly need to be repaired by re-flashing the +operating system.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0805</td> + <td>ANDROID-25773204</td> + <td>Critical</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Nov 15, 2015</td> + </tr> +</table> + + +<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm WiFi Driver</h3> + + +<p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local +malicious application to execute arbitrary code within the context of the +kernel. This issue is rated as a Critical severity due to the possibility of a +local permanent device compromise and the device would possibly need to be +repaired by re-flashing the operating system.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0806</td> + <td>ANDROID-25344453</td> + <td>Critical</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Nov 15, 2015</td> + </tr> +</table> + + +<h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd </h3> + + +<p>An elevation of privilege vulnerability in the Debuggerd component could enable +a local malicious application to execute arbitrary code within the device root +context. This issue is rated as a Critical severity due to the possibility of a +local permanent device compromise and the device would possibly need to be +repaired by re-flashing the operating system.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0807</td> + <td>ANDROID-25187394</td> + <td>Critical</td> + <td>6.0 and 6.0.1</td> + <td>Google Internal</td> + </tr> +</table> + + +<h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3> + + +<p>A denial of service vulnerability in the Minikin library could allow a local +attacker to temporarily block access to an affected device. An attacker could +cause an untrusted font to be loaded and cause an overflow in the Minikin +component which leads to a crash. This is rated as a high severity because +Denial of Service leads to a continuous reboot loop.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0808</td> + <td>ANDROID-25645298</td> + <td>High</td> + <td>5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Nov 3, 2015</td> + </tr> +</table> + + +<h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3> + + +<p>An elevation of privilege vulnerability in the Wi-Fi component could enable a +local malicious application to execute arbitrary code within the System +context. A device is only vulnerable to this issue while in local proximity. +This issue is rated as High severity because it could be used to gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>” capabilities remotely. Generally, these permissions are accessible only to +third-party applications installed locally.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0809</td> + <td>ANDROID-25753768</td> + <td>High</td> + <td>6.0, 6.0.1</td> + <td>Google Internal</td> + </tr> +</table> + + +<p> +</p> + +<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3> + + +<p>An elevation of privilege vulnerability in mediaserver could enable a local +malicious application to execute arbitrary code within the context of an +elevated system application. This issue is rated as High severity because it +could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0810</td> + <td>ANDROID-25781119</td> + <td>High</td> + <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td> + <td>Google Internal</td> + </tr> +</table> + + +<h3 id=information_disclosure_vulnerability_in_libmediaplayerservice>Information Disclosure Vulnerability in libmediaplayerservice </h3> + + +<p>An information disclosure vulnerability in libmediaplayerservice could permit a +bypass of security measures in place to increase the difficulty of attackers +exploiting the platform. These issues are rated as High severity because they +could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0811</td> + <td>ANDROID-25800375</td> + <td>High</td> + <td>6.0, 6.0.1</td> + <td>Nov 16, 2015</td> + </tr> +</table> + + +<h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3> + + +<p>A vulnerability in the Setup Wizard could allow a malicious attacker to bypass +the Factory Reset Protection and gain access to the device. This is rated as a +Moderate severity because it potentially allows someone with physical access to +a device to bypass the Factory Reset Protection, which enables an attacker to +successfully reset a device, erasing all data.</p> +<table> + <tr> + <th>CVE</th> + <th>Bug(s)</th> + <th>Severity</th> + <th>Updated versions</th> + <th>Date reported</th> + </tr> + <tr> + <td>CVE-2016-0812</td> + <td>ANDROID-25229538</td> + <td>Moderate</td> + <td>5.1.1, 6.0</td> + <td>Google Internal</td> + </tr> + <tr> + <td>CVE-2016-0813</td> + <td>ANDROID-25476219</td> + <td>Moderate</td> + <td>5.1.1, 6.0, 6.0.1</td> + <td>Google Internal</td> + </tr> +</table> + + +<p> +</p> + +<p><strong>Common Questions and Answers</strong></p> + +<p>This section reviews answers to common questions that may occur after reading +this bulletin.</p> + +<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> + +<p>Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1, +2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device +manufacturers that include these updates should set the patch string level to: +[ro.build.version.security_patch]:[2016-02-01]</p> + +<h2 id=revisions>Revisions</h2> + + +<ul> + <li> February 01, 2016: Bulletin published. diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd index 7e1e96cd..25682ebc 100644 --- a/src/security/bulletin/index.jd +++ b/src/security/bulletin/index.jd @@ -33,6 +33,11 @@ month to the<a href="https://developers.google.com/android/nexus/images"> Google <th>Android Security Patch Level</th> </tr> <tr> + <td><a href="2016-02-01.html">February 2016</a></td> + <td>February 1, 2016</td> + <td>February 1, 2016: [2016-02-01]</td> + </tr> + <tr> <td><a href="2016-01-01.html">January 2016</a></td> <td>January 4, 2016</td> <td>January 1, 2016: [2016-01-01]</td> diff --git a/src/security/overview/acknowledgements.jd b/src/security/overview/acknowledgements.jd index 22eb8a8f..a74be9e8 100644 --- a/src/security/overview/acknowledgements.jd +++ b/src/security/overview/acknowledgements.jd @@ -40,8 +40,18 @@ Rewards</a> program.</p> <p>Abhishek Arya of Google Chrome Security Team</p> +<p>Broadgate Team</p> + +<p>David Riley of the Google Pixel C Team</p> + +<p>Dongkwan Kim (<a href="mailto:dkay@kaist.ac.kr">dkay@kaist.ac.kr</a>) of System Security Lab, KAIST</p> + <p>Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>, <a href="http://bits-please.blogspot.com/">http://bits-please.blogspot.com</a>)</p> +<p>Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd</p> + +<p>Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST</p> + <p>Jann Horn (<a href="https://thejh.net/">https://thejh.net</a>)</p> <p>jfang of KEEN lab, Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>)</p> @@ -54,12 +64,20 @@ Rewards</a> program.</p> <p>Quan Nguyen of Google Information Security Engineer Team</p> +<p>Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p> + <p>Sen Nie (<a href="https://twitter.com/@nforest_">@nforest_</a>) of KEEN lab, Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>)</p> +<p>Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>)</p> + <p>Tom Craig of Google X</p> +<p>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc</p> + <p>Yabin Cui from Android Bionic Team</p> +<p>Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team</p> + </div> <h2 id=2015>2015</h2> diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs index cf74b3d0..805905c6 100644 --- a/src/security/security_toc.cs +++ b/src/security/security_toc.cs @@ -50,6 +50,7 @@ </a> </div> <ul> + <li><a href="<?cs var:toroot ?>security/bulletin/2016-02-01.html">February 2016</a></li> <li><a href="<?cs var:toroot ?>security/bulletin/2016-01-01.html">January 2016</a></li> <li><a href="<?cs var:toroot ?>security/bulletin/2015-12-01.html">December 2015</a></li> <li><a href="<?cs var:toroot ?>security/bulletin/2015-11-01.html">November 2015</a></li> |