CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
EPSS: 0.972 High (Percentile 99.8%)
Stagefright is the media playback service for Android, introduced in Android 2.2 (Froyo). Stagefright in versions of Android prior to 5.1.1_r9 may contain multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device.
According to a Zimperium zLabs blog post, Android’s Stagefright engine contains multiple vulnerabilities, including several integer overflows, allowing a remote attacker to access files or possibly execute code on the device. This vulnerability may at least partially affect all versions of Android starting from 2.2 (Froyo) and prior to 5.1.1_r9 (Lollipop).
An attacker with a victim’s cell phone number may send maliciously crafted multimedia messages (MMS) which may be improperly parsed by the Stagefright tool. Other attack vectors include client-side (web browsers, downloads, email), physically adjacent (NFC, Bluetooth, VCards), physical (SD cards, USB on-the-go, USB Media Transfer Protocol and Picture Transfer Protocol), Gallery, and possibly others not yet identified.
According to Ars Technica, “successful exploits at the very least provide direct access to a phone’s audio and camera feeds and to the external storage … many older phones grant elevated system privileges to Stagefright code, a design that could allow attackers access to many more device resources.”
On 2015-09-09, Zimperium released an update to its previous information on these vulnerabilities, including proof of concept code, patches, a video demonstrating the exploit, and an Android app that detects the vulnerability.
The vulnerabilities include:
1. CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution
2. CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution
3. CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution
4. CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution
5. CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution
6. CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution
7. CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread
8. CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution
9. CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution
10. CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution
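To make the integer-overflow class behind the MP4 atom entries above concrete, here is an added example (not code from this note, nor from Android's Stagefright source) that contrasts a length check computed in 32-bit arithmetic, which wraps, with one that divides instead of multiplies and so cannot wrap. It assumes the standard 'stsc' atom layout (4-byte version/flags, 4-byte entry_count, 12-byte entries); the two sample atom bodies are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Big-endian 32-bit read, the byte order MP4 atom fields use. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Assumed 'stsc' body layout: 1 byte version + 3 bytes flags,
 * 4-byte entry_count, then entry_count entries of 12 bytes each. */
#define STSC_HEADER 8u
#define STSC_ENTRY  12u

/* Vulnerable pattern: the bound is computed in 32 bits, so a large
 * entry_count wraps the product, the check passes, and a parser that
 * trusts it would then read far past the atom. */
bool stsc_check_unsafe(const uint8_t *body, uint32_t body_len) {
    if (body_len < STSC_HEADER) return false;
    uint32_t count  = be32(body + 4);
    uint32_t needed = STSC_HEADER + count * STSC_ENTRY; /* may wrap */
    return body_len >= needed;
}

/* Hardened form: derive the maximum entry count from the bytes actually
 * present (division cannot overflow) and compare counts, not products. */
bool stsc_check_safe(const uint8_t *body, uint32_t body_len) {
    if (body_len < STSC_HEADER) return false;
    uint32_t count       = be32(body + 4);
    uint32_t max_entries = (body_len - STSC_HEADER) / STSC_ENTRY;
    return count <= max_entries;
}

/* Constructed 20-byte body (room for exactly one entry) whose entry_count
 * claims 0x15555556 entries: 0x15555556 * 12 = 0x100000008 wraps to 8,
 * so the unsafe check sees 8 + 8 = 16 <= 20 and accepts it. */
static const uint8_t kBadStsc[20] = {
    0x00, 0x00, 0x00, 0x00,          /* version + flags */
    0x15, 0x55, 0x55, 0x56,          /* entry_count (wraps the product) */
    0,0,0,1, 0,0,0,1, 0,0,0,1        /* the single real entry */
};
/* Constructed well-formed body: entry_count = 1, one entry present. */
static const uint8_t kGoodStsc[20] = {
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01,
    0,0,0,1, 0,0,0,1, 0,0,0,1
};

int main(void) { /* exit 0 when the unsafe check is fooled and the safe one is not */
    return (stsc_check_unsafe(kBadStsc, 20) && !stsc_check_safe(kBadStsc, 20)) ? 0 : 1;
}
```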
Zimperium has also released a second round of Stagefright vulnerabilities on 2015-10-01. Processing specially crafted MP3 or MP4 files can lead to arbitrary code execution.
In the November 2015 Security Bulletin, Google announced that fixes for the Stagefright 2.0 vulnerabilities would soon be applied to the Android Open Source Project (AOSP) code.
A remote attacker may be able to execute code on the Android device.
Apply an update
The Android Open Source Project (AOSP) has released Android 5.1.1_r9 to address the original issues. The newer “Stagefright 2.0” issues have been addressed in Nexus build LMY48K or later, or Android Marshmallow with Security Patch Level of November 1, 2015 or later.
Partial fixes are available for Nexus (now being pushed over the air), Samsung and HTC phones (AT&T has pushed this over the air).
In the US, cell phone carriers largely control the updating process. The update may or may not be available for your phone. Contact your cell phone carrier or manufacturer for update information.
Note that in the aftermath of the original disclosure, it has been determined that the original patches fail to completely resolve the original vulnerability. CVE-2015-3864 has been assigned by Google to identify the issue identified in a blog post by Exodus Intelligence, and updates are to be available as previously described.
Alternatively, the MMS attack vector of this vulnerability may be mitigated by the following workarounds:
Block all text messages from unknown senders
Blocking all text messages from unknown senders in your default text message handling app may mitigate this issue.
Turn off “Auto Retrieve” for multimedia messages
If your default text messaging app does not allow blocking of senders, you may also disable the auto retrieve feature for multimedia messages. This may prevent the autoloading of MMS content into Stagefright.
924951
Updated: July 28, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: August 15, 2015
Affected
We have not received a statement from the vendor.
HTC is providing patches for some model phones, see the references below.
Updated: January 08, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: August 07, 2015
Affected
We have not received a statement from the vendor.
Samsung has released an update:
Group | Score | Vector |
---|---|---|
Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Temporal | 4.7 | E:POC/RL:W/RC:UR |
Environmental | 3.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Joshua Drake at Zimperium’s zLabs for working with Google to develop patches and publicly disclose these vulnerabilities. Thanks to Jordan Gruskovnjak and Aaron Portnov of Exodus Intelligence for identifying and disclosing the issues with the original patches.
This document was written by Garret Wassermann.
CVE IDs: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3864, CVE-2015-6602
Date Public: 2015-07-21
Date First Published:
arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
source.android.com/devices/media.html
www.droid-life.com/2015/09/10/download-lmy48m-ota-updates-for-nexus-devices/
www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/
www.htc.com/us/support/htc-one-m8-att/news/
www.theregister.co.uk/2015/08/17/botched_google_stagefright_fix_wont_be_resolved_until_september/
www.zdnet.com/article/stagefright-just-how-scary-is-it-for-android-users/
android.googlesource.com/platform/frameworks/av/+/030d8d0%5E!/
android.googlesource.com/platform/frameworks/av/+/0e4e5a8%5E!/
android.googlesource.com/platform/frameworks/av/+/5c134e6%5E!/
blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/
blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/
blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
blog.zimperium.com/zimperium-zlabs-is-raising-the-volume-new-vulnerability-processing-mp3mp4-media/
developers.google.com/android/nexus/images
developers.google.com/android/nexus/images?hl=en
groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E
twitter.com/zimperium/status/629057085544660992
www.duosecurity.com/blog/exploit-mitigations-in-android-jelly-bean-4-1