MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-099

DATE(S) ISSUED:
07/07/2016

SUBJECT:
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices including, but not limited to smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, blocking access to a Bluetooth device, or bypassing security restrictions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Android OS builds prior to version 6.0.1, and builds without a Security Patch Level of July 01, 2016 or later
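The affected-build criterion above is the thing a fleet administrator has to check on every device before and after pushing the update. The following script is an added example and is not part of the MS-ISAC advisory or of Google's bulletin. It parses the output of `adb shell getprop` (the `ro.build.version.release` and `ro.build.version.security_patch` build properties are standard Android properties; the patch level is a `YYYY-MM-DD` string) and flags a device as affected when either the release is below 6.0.1 or the patch level is absent or earlier than 2016-07-01, which is this advisory's wording taken literally. The device names and property dumps are constructed sample data.

```python
"""Classify Android devices against the MS-ISAC 2016-099 affected-build criterion.

Added example, not part of the advisory. It reads `getprop`-style output and
flags any device that is below Android 6.0.1 or that lacks a security patch
level of 2016-07-01 or later (the advisory's criterion, read literally).
"""
import re
from datetime import date

MIN_RELEASE = (6, 0, 1)             # advisory: builds prior to 6.0.1 are affected
MIN_PATCH_LEVEL = date(2016, 7, 1)  # advisory: Security Patch Level of July 01, 2016 or later

# `getprop` prints one property per line as `[key]: [value]`.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Turn getprop lines such as `[ro.build.version.release]: [6.0.1]` into a dict."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_release(value: str) -> tuple:
    """Convert '6.0.1' -> (6, 0, 1) and '6.0' -> (6, 0, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in value.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_patch_level(value: str):
    """Convert 'YYYY-MM-DD' into a date; None when the property is absent or malformed."""
    try:
        year, month, day = (int(x) for x in value.split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def is_affected(props: dict) -> bool:
    """Apply the advisory's criterion to one device's build properties."""
    release = parse_release(props.get("ro.build.version.release", "0"))
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if release < MIN_RELEASE:
        return True
    # A missing or unparsable patch-level property is treated as unpatched (conservative).
    return patch is None or patch < MIN_PATCH_LEVEL


def classify_fleet(devices: dict) -> dict:
    """Map device id -> 'affected' / 'patched' for a dict of getprop dumps."""
    return {dev: ("affected" if is_affected(parse_getprop(out)) else "patched")
            for dev, out in devices.items()}


# Constructed sample getprop dumps (not real devices).
SAMPLE_FLEET = {
    "device-a": "[ro.build.version.release]: [6.0.1]\n"
                "[ro.build.version.security_patch]: [2016-07-05]\n",   # patched
    "device-b": "[ro.build.version.release]: [6.0.1]\n"
                "[ro.build.version.security_patch]: [2016-06-01]\n",   # June patch level: affected
    "device-c": "[ro.build.version.release]: [5.1.1]\n"
                "[ro.build.version.security_patch]: [2016-07-01]\n",   # release below 6.0.1: affected
    "device-d": "[ro.build.version.release]: [6.0.1]\n",                # no patch-level property: affected
}

if __name__ == "__main__":
    for dev, status in classify_fleet(SAMPLE_FLEET).items():
        print(f"{dev}: {status}")
```

In practice the dump for each device comes from `adb -s <serial> shell getprop` or from an MDM inventory export; the script only needs the two properties, so any inventory that records them can be fed through `is_affected` directly.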

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Google's Android OS is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution.

Successful exploitation of these vulnerabilities could allow for remote code execution on the affected system. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition. The vulnerabilities are as follows:

  • Remote code execution vulnerability in Mediaserver with the use of a specially crafted file (CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, CVE-2016-3743)
  • Remote code execution vulnerability in OpenSSL and BoringSSL with the use of a specially crafted file (CVE-2016-2108)
  • Remote code execution vulnerability in Bluetooth during the pairing process (CVE-2016-3744)
  • Elevation of privilege vulnerability in libpng with a local malicious application could lead to arbitrary code execution (CVE-2016-3751)
  • Elevation of privilege vulnerability in Mediaserver with a local malicious application could lead to arbitrary code execution (CVE-2016-3745, CVE-2016-3746, CVE-2016-3747)
  • Elevation of privilege vulnerability in sockets with a local malicious application could allow access to system calls outside of permission levels (CVE-2016-3748)
  • Elevation of privilege vulnerability in LockSettingsService, which could enable a malicious application to reset the screen lock password without authorization (CVE-2016-3749)
  • Elevation of privilege vulnerability in Framework APIs, which could enable a local malicious application to bypass operating system protections (CVE-2016-3750)
  • Elevation of privilege vulnerability in ChooserTarget, which could enable a local malicious application to execute code (CVE-2016-3752)
  • Information disclosure vulnerability in Mediaserver, which could enable a remote attacker to access protected data (CVE-2016-3754, CVE-2016-3755, CVE-2016-3756)
  • Information disclosure vulnerability in OpenSSL, which could enable a remote attacker to access protected data (CVE-2016-2107)
  • Denial of service vulnerability in libc, which could enable an attacker to use a specially crafted file to cause a device hang or reboot (CVE-2016-3818)
  • Elevation of privilege vulnerability in lsof, which could enable a local malicious application to execute arbitrary code (CVE-2016-3757)
  • Elevation of privilege vulnerability in DexClassLoader, which could enable a local malicious application to execute arbitrary code (CVE-2016-3758)
  • Elevation of privilege vulnerability in Framework APIs, which could enable a local malicious application to request backup permissions (CVE-2016-3759)
  • Elevation of privilege vulnerability in Bluetooth, which could enable a local attacker to add an authenticated Bluetooth device (CVE-2016-3760)
  • Elevation of privilege vulnerability in NFC, which could enable a local malicious background application to access information (CVE-2016-3761)
  • Elevation of privilege vulnerability in sockets, which could possibly lead to arbitrary code execution (CVE-2016-3762)
  • Information disclosure vulnerability in Proxy Auto-Config, which could allow an application to access sensitive information (CVE-2016-3763)
  • Information disclosure vulnerability in Mediaserver, which could allow a local malicious application to access sensitive information (CVE-2016-3764, CVE-2016-3765)
  • Information disclosure vulnerability in Mediaserver, which could allow a local malicious application to access sensitive information (CVE-2016-3753)
  • Denial of service vulnerability in Mediaserver with the use of a specially crafted file (CVE-2016-3766)
  • Elevation of privilege vulnerability in Qualcomm GPU driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-2503, CVE-2016-2067)
  • Elevation of privilege vulnerability in MediaTek Wi-Fi driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3767)
  • Elevation of privilege vulnerability in Qualcomm performance component, which could enable a local malicious application to execute arbitrary code (CVE-2016-3768)
  • Elevation of privilege vulnerability in NVIDIA video driver could enable a local malicious application to execute arbitrary code (CVE-2016-3769)
  • Elevation of privilege vulnerability in MediaTek drivers, which could enable a local malicious application to execute arbitrary code (CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774)
  • Elevation of privilege vulnerability in kernel file system, which could enable a local malicious application to execute arbitrary code (CVE-2016-3775)
  • Elevation of privilege vulnerability in USB driver, which could enable a local malicious application to execute arbitrary code (CVE-2015-8816)
  • Multiple elevation of privilege vulnerabilities in Qualcomm components, the most severe of which could possibly lead to arbitrary code execution (CVE-2014-9793, CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890)
  • Elevation of privilege vulnerability in Qualcomm USB driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-2502)
  • Elevation of privilege vulnerability in Qualcomm Wi-Fi driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3792)
  • Elevation of privilege vulnerability in Qualcomm camera driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-2501)
  • Elevation of privilege vulnerability in NVIDIA camera driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3793, CVE-2016-3794)
  • Elevation of privilege vulnerability in MediaTek power driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3795, CVE-2016-3796)
  • Elevation of privilege vulnerability in Qualcomm Wi-Fi driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3797)
  • Elevation of privilege vulnerability in MediaTek hardware sensor driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3798)
  • Elevation of privilege vulnerability in MediaTek video driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3799, CVE-2016-3800)
  • Elevation of privilege vulnerability in MediaTek GPS driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3801)
  • Elevation of privilege vulnerability in kernel file system, which could enable a local malicious application to execute arbitrary code (CVE-2016-3802, CVE-2016-3803)
  • Elevation of privilege vulnerability in MediaTek power management driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3804, CVE-2016-3805)
  • Elevation of privilege vulnerability in MediaTek display driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3806)
  • Elevation of privilege vulnerability in serial peripheral interface driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3807, CVE-2016-3808)
  • Elevation of privilege vulnerability in Qualcomm sound driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-2068)
  • Elevation of privilege vulnerability in kernel, which could enable a local malicious application to execute arbitrary code (CVE-2014-9803)
  • Information disclosure vulnerability in networking component, which could enable a local malicious application to access data (CVE-2016-3809)
  • Information disclosure vulnerability in MediaTek Wi-Fi driver, which could enable a local malicious application to access data (CVE-2016-3810)
  • Elevation of privilege vulnerability in kernel video driver, which could enable a local malicious application to execute arbitrary code (CVE-2016-3811)
  • Information disclosure vulnerability in MediaTek video codec driver, which could enable a local malicious application to access data (CVE-2016-3812)
  • Information disclosure vulnerability in Qualcomm USB driver, which could enable a local malicious application to access data (CVE-2016-3813)
  • Information disclosure vulnerability in NVIDIA camera, which could enable a local malicious application to access data (CVE-2016-3814, CVE-2016-3815)
  • Information disclosure vulnerability in MediaTek display, which could enable a local malicious application to access data (CVE-2016-3816)
  • Information disclosure vulnerability in kernel teletype driver, which could enable a local malicious application to access data (CVE-2016-0723)
  • Denial of service vulnerability in Qualcomm bootloader, which could enable a local malicious application to cause a local permanent device compromise (CVE-2014-9798, CVE-2015-8893)

Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, blocking access to a Bluetooth device, or bypassing security restrictions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Google Android or mobile carriers to vulnerable systems immediately after appropriate testing
  • Remind users to download apps only from trusted vendors in the Play Store
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources

REFERENCES:

Google:

https://source.android.com/security/bulletin/2016-07-01.html


CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7457

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9777

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9778

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9779

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9780

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9781

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9783

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9784

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9785

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9786

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9787

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9789

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9790

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9791

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9792

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9793

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9794

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9798

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9799

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9802

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9803

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8816

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8888

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8889

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8890

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8891

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8892

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8893

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0723

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2067

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2068

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2501

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2502

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2503

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2505

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2506

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2507

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2508

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3741

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3742

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3743

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3744

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3745

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3746

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3747

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3749

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3750

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3751

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3752

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3753

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3754

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3755

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3756

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3757

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3758

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3759

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3760

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3762

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3763

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3765

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3766

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3767

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3768

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3769

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3770

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3771

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3772

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3773

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3774

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3775

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3792

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3793

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3794

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3798

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3799

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3802

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3803

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3804

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3805

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3806

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3807

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3808

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3809

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3810

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3811

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3812

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3813

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3814

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3815

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3816

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3818