MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-149

DATE(S) ISSUED:
10/05/2016

SUBJECT:
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, information disclosure, or bypassing security restrictions.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEM AFFECTED:
· Android OS builds utilizing Security Patch Levels prior to the Security Patch Level published on October 05, 2016.
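
One way to triage a device inventory against the patch level named above (an added example, not part of the MS-ISAC advisory). The inventory format and device names are constructed, and each level is assumed to be the value a device reports for the `ro.build.version.security_patch` property.

```shell
#!/bin/sh
# Added example: flag devices whose Android security patch level predates
# the level this advisory names (October 05, 2016).
# On a connected device the level can be read with:
#   adb shell getprop ro.build.version.security_patch
CUTOFF="2016-10-05"

# patch_status LEVEL -> prints "ok", "vulnerable" or "unknown".
# A missing or malformed level is "unknown" so it is never silently passed.
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # YYYY-MM-DD compares correctly as an integer once the dashes are removed.
    level=$(printf '%s' "$1" | tr -d '-')
    cutoff=$(printf '%s' "$CUTOFF" | tr -d '-')
    if [ "$level" -lt "$cutoff" ]; then echo vulnerable; else echo ok; fi
}

# audit_inventory: reads "device-id patch-level" lines on stdin (assumed
# format) and prints every device not confirmed at or above the cutoff.
audit_inventory() {
    while read -r device level; do
        [ -n "$device" ] || continue
        status=$(patch_status "$level")
        [ "$status" = ok ] || printf '%s %s %s\n' "$device" "${level:--}" "$status"
    done
}

# Constructed sample inventory (device ids and levels are made up).
# phone-03 reports 2016-10-01, which is still prior to the cutoff.
sample_inventory() {
    cat <<'EOF'
tablet-01 2016-10-05
phone-02 2016-09-06
phone-03 2016-10-01
watch-04
phone-05 2016-11-01
kiosk-06 unknown-build
EOF
}

sample_inventory | audit_inventory
```

Devices reported as `unknown` need manual follow-up, since a device that reports no patch level cannot be shown to be at or above the cutoff.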

RISK:
Government:
· Large and medium government entities: High
· Small government entities: High
Businesses:
· Large and medium business entities: High
· Small business entities: High
Home users: High

TECHNICAL SUMMARY:
Google's Android OS is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:

· Use after free in V8 (CVE-2016-5177).
· Elevation of privilege vulnerability in ServiceManager (CVE-2016-3900).
· Elevation of privilege vulnerability in Lock Settings Service (CVE-2016-3908).
· Elevation of privilege vulnerability in Mediaserver (CVE-2016-3909, CVE-2016-3910, CVE-2016-3913).
· Elevation of privilege vulnerability in Zygote process (CVE-2016-3911).
· Elevation of privilege vulnerability in framework APIs (CVE-2016-3912).
· Elevation of privilege vulnerability in Telephony (CVE-2016-3914).
· Elevation of privilege vulnerability in Camera service (CVE-2016-3915, CVE-2016-3916).
· Elevation of privilege vulnerability in fingerprint login (CVE-2016-3917).
· Information disclosure vulnerability in AOSP Mail (CVE-2016-3918).
· Denial of service vulnerability in Wi-Fi (CVE-2016-3882).
· Denial of service vulnerability in GPS (CVE-2016-5348).
· Denial of service vulnerability in Mediaserver (CVE-2016-3920).
· Elevation of privilege vulnerability in Framework Listener (CVE-2016-3921).
· Elevation of privilege vulnerability in Telephony (CVE-2016-3922).
· Elevation of privilege vulnerability in Accessibility services (CVE-2016-3923).
· Information disclosure vulnerability in Mediaserver (CVE-2016-3924).
· Denial of service vulnerability in Wi-Fi (CVE-2016-3925).
· Remote code execution vulnerability in kernel ASN.1 decoder (CVE-2016-0758).
· Remote code execution vulnerability in kernel networking subsystem (CVE-2016-7117).
· Elevation of privilege vulnerability in MediaTek video driver (CVE-2016-3928).
· Elevation of privilege vulnerability in kernel shared memory driver (CVE-2016-5340).
· Vulnerabilities in Qualcomm components (CVE-2016-3926, CVE-2016-3927, CVE-2016-3929).
· Elevation of privilege vulnerability in Qualcomm networking component (CVE-2016-2059).
· Elevation of privilege vulnerability in NVIDIA MMC test driver (CVE-2016-3930).
· Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver (CVE-2016-3931).
· Elevation of privilege vulnerability in Mediaserver (CVE-2016-3932, CVE-2016-3933).
· Elevation of privilege vulnerability in Qualcomm camera driver (CVE-2016-3903, CVE-2016-3934).
· Elevation of privilege vulnerability in Qualcomm sound driver (CVE-2015-8951).
· Elevation of privilege vulnerability in Qualcomm crypto engine driver (CVE-2016-3901, CVE-2016-3935).
· Elevation of privilege vulnerability in MediaTek video driver (CVE-2016-3936, CVE-2016-3937).
· Elevation of privilege vulnerability in Qualcomm video driver (CVE-2016-3938, CVE-2016-3939).
· Elevation of privilege vulnerability in Synaptics touchscreen driver (CVE-2016-3940, CVE-2016-6672).
· Elevation of privilege vulnerability in NVIDIA camera driver (CVE-2016-6673).
· Elevation of privilege vulnerability in system_server (CVE-2016-6674).
· Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (CVE-2016-3905, CVE-2016-6675, CVE-2016-6676, CVE-2016-5342).
· Elevation of privilege vulnerability in kernel performance subsystem (CVE-2015-8955).
· Information disclosure vulnerability in kernel ION subsystem (CVE-2015-8950).
· Information disclosure vulnerability in NVIDIA GPU driver (CVE-2016-6677).
· Elevation of privilege vulnerability in Qualcomm character driver (CVE-2015-0572).
· Information disclosure vulnerability in Qualcomm sound driver (CVE-2016-3860).
· Information disclosure vulnerability in Motorola USBNet driver (CVE-2016-6678).
· Information disclosure vulnerability in Qualcomm components (CVE-2016-6679, CVE-2016-3902, CVE-2016-6680, CVE-2016-6681, CVE-2016-6682).
· Information disclosure vulnerability in kernel components (CVE-2016-6683, CVE-2016-6684, CVE-2015-8956, CVE-2016-6685).
· Information disclosure vulnerability in NVIDIA profiler (CVE-2016-6686, CVE-2016-6687, CVE-2016-6688).
· Information disclosure vulnerability in kernel (CVE-2016-6689).
· Denial of service vulnerability in kernel networking subsystem (CVE-2016-5696).
· Denial of service vulnerability in kernel sound driver (CVE-2016-6690).
· Vulnerabilities in Qualcomm components (CVE-2016-6691, CVE-2016-6692, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, CVE-2016-6696, CVE-2016-5344, CVE-2016-5343).
· Various fixes from internal audits, fuzzing and other initiatives (CVE-2016-5178).

Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, information disclosure, or bypassing security restrictions.

RECOMMENDATIONS:
We recommend the following actions be taken:
· Apply appropriate updates provided by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing.
· Remind users to download apps only from trusted vendors in the Play Store.
· Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
· Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.

REFERENCES:

Google:

https://source.android.com/security/bulletin/2016-10-01.html

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-0572

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8950

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8951

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8955

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8956

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0758

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2059

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3860

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3882

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3900

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3901

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3902

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3903

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3905

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3908

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3909

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3910

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3911

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3912

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3913

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3914

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3915

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3916

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3917

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3918

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3920

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3921

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3922

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3923

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3924

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3925

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3926

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3927

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3928

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3929

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3930

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3931

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3932

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3933

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3934

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3935

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3936

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3937

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3938

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3939

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3940

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5340

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5342

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5343

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5344

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5348

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5696

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6672

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6673

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6674

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6675

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6676

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6677

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6678

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6679

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6680

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6681

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6682

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6683

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6684

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6685

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6686

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6687

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6688

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6689

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6690

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6691

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6692

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6693

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6694

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6695

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6696

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7117