MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-164

DATE(S) ISSUED:
11/08/2016

SUBJECT:
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, information disclosure, or bypassing security restrictions.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Android OS builds utilizing Security Patch Levels prior to the Security Patch Level published on November 6, 2016.

 

RISK:

    Government:

  • Large and medium government entities: High
  • Small government entities: High

    Businesses:

  • Large and medium business entities: High
  • Small business entities: High

    Home users: High

TECHNICAL SUMMARY:

Google's Android OS is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:

  • Remote code execution vulnerability in Mediaserver. (CVE-2016-6699)
  • Elevation of privilege vulnerability in libzipfile. (CVE-2016-6700)
  • Remote code execution vulnerability in Skia. (CVE-2016-6701)
  • Remote code execution vulnerability in libjpeg. (CVE-2016-6702)
  • Remote code execution vulnerability in Android runtime. (CVE-2016-6703)
  • Elevation of privilege vulnerability in Mediaserver. (CVE-2016-6704, CVE-2016-6705, CVE-2016-6706)
  • Elevation of privilege vulnerability in System Server. (CVE-2016-6707)
  • Elevation of privilege vulnerability in System UI. (CVE-2016-6708)
  • Information disclosure vulnerability in Conscrypt and BoringSSL. (CVE-2016-6709)
  • Information disclosure vulnerability in download manager. (CVE-2016-6710)
  • Denial of service vulnerability in Bluetooth. (CVE-2014-9908)
  • Denial of service vulnerability in OpenJDK. (CVE-2015-0410)
  • Denial of service vulnerability in Mediaserver. (CVE-2016-6711, CVE-2016-6712, CVE-2016-6713, CVE-2016-6714)
  • Elevation of privilege vulnerability in Framework APIs. (CVE-2016-6715)
  • Elevation of privilege vulnerability in AOSP Launcher. (CVE-2016-6716)
  • Elevation of privilege vulnerability in Mediaserver. (CVE-2016-6717)
  • Elevation of privilege vulnerability in Account Manager Service. (CVE-2016-6718)
  • Elevation of privilege vulnerability in Bluetooth. (CVE-2016-6719)
  • Information disclosure vulnerability in Mediaserver. (CVE-2016-6720, CVE-2016-6721, CVE-2016-6722)
  • Denial of service vulnerability in Proxy Auto Config. (CVE-2016-6723)
  • Denial of service vulnerability in Input Manager Service. (CVE-2016-6724)
  • Remote code execution vulnerability in Qualcomm crypto driver. (CVE-2016-6725)
  • Elevation of privilege vulnerability in kernel file system. (CVE-2015-8961, CVE-2016-7910, CVE-2016-7911)
  • Elevation of privilege vulnerability in kernel SCSI driver. (CVE-2015-8962)
  • Elevation of privilege vulnerability in kernel media driver. (CVE-2016-7913)
  • Elevation of privilege vulnerability in kernel USB driver. (CVE-2016-7912)
  • Elevation of privilege vulnerability in kernel ION subsystem. (CVE-2016-6728)
  • Elevation of privilege vulnerability in Qualcomm bootloader. (CVE-2016-6729)
  • Elevation of privilege vulnerability in NVIDIA GPU driver. (CVE-2016-6730, CVE-2016-6731, CVE-2016-6732, CVE-2016-6733, CVE-2016-6734, CVE-2016-6735, CVE-2016-6736)
  • Elevation of privilege vulnerability in kernel networking subsystem. (CVE-2016-6828)
  • Elevation of privilege vulnerability in kernel sound subsystem. (CVE-2016-2184)
  • Elevation of privilege vulnerability in kernel ION subsystem. (CVE-2016-6737)
  • Vulnerabilities in Qualcomm components. (CVE-2016-6726, CVE-2016-6727)
  • Remote code execution vulnerability in Expat. (CVE-2016-0718, CVE-2012-6702, CVE-2016-5300, CVE-2015-1283)
  • Remote code execution vulnerability in Webview. (CVE-2016-6754)
  • Remote code execution vulnerability in Freetype. (CVE-2014-9675)
  • Elevation of privilege vulnerability in kernel performance subsystem. (CVE-2015-8963)
  • Elevation of privilege vulnerability in kernel system-call auditing subsystem. (CVE-2016-6136)
  • Elevation of privilege vulnerability in Qualcomm crypto engine driver. (CVE-2016-6738)
  • Elevation of privilege vulnerability in Qualcomm camera driver. (CVE-2016-6739, CVE-2016-6740, CVE-2016-6741)
  • Elevation of privilege vulnerability in Qualcomm bus driver. (CVE-2016-3904)
  • Elevation of privilege vulnerability in Synaptics touchscreen driver. (CVE-2016-6742, CVE-2016-6744, CVE-2016-6745, CVE-2016-6743)
  • Information disclosure vulnerability in kernel components. (CVE-2015-8964, CVE-2016-7914, CVE-2016-7915, CVE-2016-7916)
  • Information disclosure vulnerability in NVIDIA GPU driver. (CVE-2016-6746)
  • Denial of service vulnerability in Mediaserver. (CVE-2016-6747)
  • Information disclosure vulnerability in kernel components. (CVE-2016-6753, CVE-2016-7917)
  • Information disclosure vulnerability in Qualcomm components. (CVE-2016-6748, CVE-2016-6749, CVE-2016-6750, CVE-2016-3906, CVE-2016-3907, CVE-2016-6698, CVE-2016-6751, CVE-2016-6752)
  • Elevation of privilege vulnerability in kernel memory subsystem. (CVE-2016-5195)

Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, information disclosure, denial of service, or bypassing security restrictions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing.
  • Remind users to download apps only from trusted vendors in the Play Store.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.
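
To decide which devices need the update, a fleet inventory can be checked against the Security Patch Level named under SYSTEMS AFFECTED. The following is an added example, not part of the MS-ISAC advisory; the CSV layout, device IDs and model names are constructed, and the `security_patch` column is assumed to hold the value a device reports for `ro.build.version.security_patch`.

```python
import csv
import io
from datetime import date

# Patch level named in the advisory's SYSTEMS AFFECTED section.
REQUIRED_PATCH_LEVEL = date(2016, 11, 6)

# Constructed sample inventory (hypothetical devices). The security_patch
# column holds what `adb shell getprop ro.build.version.security_patch`
# or an MDM export reports for each device.
SAMPLE_INVENTORY = """device_id,model,security_patch
dev-001,Phone A,2016-11-06
dev-002,Phone B,2016-11-05
dev-003,Phone C,2016-10-05
dev-004,Tablet A,
dev-005,Phone D,November 2016
dev-006,Phone E,2016-12-01
"""


def classify(patch_level):
    """Return 'patched', 'affected' or 'unknown' for one reported patch level."""
    try:
        reported = date.fromisoformat(patch_level.strip())
    except ValueError:
        # Empty or non-ISO value: the device cannot be shown to be patched,
        # so it is queued for manual review instead of passing silently.
        return "unknown"
    return "patched" if reported >= REQUIRED_PATCH_LEVEL else "affected"


def audit(inventory_csv):
    """Group device IDs by status for every row of a CSV inventory."""
    result = {"patched": [], "affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("security_patch") or "")
        result[status].append(row["device_id"])
    return result


if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(devices) or '-'}")
```

Devices in the `unknown` group report no usable patch level and should be treated as affected until verified by hand.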

REFERENCES:

Google:

https://source.android.com/security/bulletin/2016-11-01.html

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9908

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8961

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8962

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8963

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8964

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2184

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3904

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3906

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3907

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6136

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6698

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6699

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6700

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6701

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6702

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6703

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6704

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6705

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6706

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6707

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6708

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6709

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6710

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6711

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6712

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6713

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6714

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6715

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6716

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6717

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6718

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6719

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6720

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6721

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6722

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6723

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6724

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6725

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6726

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6727

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6728

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6729

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6730

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6731

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6732

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6733

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6734

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6735

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6736

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6737

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6738

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6739

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6740

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6741

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6742

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6743

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6744

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6745

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6746

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6747

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6748

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6749

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6750

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6751

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6752

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6753

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6754

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6828

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7910

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7911

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7912

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7913

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7914

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7915

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7916

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7917