Nexus Security Bulletin—April 2016

Published April 04, 2016 | Updated December 19, 2016

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Security Patch Levels of April 02, 2016 or later address these issues (refer to the Nexus documentation for instructions on how to check the security patch level).

Partners were notified about the issues described in the bulletin on March 16, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

Android Security Advisory 2016-03-18 previously discussed use of CVE-2015-1805 by a rooting application. CVE-2015-1805 is resolved in this update. There have been no reports of active customer exploitation or abuse of the other newly reported issues. Refer to the Mitigations section for further details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.

Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which will warn the user about detected potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Acknowledgements

The Android Security team would like to thank these researchers for their contributions:

The Android Security team also thanks Yuan-Tsung Lo, Wenke Dou, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team and Zimperium for their contribution to CVE-2015-1805.

Security Vulnerability Details

The sections below contain details for each of the security vulnerabilities that apply to the 2016-04-02 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated bug, severity, affected versions, and date reported. When available, we will link the AOSP commit that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.

Remote Code Execution Vulnerability in DHCPCD

A vulnerability in the Dynamic Host Configuration Protocol service could enable an attacker to cause memory corruption, which could lead to remote code execution. This issue is rated as Critical severity due to the possibility of remote code execution within the context of the DHCP client. The DHCP service has access to privileges that third-party apps could not normally access.

CVE Bugs with AOSP links Severity Updated versions Date reported
CVE-2014-6060 ANDROID-15268738 Critical 4.4.4 July 30, 2014
CVE-2014-6060 ANDROID-16677003 Critical 4.4.4 July 30, 2014
CVE-2016-1503 ANDROID-26461634 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 4, 2016

Remote Code Execution Vulnerability in Media Codec

During media file and data processing of a specially crafted file, vulnerabilities in a media codec used by mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

CVE Bug Severity Updated versions Date reported
CVE-2016-0834 ANDROID-26220548* Critical 6.0, 6.0.1 Dec 16, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Remote Code Execution Vulnerability in Mediaserver

During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

CVE Bugs with AOSP links Severity Updated versions Date reported
CVE-2016-0835 ANDROID-26070014 [2] Critical 6.0, 6.0.1 Dec 6, 2015
CVE-2016-0836 ANDROID-25812590 Critical 6.0, 6.0.1 Nov 19, 2015
CVE-2016-0837 ANDROID-27208621 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 11, 2016
CVE-2016-0838 ANDROID-26366256 [2] Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal
CVE-2016-0839 ANDROID-25753245 Critical 6.0, 6.0.1 Google Internal
CVE-2016-0840 ANDROID-26399350 Critical 6.0, 6.0.1 Google Internal
CVE-2016-0841 ANDROID-26040840 Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal

Remote Code Execution Vulnerability in libstagefright

During media file and data processing of a specially crafted file, vulnerabilities in libstagefright could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0842 ANDROID-25818142 Critical 6.0, 6.0.1 Nov 23, 2015

Elevation of Privilege Vulnerability in Kernel

An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system. This issue was described in Android Security Advisory 2016-03-18.

CVE Bug Severity Updated versions Date reported
CVE-2015-1805 ANDROID-27275324* Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 February 19, 2016

* The patch in AOSP is available for specific kernel versions: 3.14, 3.10, and 3.4.

Elevation of Privilege Vulnerability in Qualcomm Performance Module

An elevation of privilege vulnerability in the performance event manager component for ARM processors from Qualcomm could enable a local malicious application to execute arbitrary code within the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug Severity Updated versions Date reported
CVE-2016-0843 ANDROID-25801197* Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Nov 19, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm RF component

There is a vulnerability in the Qualcomm RF driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0844 ANDROID-26324307* Critical 6.0, 6.0.1 Dec 25, 2015

* An additional patch for this issue is located in Linux upstream.

Elevation of Privilege Vulnerability in Kernel

An elevation of privilege vulnerability in the common kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

CVE Bug with AOSP links Severity Updated versions Date reported
CVE-2014-9322 ANDROID-26927260 [2] [3]
[4] [5] [6] [7] [8] [9] [10] [11]
Critical 6.0, 6.0.1 Dec 25, 2015

Elevation of Privilege Vulnerability in IMemory Native Interface

An elevation of privilege vulnerability in the IMemory Native Interface could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0846 ANDROID-26877992 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 29, 2016

Elevation of Privilege Vulnerability in Telecom Component

An elevation of privilege vulnerability in the Telecom Component could enable an attacker to make calls appear to come from any arbitrary number. This issue is rated as High severity because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP links Severity Updated versions Date reported
CVE-2016-0847 ANDROID-26864502 [2] High 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal

Elevation of Privilege Vulnerability in Download Manager

An elevation of privilege vulnerability in the Download Manager could enable an attacker to gain access to unauthorized files in private storage. This issue is rated as High severity because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0848 ANDROID-26211054 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 14, 2015

Elevation of Privilege Vulnerability in Recovery Procedure

An elevation of privilege vulnerability in the Recovery Procedure could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0849 ANDROID-26960931 High 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 3, 2016

Elevation of Privilege Vulnerability in Bluetooth

An elevation of privilege vulnerability in Bluetooth could enable an untrusted device to pair with the phone during the initial pairing process. This could lead to unauthorized access of the device resources, such as the Internet connection. This issue is rated as High severity because it could be used to gain elevated capabilities that are not accessible to untrusted devices.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-0850 ANDROID-26551752 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 13, 2016

Elevation of Privilege Vulnerability in Texas Instruments Haptic Driver

There is an elevation of privilege vulnerability in a Texas Instruments haptic kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution bug like this would be rated Critical, but because it first requires compromising a service that can call the driver, it is rated as High severity instead.

CVE Bug Severity Updated versions Date reported
CVE-2016-2409 ANDROID-25981545* High 6.0, 6.0.1 Dec 25, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Video Kernel Driver

There is an elevation of privilege vulnerability in a Qualcomm video kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution vulnerability would be rated Critical, but because it requires first compromising a service that can call the driver, it is rated as High severity instead.

CVE Bug Severity Updated versions Date reported
CVE-2016-2410 ANDROID-26291677* High 6.0, 6.0.1 Dec 21, 2015

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Power Management component

There is an elevation of privilege vulnerability in a Qualcomm Power Management kernel driver that could enable a local malicious application to execute arbitrary code within the context of the kernel. Normally a kernel code execution bug like this would be rated Critical, but because it requires first compromising the device and elevation to root, it is rated as High severity instead.

CVE Bug Severity Updated versions Date reported
CVE-2016-2411 ANDROID-26866053* High 6.0, 6.0.1 Jan 28, 2016

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in System_server

An elevation of privilege vulnerability in System_server could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2412 ANDROID-26593930 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 15, 2016

Elevation of Privilege Vulnerability in Mediaserver

An elevation of privilege vulnerability in mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2413 ANDROID-26403627 High 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 5, 2016

Denial of Service Vulnerability in Minikin

A denial of service vulnerability in the Minikin library could allow a local attacker to temporarily block access to an affected device. An attacker could cause an untrusted font to be loaded and cause an overflow in the Minikin component, which leads to a crash. This is rated as High severity because Denial of Service would lead to a continuous reboot loop.

CVE Bug with AOSP links Severity Updated versions Date reported
CVE-2016-2414 ANDROID-26413177 [2] High 5.0.2, 5.1.1, 6.0, 6.0.1 Nov 3, 2015

Information Disclosure Vulnerability in Exchange ActiveSync

An information disclosure vulnerability in Exchange ActiveSync could enable a local malicious application to gain access to a user’s private information. This issue is rated as High severity because it allows remote access to protected data.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2415 ANDROID-26488455 High 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 11, 2016

Information Disclosure Vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could permit a bypass of security measures in place to increase the difficulty of attackers exploiting the platform. These issues are rated as High severity because they could also be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to third-party applications.

CVE Bugs with AOSP links Severity Updated versions Date reported
CVE-2016-2416 ANDROID-27046057 [2] High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 5, 2016
CVE-2016-2417 ANDROID-26914474 High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Feb 1, 2016
CVE-2016-2418 ANDROID-26324358 High 6.0, 6.0.1 Dec 24, 2015
CVE-2016-2419 ANDROID-26323455 High 6.0, 6.0.1 Dec 24, 2015

Elevation of Privilege Vulnerability in Debuggerd Component

An elevation of privilege vulnerability in the Debuggerd component could enable a local malicious application to execute arbitrary code that could lead to a permanent device compromise. As a result, the device would possibly need to be repaired by re-flashing the operating system. Normally a code execution bug like this would be rated as Critical, but because it enables an elevation of privilege from system to root only in Android version 4.4.4, it is rated as Moderate instead. In Android versions 5.0 and above, SELinux rules prevent third-party applications from reaching the affected code.

CVE Bug with AOSP links Severity Updated versions Date reported
CVE-2016-2420 ANDROID-26403620 [2] Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Jan 5, 2016

Elevation of Privilege Vulnerability in Setup Wizard

A vulnerability in the Setup Wizard could allow an attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as Moderate severity because it potentially allows someone with physical access to a device to bypass the Factory Reset Protection, which would enable an attacker to successfully reset a device, erasing all data.

CVE Bug Severity Updated versions Date reported
CVE-2016-2421 ANDROID-26154410* Moderate 5.1.1, 6.0, 6.0.1 Google Internal

* The patch for this issue is not in AOSP. The update is contained in the latest binary release for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Wi-Fi

An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as Moderate severity because it could be used to gain elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2422 ANDROID-26324357 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 23, 2015

Elevation of Privilege Vulnerability in Telephony

A vulnerability in Telephony could allow an attacker to bypass the Factory Reset Protection and gain access to the device. This is rated as Moderate severity because it potentially allows someone with physical access to a device to bypass the Factory Reset Protection, which would enable an attacker to successfully reset a device, erasing all data.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2423 ANDROID-26303187 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal

Denial of Service Vulnerability in SyncStorageEngine

A denial of service vulnerability in SyncStorageEngine could enable a local malicious application to cause a reboot loop. This issue is rated as Moderate severity because it could be used to cause a local temporary denial of service that would possibly need to be fixed though a factory reset.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2424 ANDROID-26513719 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Google Internal

Information Disclosure Vulnerability in AOSP Mail

An information disclosure vulnerability in AOSP Mail could enable a local malicious application to gain access to a user’s private information. This issue is rated as Moderate severity because it could be used to improperly gain “dangerous” permissions.

CVE Bugs with AOSP link Severity Updated versions Date reported
CVE-2016-2425 ANDROID-26989185 Moderate 4.4.4, 5.1.1, 6.0, 6.0.1 Jan 29, 2016
CVE-2016-2425 ANDROID-7154234* Moderate 5.0.2 Jan 29, 2016

* The patch for this issue is not in AOSP. The update is contained in the latest binary release for Nexus devices available from the Google Developer site.

Information Disclosure Vulnerability in Framework

An information disclosure vulnerability in the Framework component could allow an application to access sensitive information. This issue is rated Moderate severity because it could be used to improperly access to data without permission.

CVE Bug with AOSP link Severity Updated versions Date reported
CVE-2016-2426 ANDROID-26094635 Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 Dec 8, 2015

Common Questions and Answers

This section reviews answers to common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Security Patch Levels of April 2, 2016 or later address these issues (refer to the Nexus documentation for instructions on how to check the security patch level). Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-04-02]

2. Why is this Security Patch Level April 2, 2016?

The Security Patch Level for the monthly security update is normally set to the first of the month. For April, a Security Patch Level of April 1, 2016 indicates that all issues described in this bulletin with the exception of CVE-2015-1805, as described in Android Security Advisory 2016-03-18 have been addressed. A Security Patch Level of April 2, 2016 indicates that all issues described in this bulletin including CVE-2015-1805, as described in Android Security Advisory 2016-03-18 have been addressed.

Revisions

  • April 04, 2016: Bulletin published.
  • April 06, 2016: Bulletin revised to include AOSP links.
  • April 07, 2016: Bulletin revised to include an additional AOSP link.
  • July 11, 2016: Updated description of CVE-2016-2427.
  • August 01, 2016: Updated description of CVE-2016-2427
  • December 19, 2016: Updated to remove CVE-2016-2427, which was reverted.