CVSS2 base score: 10 (High)
Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS: 0.956 (High), percentile 99.4%
We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY48I or later address these issues. Partners were notified about these issues on June 25, 2015 or earlier.
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities can be successfully exploited on Android.
We would like to thank these researchers for their contributions:
*Wish is also our very first Android Security Rewards recipient!
There are several potential integer overflows in libstagefright that could occur during MP4 atom processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access. Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-1538 | ANDROID-20139950 [2] | Critical | 5.1 and below |
There is a potential integer underflow in libstagefright that could occur during ESDS atom processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access. Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-1539 | ANDROID-20139950 | Critical | 5.1 and below |
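
The integer overflow and integer underflow classes named in the two libstagefright entries above (MP4 atom and ESDS atom processing), shown beside their checked forms. This is an added C example, not code from libstagefright or the bulletin; the atom layout, the `tabl` type and every function name are hypothetical.

```c
/* Added illustration of the bug class; not libstagefright code.
 * The atom layout, the "tabl" type and all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define ATOM_HEADER 8u   /* 32-bit big-endian size + 4-byte type */
#define ENTRY_SIZE  12u  /* hypothetical fixed-size table entry */

/* Weak forms: 32-bit arithmetic wraps silently. A huge count yields a
 * tiny byte size, and a declared size below the header yields ~4 GiB. */
static uint32_t table_bytes_unchecked(uint32_t count) {
    return count * ENTRY_SIZE;
}
static uint32_t payload_len_unchecked(uint32_t atom_size) {
    return atom_size - ATOM_HEADER;
}

/* Hardened forms: return -1 instead of a wrapped value. */
static int64_t table_bytes_checked(uint32_t count) {
    if (count > UINT32_MAX / ENTRY_SIZE) return -1;  /* product would wrap */
    return (int64_t)count * ENTRY_SIZE;
}
static int64_t payload_len_checked(uint32_t atom_size, uint32_t available) {
    if (atom_size < ATOM_HEADER) return -1;  /* subtraction would underflow */
    if (atom_size > available) return -1;    /* claims more than was read */
    return (int64_t)atom_size - ATOM_HEADER;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate a whole atom before anything is allocated or copied.
 * Returns the entry count, or -1 if the atom must be rejected. */
static int64_t validate_table_atom(const uint8_t *buf, uint32_t len) {
    if (len < ATOM_HEADER) return -1;
    int64_t payload = payload_len_checked(be32(buf), len);
    if (payload < 4) return -1;              /* no room for the count field */
    uint32_t count = be32(buf + ATOM_HEADER);
    int64_t bytes = table_bytes_checked(count);
    if (bytes < 0 || bytes > payload - 4) return -1;
    return (int64_t)count;
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t SAMPLE_GOOD[24] = {0,0,0,24, 't','a','b','l', 0,0,0,1, 1,2,3,4,5,6,7,8,9,10,11,12};
static const uint8_t SAMPLE_WRAP[24] = {0,0,0,24, 't','a','b','l', 0x15,0x55,0x55,0x56};
static const uint8_t SAMPLE_SHORT[8] = {0,0,0,4, 't','a','b','l'};

int main(void) {
    printf("wrapped product=%u wrapped length=%u\n",
           table_bytes_unchecked(0x15555556u), payload_len_unchecked(4));
    printf("good=%lld wrap=%lld short=%lld\n",
           (long long)validate_table_atom(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           (long long)validate_table_atom(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           (long long)validate_table_atom(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

In `SAMPLE_WRAP` the unchecked product is 8 bytes, which would pass a naive "fits in the payload" test; only the checked multiply rejects it.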
There is a potential integer overflow in libstagefright that could occur during MPEG4 tx3g data processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3824 | ANDROID-20923261 | Critical | 5.1 and below |
There is a potential integer underflow in libstagefright that could occur during MPEG4 data processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3827 | ANDROID-20923261 | Critical | 5.1 and below |
There is a potential integer underflow in libstagefright that could occur during 3GPP data processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access. Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3828 | ANDROID-20923261 | Critical | 5.0 and above |
There is a potential integer overflow in libstagefright that could occur during MPEG4 covr data processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access. Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3829 | ANDROID-20923261 | Critical | 5.0 and above |
There is a potential buffer overflow in Sonivox that could occur during XMF data processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access. Note that under our previous severity rating guidelines, this was rated as a High severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3836 | ANDROID-21132860 | Critical | 5.1 and below |
There are several buffer overflows in libstagefright that could occur during MP4 processing, leading to memory corruption and potentially remote code execution as the mediaserver process.
The affected functionality is provided as an application API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
This issue is rated as a Critical severity due to the possibility of remote code execution as the privileged mediaserver service. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
Initially this issue was reported as a local exploit (not remotely accessible). Note that under our previous severity rating guidelines, this was rated as a Moderate severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a Critical severity issue.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3832 | ANDROID-19641538 | Critical | 5.1 and below |
There is a potential buffer overflow in BpMediaHTTPConnection when processing data provided by another application, leading to memory corruption and potentially code execution as the mediaserver process.
The affected functionality is provided as an application API. We don’t believe the issue is remotely exploitable.
This issue is rated as a High severity due to the possibility of code execution as the privileged mediaserver service, from a local application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3831 | ANDROID-19400722 | High | 5.0 and 5.1 |
There is a potential buffer overflow that could occur in reading IDAT data within the png_read_IDAT_data() function in libpng, leading to memory corruption and potentially remote code execution within an application using this method.
The affected functionality is provided as an application API. There may be applications that allow it to be reached with remote content, most notably messaging applications and browsers.
This issue is rated as a High severity due to the possibility of remote code execution as an unprivileged application.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-0973 | ANDROID-19499430 | High | 5.1 and below |
When wpa_supplicant is operating in WLAN Direct mode, it’s vulnerable to potential remote code execution due to an overflow in the p2p_add_device() method. Successful exploitation could result in code execution as the ‘wifi’ user in Android.
There are several mitigations that can affect successful exploitation of this issue:
- WLAN Direct is not enabled by default on most Android devices
- Exploitation requires an attacker to be locally proximate (within WiFi range)
- The wpa_supplicant process runs as the ‘wifi’ user which has limited access to the system
- Remote exploitation is mitigated by ASLR on Android 4.1 and later devices
- The wpa_supplicant process is tightly constrained by SELinux policy on Android 5.0 and greater
This issue is rated as High severity due to the possibility of remote code execution. While the ‘wifi’ service does have capabilities that are not normally accessible to 3rd party apps which could rate this as Critical, we believe the limited capabilities and level of mitigation warrant decreasing the severity to High.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-1863 | ANDROID-20076874 | High | 5.1 and below |
A malicious local application can send an Intent which, when deserialized by the receiving application, can decrement a value at an arbitrary memory address, leading to memory corruption and potentially code execution within the receiving application.
This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3837 | ANDROID-21437603 | High | 5.1 and below |
There is a potential integer overflow in libstagefright when processing data provided by another application, leading to memory (heap) corruption and potentially code execution as the mediaserver process.
This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
Note that under our previous severity rating guidelines, this was rated as a Moderate severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a High severity vulnerability.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3834 | ANDROID-20222489 | High | 5.1 and below |
There is a potential buffer overflow in libstagefright when processing data provided by another application, leading to memory corruption and potentially code execution as the mediaserver process.
This issue is rated as High severity because it can be used to gain privileges not accessible to a third-party application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
Note that under our previous severity rating guidelines, this was rated as a Moderate severity vulnerability and was reported to partners as such. Under our new guidelines, published in June 2015, it is a High severity vulnerability.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3835 | ANDROID-20634516 [2] | High | 5.1 and below |
There is a heap overflow in mediaserver’s Audio Policy Service that could allow a local application to execute arbitrary code in mediaserver’s process.
The affected functionality is provided as an application API. We don’t believe the issue is remotely exploitable.
This issue is rated as a High severity due to the possibility of code execution as the privileged mediaserver service, from a local application. While mediaserver is guarded with SELinux, it does have access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3842 | ANDROID-21953516 | High | 5.1 and below |
There is a vulnerability in the SIM Toolkit (STK) framework that could allow apps to intercept or emulate certain STK SIM commands to Android’s Telephony subsystem.
This issue is rated as High severity because it could allow an unprivileged app to access capabilities or data normally protected by a “signature” or “system” level permission.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3843 | ANDROID-21697171 [2, 3, 4] | High | 5.1 and below |
An integer overflow in Bitmap_createFromParcel() could allow an app to either crash the system_server process or read memory data from system_server.
This issue is rated as Moderate severity due to the possibility of leaking sensitive data from the system_server process to an unprivileged local process. While this type of vulnerability would normally be rated as High severity, the severity has been reduced because the data that is leaked in a successful attack cannot be controlled by the attacking process and the consequence of an unsuccessful attack is to render the device temporarily unusable (requiring a reboot).
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-1536 | ANDROID-19666945 | Moderate | 5.1 and below |
There is a vulnerability in AppWidgetServiceImpl in the Settings app that allows an app to grant itself a URI permission by specifying FLAG_GRANT_READ/WRITE_URI_PERMISSION. For example, this could be exploited to read contact data without the READ_CONTACTS permission.
This is rated as a Moderate severity vulnerability because it can allow a local app to access data normally protected by permissions with a “dangerous” protection level.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-1541 | ANDROID-19618745 | Moderate | 5.1 |
A local application can reliably determine the foreground application, circumventing the getRecentTasks() restriction introduced in Android 5.0.
This is rated as a Moderate severity vulnerability because it can allow a local app to access data normally protected by permissions with a “dangerous” protection level.
We believe this vulnerability was first described publicly on Stack Overflow.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3833 | ANDROID-20034603 | Moderate | 5.0 and 5.1 |
ActivityManager’s getProcessRecordLocked() method doesn’t properly verify that an application’s process name matches the corresponding package name. In some cases, this can allow ActivityManager to load the wrong process for certain tasks.
The implications are that an app can prevent Settings from being loaded or inject parameters for Settings fragments. We don’t believe that this vulnerability can be used to execute arbitrary code as the “system” user.
While the ability to access capabilities normally only accessible to “system” would be rated as a High severity, we rated this one as a Moderate due to the limited level of access granted by the vulnerability.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3844 | ANDROID-21669445 | Moderate | 5.1 and below |
An integer underflow during parsing of 3GPP data can result in a read operation overrunning a buffer, causing mediaserver to crash.
This issue was originally rated as a High severity and was reported to partners as such, but after further investigation it has been downgraded to Low severity as the impact is limited to crashing mediaserver.
CVE | Bug(s) with AOSP links | Severity | Affected versions |
---|---|---|---|
CVE-2015-3826 | ANDROID-20923261 | Low | 5.0 and 5.1 |