Nexus Security Bulletin (September 2015)

Posted by Android Security Updates, 09/09/15 13:17

Nexus Security Bulletin - September 2015

Published September 9, 2015


We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process (Build LMY48M). The updates for Nexus devices and source code patches for these issues have also been released to the Android Open Source Project (AOSP) source repository. The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device.


We have not detected customer exploitation of the newly reported issues. The exception is the existing kernel issue (CVE-2015-3636), which is already being exploited. Refer to the Mitigations section for details on the Android security platform protections, and service protections such as SafetyNet, which reduce the likelihood that security vulnerabilities can be successfully exploited on Android.


Please note that both Critical security updates (CVE-2015-3864 and CVE-2015-3636) address already disclosed vulnerabilities. There are no newly disclosed Critical security vulnerabilities in this update. We encourage all customers to accept these updates to their devices.


Security vulnerability summary


Title | CVE | Severity | Active Exploitation
Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No
Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes
Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No
Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No
Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No
Elevation of Privilege Vulnerability in SMS enables notification bypass | CVE-2015-3858 | High | No
Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No
Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No

The severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.


Mitigations:

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities can be successfully exploited on Android.


- Remote exploitation for many issues on Android versions 4.1 (Jelly Bean) and higher is mitigated by enhancements in the Address Space Layout Randomization (ASLR) algorithm used in those versions. Android 5.0 improved ASLR by requiring PIE (position-independent executable) for all dynamically linked executables, further strengthening the ASLR protection. We encourage all users to update to the latest version of Android where possible.


- The Android Security team is actively monitoring for abuse of these issues with Verify Apps and SafetyNet, which warn about potentially harmful applications about to be installed. Device “rooting” tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps will block installation of known “malicious” applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will attempt to automatically remove it and notify the user.


- As appropriate, Google has updated the Hangouts and Messenger applications so that media is not automatically passed to vulnerable processes (such as Mediaserver).
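The PIE requirement in the first mitigation bullet can be verified directly from a binary's ELF header. The following Python is an added example, not code from the bulletin or from AOSP: it parses the ELF header and program headers of an image and classifies a dynamically linked executable as PIE (ET_DYN with a PT_INTERP entry) or as a fixed-address, non-PIE executable; the ELF images it builds are constructed inline purely for illustration.

```python
import struct

# Constants from the ELF specification (e_type values and the PT_INTERP segment type).
ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Return 'pie', 'non-pie-exec', 'static-exec', 'shared-object' or 'other'.

    A dynamically linked executable only gets full ASLR (the Android 5.0 PIE
    requirement) when it is ET_DYN *and* carries a PT_INTERP program header.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first field of a program header in both ELF32 and ELF64.
    has_interp = any(
        struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum)
    )
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared-object"
    if e_type == ET_EXEC:
        return "non-pie-exec" if has_interp else "static-exec"
    return "other"

def make_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed (not real) minimal little-endian ELF64 image for exercising the check."""
    phdrs = [(1, 5, 0, 0, 0, 0, 0, 0x1000)]                 # one PT_LOAD segment
    if with_interp:
        phdrs.insert(0, (PT_INTERP, 4, 0, 0, 0, 0, 0, 1))   # PT_INTERP marks a dynamic executable
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # ELF64, little-endian, version 1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0xB7, 1, 0, 64, 0, 0,
                         64, 56, len(phdrs), 0, 0, 0)       # program headers start at offset 64
    return header + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    # On a device the same check can be run over binaries pulled from /system/bin.
    for label, img in [("pie", make_elf64(ET_DYN, True)), ("non-pie", make_elf64(ET_EXEC, True))]:
        print(label, "->", classify_elf(img))
```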


Acknowledgements

We would like to thank these researchers for their contributions:


  • Jordan Gruskovnjak of Exodus Intelligence (@jgrusko): CVE-2015-3864

  • Michał Bednarski: CVE-2015-3845

  • Guang Gong of Qihoo 360 Technology Co. Ltd (@oldfresher): CVE-2015-1528

  • Brennan Lautner: CVE-2015-3863

  • jgor (@indiecom): CVE-2015-3860

  • Wish Wu of Trend Micro Inc. (@wish_wu): CVE-2015-3861


Security Vulnerability Details

Remote Code Execution Vulnerability in Mediaserver

CVE: CVE-2015-3864
Bug: ANDROID-23034759
Severity: Critical
Partners Notified: Aug 13, 2015 (Bulletin 2015-13)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

While processing a specially crafted media file, a vulnerability in mediaserver could allow an attacker to cause memory corruption and potentially achieve remote code execution as the mediaserver process.


The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.


This issue is rated as Critical severity due to the possibility of remote code execution as the privileged mediaserver service. The mediaserver service has access to audio and video streams as well as privileges that third-party apps cannot normally access.


This issue is related to the already reported CVE-2015-3824 (ANDROID-20923261). The original security update was not sufficient to address a variant of the originally reported issue.



Elevation of Privilege Vulnerability in Kernel

CVE: CVE-2015-3636
Bug: ANDROID-20770158
Severity: Critical
Partners Notified: May 4, 2015 (Bulletin 2015-07)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in the Linux kernel's handling of ping sockets could allow a malicious application to execute arbitrary code in the context of the kernel. This issue is rated as Critical severity due to the possibility of code execution in a privileged service that can bypass device protections, potentially leading to permanent compromise (i.e., requiring re-flashing the system partition) on some devices.


This issue was first publicly identified on May 01, 2015. An exploit of this vulnerability has been included in a number of “rooting” tools that may be used by the device owner to modify the firmware on their device.


Elevation of Privilege Vulnerability in Binder

CVE: CVE-2015-3845
Bug: ANDROID-17312693
Severity: High
Partners Notified: July 3, 2015 (Bulletin 2015-10)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)

CVE: CVE-2015-1528
Bug: ANDROID-19334482
Severity: High
Partners Notified: July 22, 2015 (Bulletin 2015-11)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in Binder could allow a malicious application to execute arbitrary code within the context of another app’s process. This issue is rated as High severity because it allows a malicious application to gain privileges not accessible to a third-party application.


Elevation of Privilege Vulnerability in Keystore

CVE: CVE-2015-3863
Bug: ANDROID-22802399
Severity: High
Partners Notified: Aug 04, 2015 (Bulletin 2015-12)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in Keystore could allow a malicious application to execute arbitrary code within the context of the keystore service. This could allow unauthorized use of keys stored by Keystore, including hardware-backed keys. This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application.


Elevation of Privilege Vulnerability in Region

CVE: CVE-2015-3849
Bug: ANDROID-20883006
Severity: High
Partners Notified: Aug 04, 2015 (Bulletin 2015-12)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in Region could, through creation of a malicious message to a service, allow a malicious application to execute arbitrary code within the context of the target service. This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application.


Elevation of Privilege Vulnerability in SMS enables notification bypass

CVE: CVE-2015-3858
Bug: ANDROID-22314646
Severity: High
Partners Notified: Aug 13, 2015 (Bulletin 2015-13)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in the way that Android processes SMS messages could enable a malicious application to send an SMS message that bypasses the premium-rate SMS warning notification. This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application.



Elevation of Privilege Vulnerability in Lockscreen

CVE: CVE-2015-3860
Bug: ANDROID-22214934
Severity: Moderate
Partners Notified: Aug 04, 2015 (Bulletin 2015-12)
Affected Versions: 5.1 and 5.0
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

An elevation of privilege vulnerability in Lockscreen could allow a malicious user to bypass the lockscreen by causing it to crash. This issue is classified as a vulnerability only on Android 5.0 and 5.1. While it's possible to cause the System UI to crash from the lockscreen in a similar way on 4.4, the home screen cannot be accessed and the device must be rebooted to recover.


This is rated as Moderate severity because it potentially allows someone with physical access to a device to install third-party apps without the device's owner approving the permissions. It can also allow the attacker to view contact data, phone logs, SMS messages, and other data that is normally protected by a "dangerous"-level permission.



Denial of Service Vulnerability in Mediaserver

CVE: CVE-2015-3861
Bug: ANDROID-21296336
Severity: Low
Partners Notified: Aug 04, 2015 (Bulletin 2015-12)
Affected Versions: 5.1 and below
Fixed in Nexus Build: 5.1.1 (LMY48M)


Description:

A denial of service vulnerability in mediaserver could allow a local attacker to temporarily block access to an affected device. This issue is rated as Low severity because a user could reboot into safe mode to remove a malicious application that is exploiting this issue. It is also possible to cause mediaserver to process the malicious file remotely through the web or over MMS; in that case, the mediaserver process crashes and the device remains usable.



Android Open Source Project Details

The Android Open Source Project includes the following patches for these issues:


Title | CVE | Patch Location
Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968
Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | https://github.com/torvalds/linux/commit/a134f083e79f
Elevation of Privilege Vulnerability in Binder | CVE-2015-3845 | https://android.googlesource.com/platform/frameworks/native/+/e68cbc3e9e66df4231e70efa3e9c41abc12aea20
Elevation of Privilege Vulnerability in Binder | CVE-2015-1528 | https://android.googlesource.com/platform/frameworks/native/+/7dcd0ec9c91688cfa3f679804ba6e132f9811254
Elevation of Privilege Vulnerability in Binder | CVE-2015-1528 | https://android.googlesource.com/platform/system/core/+/e8c62fb484151f76ab88b1d5130f38de24ac8c14
Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | https://android.googlesource.com/platform/system/security/+/bb9f4392c2f1b11be3acdc1737828274ff1ec55b
Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | https://android.googlesource.com/platform/frameworks/base/+/4cff1f49ff95d990d6c2614da5d5a23d02145885
Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | https://android.googlesource.com/platform/frameworks/base/+/1e72dc7a3074cd0b44d89afbf39bbf5000ef7cc3
Elevation of Privilege Vulnerability in SMS enables notification bypass | CVE-2015-3858 | https://android.googlesource.com/platform/frameworks/opt/telephony/+/df31d37d285dde9911b699837c351aed2320b586
Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590
Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | https://android.googlesource.com/platform/frameworks/av/+/304ef91624e12661e7e35c2c0c235da84a73e9c0