Nexus Security Bulletin - February 2016

In this document

Published February 01, 2016 | Updated March 7, 2016

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49G or later and Android M with Security Patch Level of February 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level.

Partners were notified about the issues described in the bulletin on January 4, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The Remote Code Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as it could allow remote code execution on an affected device while connected to the same network as the attacker.

We have had no reports of active customer exploitation of these newly reported issues. Refer to the Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform. We encourage all customers to accept these updates to their devices.

Security Vulnerability Summary

The table below contains a list of security vulnerabilities, the Common Vulnerability and Exposures ID (CVE), and their assessed severity. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

Issue CVE Severity
Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver CVE-2016-0801
CVE-2016-0802
Critical
Remote Code Execution Vulnerability in Mediaserver CVE-2016-0803
CVE-2016-0804
Critical
Elevation of Privilege Vulnerability in Qualcomm Performance Module CVE-2016-0805 Critical
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver CVE-2016-0806 Critical
Elevation of Privilege Vulnerability in the Debugger Daemon CVE-2016-0807 Critical
Denial of Service Vulnerability in Minikin CVE-2016-0808 High
Elevation of Privilege Vulnerability in Wi-Fi CVE-2016-0809 High
Elevation of Privilege Vulnerability in Mediaserver CVE-2016-0810 High
Information Disclosure Vulnerability in libmediaplayerservice CVE-2016-0811 High
Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-0812
CVE-2016-0813
Moderate

Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which will warn about potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

Security Vulnerability Details

In the sections below, we provide details for each of the security vulnerabilities listed in the Security Vulnerability Summary above. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, affected versions, and date reported. When available, we will link the AOSP commit that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.

Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver

Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel. These vulnerabilities can be triggered when the attacker and the victim are associated with the same network. This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.

CVE Bugs Severity Updated versions Date reported
CVE-2016-0801 ANDROID-25662029
ANDROID-25662233
Critical 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Oct 25, 2015
CVE-2016-0802 ANDROID-25306181 Critical 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Oct 26,2015

Remote Code Execution Vulnerability in Mediaserver

During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.

CVE Bugs with AOSP links Severity Updated versions Date reported
CVE-2016-0803 ANDROID-25812794 Critical 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Nov 19, 2015
CVE-2016-0804 ANDROID-25070434 Critical 5.0, 5.1.1, 6.0, 6.0.1 Oct 12, 2015

Elevation of Privilege Vulnerability in Qualcomm Performance Module

An elevation of privilege vulnerability in the performance event manager component for ARM processors from Qualcomm could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug Severity Updated versions Date reported
CVE-2016-0805 ANDROID-25773204* Critical 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Nov 15, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver

There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug Severity Updated versions Date reported
CVE-2016-0806 ANDROID-25344453* Critical 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Nov 15, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in the Debuggerd

An elevation of privilege vulnerability in the Debuggerd component could enable a local malicious application to execute arbitrary code within the device root context. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0807 ANDROID-25187394 Critical 6.0 and 6.0.1 Google Internal

Denial of Service Vulnerability in Minikin

A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component which leads to a crash. This is rated as a high severity because Denial of Service leads to a continuous reboot loop.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0808 ANDROID-25645298 High 5.0, 5.1.1, 6.0, 6.0.1 Nov 3, 2015

Elevation of Privilege Vulnerability in Wi-Fi

An elevation of privilege vulnerability in the Wi-Fi component could enable a local malicious application to execute arbitrary code within the System context. A device is only vulnerable to this issue while in local proximity. This issue is rated as High severity because it could be used to gain “normal” capabilities remotely. Generally, these permissions are accessible only to third-party applications installed locally.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0809 ANDROID-25753768 High 6.0, 6.0.1 Google Internal

Elevation of Privilege Vulnerability in Mediaserver

An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0810 ANDROID-25781119 High 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1 Google Internal

Information Disclosure Vulnerability in libmediaplayerservice

An information disclosure vulnerability in libmediaplayerservice could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0811 ANDROID-25800375 High 6.0, 6.0.1 Nov 16, 2015

Elevation of Privilege Vulnerability in Setup Wizard

A vulnerability in the Setup Wizard could allow a malicious attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as a Moderate severity because it potentially allows someone with physical access to a device to bypass the Factory Reset Protection, which enables an attacker to successfully reset a device, erasing all data.

CVE Bugs with AOSP links Severity Updated versions Date reported
CVE-2016-0812 ANDROID-25229538 Moderate 5.1.1, 6.0 Google Internal
CVE-2016-0813 ANDROID-25476219 Moderate 5.1.1, 6.0, 6.0.1 Google Internal

Common Questions and Answers

This section reviews answers to common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-02-01]

Revisions

  • February 01, 2016: Bulletin published.
  • February 02, 2016: Bulletin revised to include AOSP links.
  • March 07, 2016: Bulletin revised to include additional AOSP links.