Android Security Bulletin Tackles Additional Critical Mediaserver Issues

Google released their security bulletin for May, which once again tackles Critical vulnerabilities in Android’s Mediaserver component, a prevailing theme for the past few bulletins. Google Pixel and Nexus users can get over-the-air (OTA) updates for their devices, while service providers and manufacturers of Android OEM devices will be responsible for distributing the updates to non-native Android users.

Mediaserver is the system service in Android’s operating system that handles media processing, including media playback, recording and analysis. A large number of the component’s vulnerabilities can be attributed to the decoder’s complications in dealing with buffers—which also make the discovery of these vulnerabilities difficult. We were able to discover and disclose two of these vulnerabilities: CVE-2017-0587 and CVE-2017-0590. CVE-2017-0590 is the remaining vulnerability from the H.265-related vulnerabilities we disclosed last month, while CVE-2017-0587 is a new vulnerability that involves the MPEG2 video format. These vulnerabilities are exploited when a specially crafted file–such as an MPEG2 video—causes memory corruption during the media file and data processing. This vulnerability is particularly dangerous because it can potentially give attackers the ability to execute code from a remote location. These two vulnerabilities share the same problem of buffer range handle when decoding malformed formats, which is similar to the Mediaserver issues from the past Android security bulletins.

Here is the complete list of Critical remote code execution vulnerabilities relating to Mediaserver:

• CVE-2017-0587

• CVE-2017-0588

• CVE-2017-0589

• CVE-2017-0590

• CVE-2017-0591

• CVE-2017-0592

We also discovered three more vulnerabilities in Mediaserver, this time involving denial-of-service (DOS) attacks. CVE-2017-0599 and CVE-2017-0600 are linked to issues with the H.263 decoder. Exploiting these vulnerabilities allows attackers to perform a denial-of-service attack from a remote location using using a specially crafted file to cause device stoppages or reboots. We also disclosed CVE-2017-0635, another DOS vulnerability categorized with a lower severity compared to the previous two vulnerabilities.

In addition to the vulnerabilities included in Android’s Security Bulletin, we also disclosed a vulnerability (CVE-2017-8246) to Qualcomm Innovation Center, Inc. (QuIC). This vulnerability was found in the Advanced Linux Sound Architecture (ALSA) System on Chip (ASoC) architecture used by chip vendors to develop drivers for their sound codecs. Attackers exploiting this vulnerability will expose the kernel to compromise, which means they will be able to gain root privilege on the target’s device. The ASoC driver in Android kernel is notable for being a completely vulnerable but often overlooked attack surface.

The other Critical vulnerabilities included in the bulletin:

CVE-2015-7555: A remote code execution vulnerability that exists in GIFLIB that could enable an attacker to use a specially crafted file to cause memory corruption during media file and data processing.

CVE-2016-10274: An elevation of privilege vulnerability in the MediaTek touchscreen driver that could enable attackers to use local malicious application to execute arbitrary code within the context of the kernel.

CVE-2016-10275, CVE-2016-10276: An elevation of privilege vulnerability in the Qualcomm bootloader that could enable attackers to use a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2016-9794: An elevation of privilege vulnerability in the kernel sound subsystem that could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2016-10277: An elevation of privilege vulnerability in the Motorola bootloader that could enable a local malicious application to execute arbitrary code within the context of the bootloader.

CVE-2017-0331: An elevation of privilege vulnerability in the Nvidia video driver that could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0604: An elevation of privilege vulnerability in the kernel Qualcomm power driver that could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0605: An elevation of privilege vulnerability in the kernel trace subsystem that could enable a local malicious application to execute arbitrary code within the context of the kernel.