Android Security Bulletin—June 2016

Published June 06, 2016 | Updated June 08, 2016

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware images have also been released to the Google Developer site. Security Patch Levels of June 01, 2016 or later address these issues. Refer to the Nexus documentation to learn how to check the security patch level.

Partners were notified about the issues described in the bulletin on May 02, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.

The most severe issue is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Service Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.

We encourage all customers to accept these updates to their devices.

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

  • Di Shen (@returnsme) of KeenLab (@keen_lab), Tencent: CVE-2016-2468
  • Gal Beniamini (@laginimaineb): CVE-2016-2476
  • Gengjia Chen (@chengjia4574), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-2492
  • Hao Chen, Guang Gong, and Wenlin Yang of Mobile Safe Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-2470, CVE-2016-2471, CVE-2016-2472, CVE-2016-2473, CVE-2016-2498
  • Iwo Banas: CVE-2016-2496
  • Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-2490, CVE-2016-2491
  • Lee Campbell of Google: CVE-2016-2500
  • Maciej Szawłowski of the Google Security Team: CVE-2016-2474
  • Marco Nelissen and Max Spector of Google: CVE-2016-2487
  • Mark Brand of Google Project Zero: CVE-2016-2494
  • Mingjian Zhou (@Mingjian_Zhou), Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-2477, CVE-2016-2478, CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484, CVE-2016-2485, CVE-2016-2486
  • Scott Bauer (@ScottyBauer1): CVE-2016-2066, CVE-2016-2061, CVE-2016-2465, CVE-2016-2469, CVE-2016-2489
  • Vasily Vasilev: CVE-2016-2463
  • Weichao Sun (@sunblate) of Alibaba Inc.: CVE-2016-2495
  • Xiling Gong of Tencent Security Platform Department: CVE-2016-2499
  • Zach Riggle (@ebeip90) of the Android Security Team: CVE-2016-2493

Security Vulnerability Details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-06-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated Android bug, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.

Remote Code Execution Vulnerability in Mediaserver

A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2463 | 27855419 | Critical | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 25, 2016 |

Remote Code Execution Vulnerabilities in libwebm

Remote code execution vulnerabilities with libwebm could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.

The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2464 | 23167726 [2] | Critical | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |

Elevation of Privilege Vulnerability in Qualcomm Video Driver

An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2465 | 27407865* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Feb 21, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Sound Driver

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2466 | 27947307* | Critical | Nexus 6 | Feb 27, 2016 |
| CVE-2016-2467 | 28029010* | Critical | Nexus 5 | Mar 13, 2014 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm GPU Driver

An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2468 | 27475454* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 | Mar 2, 2016 |
| CVE-2016-2062 | 27364029* | Critical | Nexus 5X, Nexus 6P | Mar 6, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2474 | 27424603* | Critical | Nexus 5X | Google Internal |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to invoke system calls changing the device settings and behavior without the privileges to do so. This issue is rated as High because it could be used to gain local access to elevated capabilities.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2475 | 26425765* | High | Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, Pixel C | Jan 6, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Sound Driver

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2066 | 26876409* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Jan 29, 2016 |
| CVE-2016-2469 | 27531992* | High | Nexus 5, Nexus 6, Nexus 6P | Mar 4, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2476 | 27207275 [2] [3] [4] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Feb 11, 2016 |
| CVE-2016-2477 | 27251096 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Feb 17, 2016 |
| CVE-2016-2478 | 27475409 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 3, 2016 |
| CVE-2016-2479 | 27532282 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2480 | 27532721 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2481 | 27532497 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2482 | 27661749 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 14, 2016 |
| CVE-2016-2483 | 27662502 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 14, 2016 |
| CVE-2016-2484 | 27793163 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2485 | 27793367 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2486 | 27793371 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2487 | 27833616 [2] [3] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |

Elevation of Privilege Vulnerability in Qualcomm Camera Driver

An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2061 | 27207747* | High | Nexus 5X, Nexus 6P | Feb 15, 2016 |
| CVE-2016-2488 | 27600832* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013) | Google Internal |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Video Driver

An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2489 | 27407629* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Feb 21, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in NVIDIA Camera Driver

An elevation of privilege vulnerability in the NVIDIA camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service to call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2490 | 27533373* | High | Nexus 9 | Mar 6, 2016 |
| CVE-2016-2491 | 27556408* | High | Nexus 9 | Mar 8, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2470 | 27662174* | High | Nexus 7 (2013) | Mar 13, 2016 |
| CVE-2016-2471 | 27773913* | High | Nexus 7 (2013) | Mar 19, 2016 |
| CVE-2016-2472 | 27776888* | High | Nexus 7 (2013) | Mar 20, 2016 |
| CVE-2016-2473 | 27777501* | High | Nexus 7 (2013) | Mar 20, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in MediaTek Power Management Driver

An elevation of privilege vulnerability in the MediaTek power management driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising the device and an elevation to root to call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2492 | 28085410* | High | Android One | Apr 7, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of Privilege Vulnerability in SD Card Emulation Layer

An elevation of privilege vulnerability in the SD Card userspace emulation layer could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2494 | 28085658 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Apr 7, 2016 |

Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service to call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2493 | 26571522* | High | Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus Player, Pixel C | Google Internal |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Remote Denial of Service Vulnerability in Mediaserver

A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2495 | 28076789 [2] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Apr 6, 2016 |

Elevation of Privilege Vulnerability in Framework UI

An elevation of privilege vulnerability in the Framework UI permission dialog window could enable an attacker to gain access to unauthorized files in private storage. This issue is rated as Moderate because it could be used to improperly gain "dangerous" permissions.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2496 | 26677796 [2] [3] | Moderate | All Nexus | 6.0, 6.1 | May 26, 2015 |

Information Disclosure Vulnerability in Qualcomm Wi-Fi Driver

An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a service that can call the driver.

| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2498 | 27777162* | Moderate | Nexus 7 (2013) | Mar 20, 2016 |

* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information Disclosure Vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could allow an application to access sensitive information. This issue is rated as Moderate because it could be used to access data without permission.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2499 | 27855172 | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 24, 2016 |

Information Disclosure Vulnerability in Activity Manager

An information disclosure vulnerability in the Activity Manager component could allow an application to access sensitive information. This issue is rated Moderate because it could be used to access data without permission.

| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2500 | 19285814 | Moderate | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |

Common Questions and Answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

Security Patch Levels of June 01, 2016 or later address these issues (refer to the Nexus documentation for instructions on how to check the security patch level). Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-06-01]

2. How do I determine which Nexus devices are affected by each issue?

In the Security Vulnerability Details section, each table has an Updated Nexus devices column that covers the range of affected Nexus devices updated for each issue. This column has a few options:

  • All Nexus devices: If an issue affects all Nexus devices, the table will have “All Nexus” in the Updated Nexus devices column. “All Nexus” encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One, Nexus Player, and Pixel C.
  • Some Nexus devices: If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the Updated Nexus devices column.
  • No Nexus devices: If no Nexus devices are affected by the issue, the table will have “None” in the Updated Nexus devices column.
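
The two answers above can be combined into a fleet triage check. The following is an added example, not part of the bulletin: it reads a device's property dump, compares the security patch level against 2016-06-01, and lists which bulletin CVEs still apply to that model. The function names and the sample inventory are constructed for illustration, ROWS is only a subset of the bulletin's tables, and the property line is assumed to follow the `[key]:[value]` form shown in answer 1 (with or without a space after the colon).

```python
import re
from datetime import date

FIXED_LEVEL = date(2016, 6, 1)  # patch level the bulletin says addresses these issues

# "All Nexus" as expanded in the bulletin's answer to question 2.
ALL_NEXUS = {"Nexus 5", "Nexus 5X", "Nexus 6", "Nexus 6P", "Nexus 7 (2013)",
             "Nexus 9", "Android One", "Nexus Player", "Pixel C"}

# Subset of rows copied from the bulletin: (CVE, severity, "Updated Nexus devices" cell).
ROWS = [
    ("CVE-2016-2463", "Critical", "All Nexus"),
    ("CVE-2016-2465", "Critical", "Nexus 5, Nexus 5X, Nexus 6, Nexus 6P"),
    ("CVE-2016-2466", "Critical", "Nexus 6"),
    ("CVE-2016-2474", "Critical", "Nexus 5X"),
    ("CVE-2016-2475", "High", "Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), "
                              "Nexus 9, Nexus Player, Pixel C"),
    ("CVE-2016-2490", "High", "Nexus 9"),
    ("CVE-2016-2498", "Moderate", "Nexus 7 (2013)"),
]

PROP_RE = re.compile(r"^\[ro\.build\.version\.security_patch\]:\s*\[([^\]]*)\]\s*$")

def parse_patch_level(prop_dump):
    """Return the security patch level as a date, or None if absent or malformed."""
    for line in prop_dump.splitlines():
        m = PROP_RE.match(line.strip())
        if not m:
            continue
        try:
            return date.fromisoformat(m.group(1))
        except ValueError:
            return None  # property present but not a YYYY-MM-DD date
    return None

def devices_for(cell):
    """Expand an 'Updated Nexus devices' cell into a set of exact model names."""
    if cell == "All Nexus":
        return set(ALL_NEXUS)
    if cell == "None":
        return set()
    return {d.strip() for d in cell.split(",")}

def open_issues(model, prop_dump):
    """CVEs from ROWS still unaddressed on this device; empty list if patched."""
    level = parse_patch_level(prop_dump)
    if level is not None and level >= FIXED_LEVEL:
        return []
    # Missing or unparsable level fails closed: the device is treated as unpatched.
    # Set membership is exact, so "Nexus 5" never matches a "Nexus 5X" row.
    return [(cve, sev) for cve, sev, cell in ROWS if model in devices_for(cell)]

# Constructed sample inventory: (model, property dump text).
INVENTORY = [
    ("Nexus 9", "[ro.build.version.security_patch]:[2016-06-01]"),
    ("Nexus 5X", "[ro.build.version.security_patch]: [2016-05-01]"),
    ("Nexus 7 (2013)", "[ro.product.model]: [Nexus 7]"),  # no patch-level property
]

if __name__ == "__main__":
    for model, dump in INVENTORY:
        print(model, parse_patch_level(dump), open_issues(model, dump))
```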

Revisions

  • June 06, 2016: Bulletin published.
  • June 07, 2016:
    • Bulletin revised to include AOSP links.
    • CVE-2016-2496 removed from bulletin.
  • June 08, 2016: CVE-2016-2496 added back to bulletin.