February 2016 Android Nexus Security Bulletin

Google today patched Nexus devices in an over-the-air update against a critical vulnerability that could be exploited by an attacker on the same Wi-Fi network.

The patch addresses multiple vulnerabilities in the Broadcom Wi-Fi driver that could be abused to allow for remote code execution. The patches were pushed out in builds LMY49G or later to Nexus devices and shared on Jan. 4 with carrier and manufacturer partners. The fixes are expected to be released to the Android Open Source Project in the next two days.

Google said it is unaware of public attacks against any of the vulnerabilities patched in today’s Android Security Bulletin.

The Wi-Fi vulnerabilities can be exploited by sending a malicious wireless control message packet. The packets could corrupt kernel memory and expose an Android device to remote code execution at the kernel level.

“These vulnerabilities can be triggered when the attacker and the victim are associated with the same network,” Google said in its advisory. “This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.”

The flaws, CVE-2016-0801 and CVE-2016-0802, were privately disclosed Oct. 25 by the Broadgate Team, Google said.

As has become customary with the monthly Android patch release, Google has again patched critical vulnerabilities in Mediaserver. Flaws in the software were at the crux of last summer’s Stagefright vulnerabilities and exploits and continues to be a soft spot.

Mediaserver can be attacked via multiple means, most effectively via remote content such as MMS files or browser playback of media files. The service can access audio streams as well, and is granted privileges that other apps do not have, Google said.

“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said in its advisory.

The flaw, CVE-2016-0803 and CVE-2016-0804, were separately disclosed in October and November. A separate elevation of privilege flaw was also found and patched in Mediaserver and could be exploited to gain Signature or SignatureOrSystem privileges, Google said.

Today’s bulletin also patches two critical vulnerabilities in Qualcomm components, the Qualcomm Performance Module and the Qualcomm Wi-Fi Driver, both of which allow for elevation of privilege for an attacker and can be leveraged to launch further attacks.

The Qualcomm performance event manager component for ARM processors can be exploited using a local application to run code at the kernel level. Google said “permanent device compromise” is possible, requiring firmware to be re-flashed in order to patch the operating system.

The Qualcomm Wi-Fi driver, meanwhile, can be attacked using a local application to run code at the kernel level as well. Both bugs were disclosed in November.

The final critically rated vulnerability was patched in the Debuggerd component and opens the door to the phone being rooted. Debuggerd is a tool used to debug and analyze Android crashes. The flaw, CVE-2016-0807, was found internally, Google said.

Today’s bulletin also patches an elevation of privilege flaw in the Android Wi-Fi component, a denial-of-service flaw in the Minikin library, and an information disclosure vulnerability in libmediaplayerservice—all of which were rated High severity—and factory reset protection bypass vulnerabilities in the Setup Wizard.