Published June 06, 2016 | Updated June 08, 2016
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware images have also been released to the Google Developer site. Security Patch Levels of June 01, 2016 or later address these issues. Refer to the Nexus documentation to learn how to check the security patch level.
Partners were notified about the issues described in the bulletin on May 02, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository.
The most severe issue is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Service Mitigations section for details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.
We encourage all customers to accept these updates to their devices.
Android and Google Service Mitigations
This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
- Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
- The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
- As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.
Acknowledgements
We would like to thank these researchers for their contributions:
- Di Shen (@returnsme) of KeenLab (@keen_lab), Tencent: CVE-2016-2468
- Gal Beniamini (@laginimaineb): CVE-2016-2476
- Gengjia Chen (@chengjia4574), pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-2492
- Hao Chen, Guang Gong, and Wenlin Yang of Mobile Safe Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-2470, CVE-2016-2471, CVE-2016-2472, CVE-2016-2473, CVE-2016-2498
- Iwo Banas: CVE-2016-2496
- Jianqiang Zhao(@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-2490, CVE-2016-2491
- Lee Campbell of Google: CVE-2016-2500
- Maciej Szawłowski of the Google Security Team: CVE-2016-2474
- Marco Nelissen and Max Spector of Google: CVE-2016-2487
- Mark Brand of Google Project Zero: CVE-2016-2494
- Mingjian Zhou (@Mingjian_Zhou), Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team: CVE-2016-2477, CVE-2016-2478, CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484, CVE-2016-2485, CVE-2016-2486
- Scott Bauer (@ScottyBauer1): CVE-2016-2066, CVE-2016-2061, CVE-2016-2465, CVE-2016-2469, CVE-2016-2489
- Vasily Vasilev: CVE-2016-2463
- Weichao Sun (@sunblate) of Alibaba Inc.: CVE-2016-2495
- Xiling Gong of Tencent Security Platform Department: CVE-2016-2499
- Zach Riggle (@ebeip90) of the Android Security Team: CVE-2016-2493
Security Vulnerability Details
In the sections below, we provide details for each of the security vulnerabilitiesi that apply to the 2016-06-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated Android bug, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the AOSP change that addressed the issue to the bug ID. When multiple changes relate to a single bug, additional AOSP references are linked to numbers following the bug ID.
Remote Code Execution Vulnerability in Mediaserver
A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.
The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2463 | 27855419 | Critical | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 25, 2016 |
Remote Code Execution Vulnerabilities in libwebm
Remote code execution vulnerabilities with libwebm could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. The Mediaserver process has access to audio and video streams, as well as access to privileges that third-party apps could not normally access.
The affected functionality is provided as a core part of the operating system, and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2464 | 23167726 [2] | Critical | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |
Elevation of Privilege Vulnerability in Qualcomm Video Driver
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2465 | 27407865* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Feb 21, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm Sound Driver
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2466 | 27947307* | Critical | Nexus 6 | Feb 27, 2016 |
| CVE-2016-2467 | 28029010* | Critical | Nexus 5 | Mar 13, 2014 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm GPU Driver
An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2468 | 27475454* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 | Mar 2, 2016 |
| CVE-2016-2062 | 27364029* | Critical | Nexus 5X, Nexus 6P | Mar 6, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2474 | 27424603* | Critical | Nexus 5X | Google Internal |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to invoke system calls changing the device settings and behavior without the privileges to do so. This issue is rated as High because it could be used to gain local access to elevated capabilities.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2475 | 26425765* | High | Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, Pixel C | Jan 6, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm Sound Driver
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2066 | 26876409* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Jan 29, 2016 |
| CVE-2016-2469 | 27531992* | High | Nexus 5, Nexus 6, Nexus 6P | Mar 4, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Mediaserver
An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2476 | 27207275 [2] [3] [4] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Feb 11, 2016 |
| CVE-2016-2477 | 27251096 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Feb 17, 2016 |
| CVE-2016-2478 | 27475409 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 3, 2016 |
| CVE-2016-2479 | 27532282 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2480 | 27532721 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2481 | 27532497 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 6, 2016 |
| CVE-2016-2482 | 27661749 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 14, 2016 |
| CVE-2016-2483 | 27662502 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 14, 2016 |
| CVE-2016-2484 | 27793163 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2485 | 27793367 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2486 | 27793371 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 22, 2016 |
| CVE-2016-2487 | 27833616 [2] [3] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |
Elevation of Privilege Vulnerability in Qualcomm Camera Driver
An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2061 | 27207747* | High | Nexus 5X, Nexus 6P | Feb 15, 2016 |
| CVE-2016-2488 | 27600832* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013) | Google Internal |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm Video Driver
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2489 | 27407629* | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Feb 21, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in NVIDIA Camera Driver
An elevation of privilege vulnerability in the NVIDIA camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service to call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2490 | 27533373* | High | Nexus 9 | Mar 6, 2016 |
| CVE-2016-2491 | 27556408* | High | Nexus 9 | Mar 8, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service that can call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2470 | 27662174* | High | Nexus 7 (2013) | Mar 13, 2016 |
| CVE-2016-2471 | 27773913* | High | Nexus 7 (2013) | Mar 19, 2016 |
| CVE-2016-2472 | 27776888* | High | Nexus 7 (2013) | Mar 20, 2016 |
| CVE-2016-2473 | 27777501* | High | Nexus 7 (2013) | Mar 20, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in MediaTek Power Management Driver
An elevation of privilege in the MediaTek power management driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising the device and an elevation to root to call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2492 | 28085410* | High | Android One | Apr 7, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Elevation of Privilege Vulnerability in SD Card Emulation Layer
An elevation of privilege vulnerability in the SD Card userspace emulation layer could enable a local malicious application to execute arbitrary code within the context of an elevated system application. This issue is rated as High because it could be used to gain local access to elevated capabilities, such as Signature or SignatureOrSystem permissions privileges, which are not accessible to a third-party application.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2494 | 28085658 | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Apr 7, 2016 |
Elevation of Privilege Vulnerability in Broadcom Wi-Fi Driver
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a service to call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2493 | 26571522* | High | Nexus 5, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus Player, Pixel C | Google Internal |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Remote Denial of Service Vulnerability in Mediaserver
A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2495 | 28076789 [2] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Apr 6, 2016 |
Elevation of Privilege Vulnerability in Framework UI
An elevation of privilege vulnerability in the Framework UI permission dialog window could enable an attacker to gain access to unauthorized files in private storage. This issue is rated as Moderate because it could be used to improperly gain "dangerous" permissions.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2496 | 26677796 [2] [3] | Moderate | All Nexus | 6.0, 6.1 | May 26, 2015 |
Information Disclosure Vulnerability in Qualcomm Wi-Fi Driver
An information disclosure in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a service that can call the driver.
| CVE | Android bugs | Severity | Updated Nexus devices | Date reported |
|---|---|---|---|---|
| CVE-2016-2498 | 27777162* | Moderate | Nexus 7 (2013) | Mar 20, 2016 |
* The patch for this issue is not in AOSP. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
Information Disclosure Vulnerability in Mediaserver
An information disclosure vulnerability in Mediaserver could allow an application to access sensitive information. This issue is rated as Moderate because it could be used to access data without permission.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2499 | 27855172 | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1 | Mar 24, 2016 |
Information Disclosure Vulnerability in Activity Manager
An information disclosure vulnerability in the Activity Manager component could allow an application to access sensitive information. This issue is rated Moderate because it could be used to access data without permission.
| CVE | Android bugs | Severity | Updated Nexus devices | Updated AOSP versions | Date reported |
|---|---|---|---|---|---|
| CVE-2016-2500 | 19285814 | Moderate | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1 | Google Internal |
Common Questions and Answers
This section answers common questions that may occur after reading this bulletin.
1. How do I determine if my device is updated to address these issues?
Security Patch Levels of June 01, 2016 or later address these issues (refer to the Nexus documentation for instructions on how to check the security patch level). Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-06-01]
2. How do I determine which Nexus devices are affected by each issue?
In the Security Vulnerability Details section, each table has an Updated Nexus devices column that covers the range of affected Nexus devices updated for each issue. This column has a few options:
- All Nexus devices: If an issue affects all Nexus devices, the table will have “All Nexus” in the Updated Nexus devices column. “All Nexus” encapsulates the following supported devices: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One, Nexus Player, and Pixel C.
- Some Nexus devices: If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the Updated Nexus devices column.
- No Nexus devices: If no Nexus devices are affected by the issue, the table will have “None” in the Updated Nexus devices column.
Revisions
- June 06, 2016: Bulletin published.
- June 07, 2016:
- Bulletin revised to include AOSP links.
- CVE-2016-2496 removed from bulletin.
- June 08, 2016: CVE-2016-2496 added back to bulletin.