Nexus Security Bulletin - December 2015

In this document

Published December 07, 2015 | Updated March 7, 2016

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY48Z or later and Android 6.0 with Security Patch Level of December 1, 2015 or later address these issues. Refer to the Common Questions and Answers section for more details.

Partners were notified about and provided updates for these issues on November 2, 2015 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

We have had no reports of active customer exploitation of these newly reported issues. Refer to the Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform. We encourage all customers to accept these updates to their devices.

Security Vulnerability Summary

The table below contains a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), and their assessed severity. The severity assessment is based on the effect that exploiting the vulnerability would have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

Issue CVE Severity
Remote Code Execution Vulnerability in Mediaserver CVE-2015-6616 Critical
Remote Code Execution Vulnerability in Skia CVE-2015-6617 Critical
Elevation of Privilege in Kernel CVE-2015-6619 Critical
Remote Code Execution Vulnerabilities in Display Driver CVE-2015-6633
CVE-2015-6634
Critical
Remote Code Execution Vulnerability in Bluetooth CVE-2015-6618 High
Elevation of Privilege Vulnerabilities in libstagefright CVE-2015-6620 High
Elevation of Privilege Vulnerability in SystemUI CVE-2015-6621 High
Elevation of Privilege Vulnerability in Native Frameworks Library CVE-2015-6622 High
Elevation of Privilege Vulnerability in Wi-Fi CVE-2015-6623 High
Elevation of Privilege Vulnerability in System Server CVE-2015-6624 High
Information Disclosure Vulnerabilities in libstagefright CVE-2015-6626
CVE-2015-6631
CVE-2015-6632
High
Information Disclosure Vulnerability in Audio CVE-2015-6627 High
Information Disclosure Vulnerability in Media Framework CVE-2015-6628 High
Information Disclosure Vulnerability in Wi-Fi CVE-2015-6629 High
Elevation of Privilege Vulnerability in System Server CVE-2015-6625 Moderate
Information Disclosure Vulnerability in SystemUI CVE-2015-6630 Moderate

Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

  • Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security Team: CVE-2015-6616, CVE-2015-6617, CVE-2015-6623, CVE-2015-6626, CVE-2015-6619, CVE-2015-6633, CVE-2015-6634
  • Flanker (@flanker_hqd) of KeenTeam (@K33nTeam): CVE-2015-6620
  • Guang Gong (龚广) (@oldfresher, higongguang@gmail.com) of Qihoo 360 Technology Co.Ltd: CVE-2015-6626
  • Mark Carter (@hanpingchinese) of EmberMitre Ltd: CVE-2015-6630
  • Michał Bednarski (https://github.com/michalbednarski): CVE-2015-6621
  • Natalie Silvanovich of Google Project Zero: CVE-2015-6616
  • Peter Pi of Trend Micro: CVE-2015-6616, CVE-2015-6628
  • Qidan He (@flanker_hqd) and Marco Grassi (@marcograss) of KeenTeam (@K33nTeam): CVE-2015-6622
  • Tzu-Yin (Nina) Tai: CVE-2015-6627
  • Joaquín Rinaudo (@xeroxnir) of Programa STIC at Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina: CVE-2015-6631
  • Wangtao (neobyte) of Baidu X-Team: CVE-2015-6626

Security Vulnerability Details

In the sections below, we provide details for each of the security vulnerabilities listed in the Security Vulnerability Summary above. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, updated versions, and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.

Remote Code Execution Vulnerabilities in Mediaserver

During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6616 ANDROID-24630158 Critical 6.0 and below Google Internal
ANDROID-23882800 Critical 6.0 and below Google Internal
ANDROID-17769851 Critical 5.1 and below Google Internal
ANDROID-24441553 Critical 6.0 and below Sep 22, 2015
ANDROID-24157524 Critical 6.0 Sep 08, 2015

Remote Code Execution Vulnerability in Skia

A vulnerability in the Skia component may be leveraged when processing a specially crafted media file, that could lead to memory corruption and remote code execution in a privileged process. This issue is rated as a Critical severity due to the possibility of remote code execution through multiple attack methods such as email, web browsing, and MMS when processing media files.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6617 ANDROID-23648740 Critical 6.0 and below Google internal

Elevation of Privilege in Kernel

An elevation of privilege vulnerability in the system kernel could enable a local malicious application to execute arbitrary code within the device root context. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device could only be repaired by re-flashing the operating system.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6619 ANDROID-23520714 Critical 6.0 and below Jun 7, 2015

Remote Code Execution Vulnerabilities in Display Driver

There are vulnerabilities in the display drivers that, when processing a media file, could cause memory corruption and potential arbitrary code execution in the context of the user mode driver loaded by mediaserver. This issue is rated as a Critical severity due to the possibility of remote code execution through multiple attack methods such as email, web browsing, and MMS when processing media files.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6633 ANDROID-23987307* Critical 6.0 and below Google Internal
CVE-2015-6634 ANDROID-24163261 [2] [3] [4] Critical 5.1 and below Google Internal

*The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Remote Code Execution Vulnerability in Bluetooth

A vulnerability in Android's Bluetooth component could allow remote code execution. However multiple manual steps are required before this could occur. In order to do this it would require a successfully paired device, after the personal area network (PAN) profile is enabled (for example using Bluetooth Tethering) and the device is paired. The remote code execution would be at the privilege of the Bluetooth service. A device is only vulnerable to this issue from a successfully paired device while in local proximity.

This issue is rated as High severity because an attacker could remotely execute arbitrary code only after multiple manual steps are taken and from a locally proximate attacker that had previously been allowed to pair a device.

CVE Bug(s) Severity Updated versions Date reported
CVE-2015-6618 ANDROID-24595992* High 4.4, 5.0, and 5.1 Sep 28, 2015

*The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerabilities in libstagefright

There are multiple vulnerabilities in libstagefright that could enable a local malicious application to execute arbitrary code within the context of the mediaserver service. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6620 ANDROID-24123723 High 6.0 and below Sep 10, 2015
ANDROID-24445127 High 6.0 and below Sep 2, 2015

Elevation of Privilege Vulnerability in SystemUI

When setting an alarm using the clock application, a vulnerability in the SystemUI component could allow an application to execute a task at an elevated privilege level. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6621 ANDROID-23909438 High 5.0, 5.1, and 6.0 Sep 7, 2015

Information Disclosure Vulnerability in Native Frameworks Library

An information disclosure vulnerability in Android Native Frameworks Library could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6622 ANDROID-23905002 High 6.0 and below Sep 7, 2015

Elevation of Privilege Vulnerability in Wi-Fi

An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system service. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6623 ANDROID-24872703 High 6.0 Google Internal

Elevation of Privilege Vulnerability in System Server

An elevation of privilege vulnerability in the System Server component could enable a local malicious application to gain access to service related information. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6624 ANDROID-23999740 High 6.0 Google internal

Information Disclosure Vulnerabilities in libstagefright

There are information disclosure vulnerabilities in libstagefright that during communication with mediaserver, could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6632 ANDROID-24346430 High 6.0 and below Google Internal
CVE-2015-6626 ANDROID-24310423 High 6.0 and below Sep 2, 2015
CVE-2015-6631 ANDROID-24623447 High 6.0 and below Aug 21, 2015

Information Disclosure Vulnerability in Audio

A vulnerability in the Audio component could be exploited during audio file processing. This vulnerability could allow a local malicious application, during processing of a specially crafted file, to cause information disclosure. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6627 ANDROID-24211743 High 6.0 and below Google Internal

Information Disclosure Vulnerability in Media Framework

There is an information disclosure vulnerability in Media Framework that during communication with mediaserver, could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. This issue is rated as High severity because it could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6628 ANDROID-24074485 High 6.0 and below Sep 8, 2015

Information Disclosure Vulnerability in Wi-Fi

A vulnerability in the Wi-Fi component could allow an attacker to cause the Wi-Fi service to disclose information. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party applications.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6629 ANDROID-22667667 High 5.1 and 5.0 Google Internal

Elevation of Privilege Vulnerability in System Server

An elevation of privilege vulnerability in the System Server could enable a local malicious application to gain access to Wi-Fi service related information. This issue is rated as Moderate severity because it could be used to improperly gain “dangerous” permissions.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6625 ANDROID-23936840 Moderate 6.0 Google Internal

Information Disclosure Vulnerability in SystemUI

An information disclosure vulnerability in the SystemUI could enable a local malicious application to gain access to screenshots. This issue is rated as Moderate severity because it could be used to improperly gain “dangerous” permissions.

CVE Bug(s) with AOSP links Severity Updated versions Date reported
CVE-2015-6630 ANDROID-19121797 Moderate 5.0, 5.1, and 6.0 Jan 22, 2015

Common Questions and Answers

This section will review answers to common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Builds LMY48Z or later and Android 6.0 with Security Patch Level of December 1, 2015 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2015-12-01]

Revisions

  • December 07, 2015: Originally Published
  • December 09, 2015: Bulletin revised to include AOSP links.
  • December 22, 2015: Added missing credit to Acknowledgements section.
  • March 07, 2016: Added missing credit to Acknowledgements section.