Huge double boxset of Android patches lands after Qualcomm disk encryption blown open

What a coincidence

Qualcomm Snapdragon 820

Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm's hardware.

The first tranche addresses eight critical CVEs, 15 rated high, and ten moderate (11 and nine distinct issues respectively, since several entries bundle multiple CVEs). All but one of the critical entries are for Android's soon-to-be redesigned Mediaserver, which also accounts for seven of the high-severity CVEs and three of the moderates.

As ever, people have found new ways to corrupt and hijack Mediaserver using booby-trapped video files and multimedia messages. Opening a malicious vid, or merely receiving an MMS that the device parses automatically, could lead to remote code execution as the mediaserver process, which has access to audio and video streams and privileges that third-party apps normally cannot reach, on Android devices from version 4.4.4 up to the most recent build.

The other critical fix covers a flaw (CVE-2016-2108, a memory corruption bug in the ASN.1 encoder) in OpenSSL and Google's stripped-down fork BoringSSL. It can potentially be exploited to execute code on vulnerable devices by feeding them malformed ASN.1 data, such as a crafted certificate.

Other high-severity issues in the update include a fix for the way Android handles Bluetooth communications: a flaw that would allow an attacker within radio range to inject and run code on a device during the pairing process. Below is the full flaw list.

Issue | CVE | Severity | Affects Nexus?
Remote code execution vulnerability in Mediaserver | CVE-2016-2506, CVE-2016-2505, CVE-2016-2507, CVE-2016-2508, CVE-2016-3741, CVE-2016-3742, CVE-2016-3743 | Critical | Yes
Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2108 | Critical | Yes
Remote code execution vulnerability in Bluetooth | CVE-2016-3744 | High | Yes
Elevation of privilege vulnerability in libpng | CVE-2016-3751 | High | Yes
Elevation of privilege vulnerability in Mediaserver | CVE-2016-3745, CVE-2016-3746, CVE-2016-3747 | High | Yes
Elevation of privilege vulnerability in sockets | CVE-2016-3748 | High | Yes
Elevation of privilege vulnerability in LockSettingsService | CVE-2016-3749 | High | Yes
Elevation of privilege vulnerability in Framework APIs | CVE-2016-3750 | High | Yes
Elevation of privilege vulnerability in ChooserTarget service | CVE-2016-3752 | High | Yes
Information disclosure vulnerability in Mediaserver | CVE-2016-3753 | High | No*
Information disclosure vulnerability in OpenSSL | CVE-2016-2107 | High | No*
Denial of service vulnerability in Mediaserver | CVE-2016-3754, CVE-2016-3755, CVE-2016-3756 | High | Yes
Denial of service vulnerability in libc | CVE-2016-3818 | High | No*
Elevation of privilege vulnerability in lsof | CVE-2016-3757 | Moderate | Yes
Elevation of privilege vulnerability in DexClassLoader | CVE-2016-3758 | Moderate | Yes
Elevation of privilege vulnerability in Framework APIs | CVE-2016-3759 | Moderate | Yes
Elevation of privilege vulnerability in Bluetooth | CVE-2016-3760 | Moderate | Yes
Elevation of privilege vulnerability in NFC | CVE-2016-3761 | Moderate | Yes
Elevation of privilege vulnerability in sockets | CVE-2016-3762 | Moderate | Yes
Information disclosure vulnerability in Proxy Auto-Config | CVE-2016-3763 | Moderate | Yes
Information disclosure vulnerability in Mediaserver | CVE-2016-3764, CVE-2016-3765 | Moderate | Yes
Denial of service vulnerability in Mediaserver | CVE-2016-3766 | Moderate | Yes

But wait, there's more

So far, so Google. The patch bundle is in line with other monthly patching packages from the Chocolate Factory. If you have a Google Nexus device, you'll get your hands on these fixes soon enough over the air automatically. If not, you may well have to wait a while for your device manufacturer and mobile carrier to push these updates to you – if they ever appear.

Meanwhile, Google is issuing a second, device-specific set of patches that isn't meant for every handset: it goes out over the air to Nexus owners and is handed to hardware manufacturers, who are expected to pass the relevant fixes on to their customers.

This second set is a much larger tranche of code, covering 75 CVEs: 12 rated critical, 54 rated high, and nine moderate. Google said the split will "provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices."

What could this subset of vulnerabilities be? The list of fixes contains some interesting hints. Last week, security researcher Gal Beniamini showed how to defeat Android's full-disk encryption on Qualcomm-based devices: the disk key is derived from the user's passcode and a KeyMaster signing key that lives in Qualcomm's TrustZone environment, but that key was protected by software rather than locked to hardware, so code execution inside TrustZone lets an attacker pull it out. Someone who has seized your device can then run the passcode brute force offline, unconstrained by the device's retry delays or wipe-after-N-attempts policy.

Google and Qualcomm said the TrustZone bugs used in the attack were fixed in patches issued in January and May, and Mountain View paid Beniamini a bug bounty for his find. But the researcher pointed out that the key derivation remains only as strong as the TrustZone software guarding it: any future flaw that gets an attacker code execution in that environment, particularly elevation-of-privilege bugs in the kernel and driver layers that lead there, could be used to break the encryption again.
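To make the point concrete, here is an added toy model of the pre-Nougat Android full-disk-encryption key chain, written for this page rather than taken from Android's cryptfs source or from Beniamini's write-up. Android derives an intermediate key from the passcode with scrypt, has KeyMaster sign it with an RSA key that should only be usable inside TrustZone, runs scrypt again, and uses the result to unwrap the AES master key. The model keeps that structure but assumes, for brevity, an HMAC under a 32-byte "device key" in place of the RSA signature, XOR in place of AES-CBC key wrapping, and a much lower scrypt cost than the real parameters; all keys and the salt are constructed on the spot. What it shows is the asymmetry the article describes: with the device key still in hardware a guess can only be checked on the device, whereas once that key is extracted every four-digit PIN can be tried offline in seconds.

```python
import hashlib
import hmac
import itertools
import os

# Added toy model of Android's pre-Nougat full-disk-encryption key chain (not
# Android's cryptfs code). Real devices compute:
#   IK1 = scrypt(passcode, salt)
#   IK2 = KeyMaster_sign(IK1)      # RSA key usable only inside TrustZone
#   IK3 = scrypt(IK2, salt)        # key + IV that unwrap the AES master key
# Assumptions for this demo: the KeyMaster signature is replaced by an HMAC
# under a "device key", the master key is wrapped by XOR instead of AES-CBC,
# and scrypt cost is lowered (Android uses N=2^15, r=3, p=1).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 8, 8, 1

# Constructed demo secrets; on a real device neither should ever leave the SoC.
DEVICE_KEY = hashlib.sha256(b"demo keymaster key, constructed").digest()
MASTER_KEY = hashlib.sha256(b"demo disk master key, constructed").digest()


def scrypt32(data: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def keymaster_sign(device_key: bytes, ik1: bytes) -> bytes:
    """Stand-in for the KeyMaster signing step. Whoever holds device_key can
    run this anywhere; that is exactly what extracting the key buys an attacker."""
    return hmac.new(device_key, ik1, hashlib.sha256).digest()


def derive_kek(passcode: str, salt: bytes, device_key: bytes) -> bytes:
    ik1 = scrypt32(passcode.encode(), salt)
    ik2 = keymaster_sign(device_key, ik1)
    return scrypt32(ik2, salt)


def xor_wrap(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def make_crypto_footer(passcode: str, master_key: bytes, device_key: bytes) -> dict:
    """Mimics what vold stores at provisioning: salt, wrapped master key and a
    scrypt check value used to recognise a correct unwrap."""
    salt = os.urandom(16)
    kek = derive_kek(passcode, salt, device_key)
    return {
        "salt": salt,
        "wrapped_key": xor_wrap(master_key, kek),
        "check": scrypt32(master_key, salt),
    }


def try_unlock(footer: dict, passcode: str, device_key: bytes):
    """Returns the master key if passcode and device_key are both right, else None."""
    kek = derive_kek(passcode, footer["salt"], device_key)
    candidate = xor_wrap(footer["wrapped_key"], kek)
    if hmac.compare_digest(scrypt32(candidate, footer["salt"]), footer["check"]):
        return candidate
    return None


def offline_bruteforce(footer: dict, leaked_device_key: bytes, digits: int = 4):
    """The attacker's position once the KeyMaster key has left TrustZone: every
    PIN guess is checked off-device, with no retry delay and no wipe counter.
    Returns (pin, master_key) or (None, None)."""
    for tup in itertools.product("0123456789", repeat=digits):
        pin = "".join(tup)
        master_key = try_unlock(footer, pin, leaked_device_key)
        if master_key is not None:
            return pin, master_key
    return None, None


if __name__ == "__main__":
    footer = make_crypto_footer("0451", MASTER_KEY, DEVICE_KEY)
    # Without the device key the derivation cannot even be attempted offline.
    assert try_unlock(footer, "0451", b"\x00" * 32) is None
    pin, recovered = offline_bruteforce(footer, DEVICE_KEY)
    print("recovered PIN:", pin, "master key ok:", recovered == MASTER_KEY)
```

The lesson is the one Beniamini drew: once the device-bound step can be computed off the device, the encryption is only as strong as the passcode, and a short PIN falls in moments. Restoring the intended guarantee needs a key that is fused into hardware and never exposed to software, plus hardware-enforced rate limiting on the unlock path.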

So it's interesting that this secondary bundle includes fixes for 42 CVEs in Qualcomm components (three critical, 36 high, three moderate), more than half of the 75 in the bundle, and 39 of them are elevation-of-privilege holes. If you were emitting a set of fixes to shore up devices against KeyMaster-based attacks, it would probably look a lot like this one.

The first two critical patches on the list are for the Qualcomm GPU drivers in Nexus 5X, 6, and 6P, fixing elevation-of-privilege vulnerabilities that would allow a malicious local app to "execute arbitrary code within the context of the kernel." A third critical Qualcomm fix covers a performance component (CVE-2016-3768) with the same impact, and the remaining Qualcomm entries in the release are 36 high- and three moderate-severity flaws.

All Nexus devices get a critical patch for an elevation-of-privilege vulnerability in the kernel file system that would have the same effect. Nexus 5 and 7 devices also get a batch of high-severity fixes for previously disclosed security vulnerabilities in Qualcomm components, including the bootloader, camera, character, networking, sound, and video drivers.

There are also six critical patches for MediaTek drivers used in Android One handsets, Google's low-cost device programme. They fix a flaw in the MediaTek Wi-Fi driver and five others in the supplier's kit that would let a local malicious app take over the kernel: a permanent compromise that may require reflashing the operating system to recover.

The full list is below. ®

Issue | CVE | Severity | Affects Nexus?
Elevation of privilege vulnerability in Qualcomm GPU driver (Device specific) | CVE-2016-2503, CVE-2016-2067 | Critical | Yes
Elevation of privilege vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3767 | Critical | Yes
Elevation of privilege vulnerability in Qualcomm performance component (Device specific) | CVE-2016-3768 | Critical | Yes
Elevation of privilege vulnerability in NVIDIA video driver (Device specific) | CVE-2016-3769 | Critical | Yes
Elevation of privilege vulnerability in MediaTek drivers (Device specific) | CVE-2016-3770, CVE-2016-3771, CVE-2016-3772, CVE-2016-3773, CVE-2016-3774 | Critical | Yes
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3775 | Critical | Yes
Elevation of privilege vulnerability in USB driver (Device specific) | CVE-2015-8816 | Critical | Yes
Elevation of privilege vulnerability in Qualcomm components (Device specific) | CVE-2014-9794, CVE-2014-9795, CVE-2015-8892, CVE-2013-7457, CVE-2014-9781, CVE-2014-9786, CVE-2014-9788, CVE-2014-9779, CVE-2014-9780, CVE-2014-9789, CVE-2014-9793, CVE-2014-9782, CVE-2014-9783, CVE-2014-9785, CVE-2014-9787, CVE-2014-9784, CVE-2014-9777, CVE-2014-9778, CVE-2014-9790, CVE-2014-9792, CVE-2014-9797, CVE-2014-9791, CVE-2014-9796, CVE-2014-9800, CVE-2014-9799, CVE-2014-9801, CVE-2014-9802, CVE-2015-8891, CVE-2015-8888, CVE-2015-8889, CVE-2015-8890 | High | Yes
Elevation of privilege vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-2502 | High | Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3792 | High | Yes
Elevation of privilege vulnerability in Qualcomm camera driver (Device specific) | CVE-2016-2501 | High | Yes
Elevation of privilege vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3793, CVE-2016-3794 | High | Yes
Elevation of privilege vulnerability in MediaTek power driver (Device specific) | CVE-2016-3795, CVE-2016-3796 | High | Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (Device specific) | CVE-2016-3797 | High | Yes
Elevation of privilege vulnerability in MediaTek hardware sensor driver (Device specific) | CVE-2016-3798 | High | Yes
Elevation of privilege vulnerability in MediaTek video driver (Device specific) | CVE-2016-3799, CVE-2016-3800 | High | Yes
Elevation of privilege vulnerability in MediaTek GPS driver (Device specific) | CVE-2016-3801 | High | Yes
Elevation of privilege vulnerability in kernel file system (Device specific) | CVE-2016-3802, CVE-2016-3803 | High | Yes
Elevation of privilege vulnerability in MediaTek power management driver (Device specific) | CVE-2016-3804, CVE-2016-3805 | High | Yes
Elevation of privilege vulnerability in MediaTek display driver (Device specific) | CVE-2016-3806 | High | Yes
Elevation of privilege vulnerability in serial peripheral interface driver (Device specific) | CVE-2016-3807, CVE-2016-3808 | High | Yes
Elevation of privilege vulnerability in Qualcomm sound driver (Device specific) | CVE-2016-2068 | High | Yes
Elevation of privilege vulnerability in kernel (Device specific) | CVE-2014-9803 | High | Yes
Information disclosure vulnerability in networking component (Device specific) | CVE-2016-3809 | High | Yes
Information disclosure vulnerability in MediaTek Wi-Fi driver (Device specific) | CVE-2016-3810 | High | Yes
Elevation of privilege vulnerability in kernel video driver (Device specific) | CVE-2016-3811 | Moderate | Yes
Information disclosure vulnerability in MediaTek video codec driver (Device specific) | CVE-2016-3812 | Moderate | Yes
Information disclosure vulnerability in Qualcomm USB driver (Device specific) | CVE-2016-3813 | Moderate | Yes
Information disclosure vulnerability in NVIDIA camera driver (Device specific) | CVE-2016-3814, CVE-2016-3815 | Moderate | Yes
Information disclosure vulnerability in MediaTek display driver (Device specific) | CVE-2016-3816 | Moderate | Yes
Information disclosure vulnerability in kernel teletype driver (Device specific) | CVE-2016-0723 | Moderate | Yes
Denial of service vulnerability in Qualcomm bootloader (Device specific) | CVE-2014-9798, CVE-2015-8893 | Moderate | Yes

Biting the hand that feeds IT © 1998–2018