Hot topics within this week for sure that is the technical bugs found on Android. Sounds horrible! There are two patches is waiting for vendor to release however the patch release date is unknown.From users point of view, should we wait for the security patches or we should take the pre-emptive action?
Technical bugs information background:
CVE-2016-2059 found in Qualcomm kernel module
Description: The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.
CVE-2016-5340 presented in Qualcomm GPU driver
The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.
What’s your risk?
1. The bigger risk right now are the users using non official OS version. In the sense that the jailbreak version is risky now!
2. Visits unknown website through email phishing or open unknown attachment are at risk.
In regards to these bugs, how attacker compromised your phone?
Found that engaged this so called high risk cyber attack must fulfill the following requirements.
i. Have root privileges on your Android phone.
ii. Relies on shared Memory (ashmem)
Category of attack Attack:
Category 1: How to receive root access premisson through privileges escaltion
Found the msm_ipc_router_bind_control_port() function does not check access privileges. An attacker can use the IPC Router of the CAF Linux kernel for MSM, in order to escalate his privileges.
Category 2: Relies on Shared memory (ashmem) design limitation
Android is designed to be used for resource limited embedded hardware. In order to maximize the memory resources. A system entity so called ashmem (anonymous shared memory) located at $AOSP/system/core which take care of the memory resources utilization. The operation of ashmem as simple as handling generic Linux file descriptor and . A file entry was created in the /dev/ashmem/. From technical point of view, it looks like a memory swap file of each process. However Ashmem allows processes which are not related by ancestry to share memory maps by name, which are cleaned up automatically.
Should we wait or we should take preemptive action?
Since CVE-2016-2059 and CVE-2016-5340 are the design limitation. It looks that the appropriate way is re-engineering the whole OS memory function. I speculated that may be this is the reason causes patch release date is unknown. As such, in the meantime Android users should take pre-emptive action (see below).
1. Do not jailbreak your android phone. If yes, the better idea is install the official OS version.
2. Verify your phone applications. Be aware the communication media software like WeCHAT, Whatsapp, Skype,…etc shall install updated version of software.
3. Avoid to visit online game zone and pornography web site.
4. Think it over before you open unknown email message
5. Think it over before your open unknown file attachment
For more details about these vulnerabilities. Please review below url for reference.
Status update on 11th Aug 2016
Sound strange! Found that the remediation and mitigation solution released by CodeAurora on Jul 2016. For instance CVE-2016-5340 (Invalid access to ashmem area in cases where someone deliberately set the dentry name to /ashmem)
Validate ashmem memory with fops pointer
Validate the ashmem memory entry against f_op pointer
rather then comparing its name with path of the dentry.
This is to avoid any invalid access to ashmem area in cases
where some one deliberately set the dentry name to /ashmem.
It looks that the solution is available. In the meantime mobile phone users need to wait for the next action of their mobile phone vendor.