
Vulnerability of Android: privilege escalation via Serialization

Synthesis of the vulnerability 

A local attacker, or a malicious application, can use serialization on Android OS in order to escalate privileges.
Impacted systems: Android Applications ~ not comprehensive, ArcGIS for Desktop, Android OS, Unix (platform) ~ not comprehensive.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 12/08/2015.
References of this alert: CVE-2015-2000, CVE-2015-2001, CVE-2015-2002, CVE-2015-2003, CVE-2015-2004, CVE-2015-2020, CVE-2015-3825-REJECT, CVE-2015-3837, VIGILANCE-VUL-17645.

Description of the vulnerability 

A Java class can:
 - be serializable, and
 - contain a finalize method, and
 - contain an attacker-controlled field

In this case, an attacker can change the attribute's value in a serialized object, and thus inject code which is run by the finalize() method when the Android garbage collector collects the deserialized object.

There are several Java classes with the three required characteristics:
 - the OpenSSLX509Certificate class of Android OS (CVE-2015-3825, CVE-2015-3837)
 - classes from the SDK Jumio (CVE-2015-2000), used by applications built with this SDK
 - classes from the SDK MetaIO (CVE-2015-2001), used by applications built with this SDK
 - classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by applications built with this SDK
 - classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by applications built with this SDK
 - classes from the SDK MyScript (CVE-2015-2020), used by applications built with this SDK
 - classes from the SDK esri ArcGis (CVE-2015-2002), used by applications built with this SDK

A local attacker, or a malicious application, can thus use serialization on Android OS in order to escalate privileges.
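The following Java program is an added example (not Vigil@nce's, Android's or any listed SDK's code) that shows the three-characteristic pattern described above next to two defences: a hardened class whose native handle is transient and which refuses deserialization, and an ObjectInputStream subclass that only resolves allow-listed classes. All names (UnsafeHolder, SafeHolder, AllowListInputStream, nativeAlloc, nativeFree) are hypothetical, and the native layer is simulated with a handle registry so the program runs without JNI.

```java
import java.io.*;
import java.util.*;

// Added example, not code from the bulletin. The "native" layer below is simulated:
// a registry of live handles stands in for real JNI objects.
public class SerializationFinalizeDemo {

    static final Set<Long> liveHandles = new HashSet<>();
    static final List<String> freeLog = new ArrayList<>();

    static long nativeAlloc() {
        long h = 0x1000L + liveHandles.size();
        liveHandles.add(h);
        return h;
    }

    static void nativeFree(long h) {
        // In a real native library, freeing a handle that was never allocated (or
        // freeing it twice) is memory corruption; here it is only recorded.
        freeLog.add(liveHandles.remove(h) ? "freed valid handle " + h
                                          : "FREE OF FOREIGN OR ALREADY-FREED HANDLE " + h);
    }

    // The pattern the bulletin describes: Serializable, has finalize(), and holds a
    // field that a serialized stream populates. Field initializers do not run on
    // deserialization, so the handle value comes entirely from the stream.
    static class UnsafeHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        long handle = nativeAlloc();
        @Override protected void finalize() { nativeFree(handle); }
    }

    // Hardened variant: the handle is transient (never written to or read from a
    // stream), deserialization is refused outright, and finalize() only frees a
    // handle that is actually live.
    static class SafeHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient long handle = nativeAlloc();
        private void readObject(ObjectInputStream in) throws InvalidObjectException {
            throw new InvalidObjectException("SafeHolder must not be deserialized");
        }
        @Override protected void finalize() {
            if (handle != 0 && liveHandles.contains(handle)) nativeFree(handle);
        }
    }

    // Application-side control: only allow-listed classes are resolved, so a class
    // chosen by the sender is never instantiated and its finalize() never scheduled.
    static class AllowListInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "class not allowed in this stream");
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // 1. Plain round trip of the unsafe class: the copy carries the original's
        //    handle, so when both are finalized nativeFree() runs twice on one handle.
        byte[] stream = serialize(new UnsafeHolder());
        UnsafeHolder copy = (UnsafeHolder)
                new ObjectInputStream(new ByteArrayInputStream(stream)).readObject();
        System.out.println("deserialized copy shares a live handle: " + liveHandles.contains(copy.handle));

        // 2. The hardened class refuses deserialization before any field is populated.
        try {
            new ObjectInputStream(new ByteArrayInputStream(serialize(new SafeHolder()))).readObject();
        } catch (InvalidObjectException e) {
            System.out.println("SafeHolder: " + e.getMessage());
        }

        // 3. The allow-list stream rejects the unsafe class by name before instantiating it.
        try {
            new AllowListInputStream(new ByteArrayInputStream(stream),
                    Collections.singleton("java.lang.String")).readObject();
        } catch (InvalidClassException e) {
            System.out.println("allow-list: " + e.getMessage());
        }
    }
}
```

The first step only shows why a deserialized copy is dangerous: the garbage collector will eventually call finalize() on an object whose field it did not allocate. The two defences are independent: the class-level fix (transient handle, readObject that throws) protects every consumer of the class, while the allow-listing stream protects an application even when a third-party SDK class cannot be changed.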

This computer vulnerability bulletin impacts software or systems such as Android Applications ~ not comprehensive, ArcGIS for Desktop, Android OS, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is confirmed by the editor, with an attack origin of user account.

This bulletin is about 8 vulnerabilities.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Android OS: patch for Serialization.
A patch is available:
  Android 4.4: commit ID b9d6334acde7460502face82417de40e438a3f4
  Android 5.0, 5.1: commit ID de55e62f6c7ecd57d0a91f2b497885c3bdc661d3

Android SDK: solution for Serialization.
The solution is to update the following SDK:
 - Jumio
 - MetaIO
 - PJSIP PJSUA2
 - GraceNote GNSDK
 - MyScript
 - esri ArcGis
Then, dependent applications have to be recompiled, and reinstalled.

SWIG: version 3.0.7.
Version 3.0.7 is fixed:
  http://www.swig.org/
Then, dependent applications have to be recompiled, and reinstalled.
