The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Google Android OS: multiple vulnerabilities

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of Google Android OS.
Vulnerable products: Android OS.
Severity of this weakness: 4/4.
Number of vulnerabilities in this bulletin: 36.
Creation date: 05/04/2016.
Références of this bulletin: 706, 711, CERTFR-2016-AVI-113, CVE-2016-0834, CVE-2016-0835, CVE-2016-0836, CVE-2016-0837, CVE-2016-0838, CVE-2016-0839, CVE-2016-0840, CVE-2016-0841, CVE-2016-0842, CVE-2016-0843, CVE-2016-0844, CVE-2016-0846, CVE-2016-0847, CVE-2016-0848, CVE-2016-0849, CVE-2016-0850, CVE-2016-1503, CVE-2016-2409, CVE-2016-2410, CVE-2016-2411, CVE-2016-2412, CVE-2016-2413, CVE-2016-2414, CVE-2016-2415, CVE-2016-2416, CVE-2016-2417, CVE-2016-2418, CVE-2016-2419, CVE-2016-2420, CVE-2016-2421, CVE-2016-2422, CVE-2016-2423, CVE-2016-2424, CVE-2016-2425, CVE-2016-2426, CVE-2016-2427, VIGILANCE-VUL-19302.

Description of the vulnerability 

Several vulnerabilities were announced in Google Android OS.

An attacker can use a vulnerability in DHCPCD, in order to run code. [severity:4/4; CVE-2016-1503]

An attacker can use a vulnerability in Media Codec, in order to run code. [severity:4/4; CVE-2016-0834]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0835]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0836]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0837]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0838]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0839]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0840]

An attacker can use a vulnerability in Mediaserver, in order to run code. [severity:4/4; CVE-2016-0841]

An attacker can use a vulnerability in libstagefright, in order to run code. [severity:4/4; CVE-2016-0842]

An attacker can bypass security features in Qualcomm Performance Module, in order to escalate his privileges. [severity:4/4; CVE-2016-0843]

An attacker can bypass security features in Qualcomm RF Component, in order to escalate his privileges. [severity:4/4; CVE-2016-0844]

An attacker can bypass security features in IMemory Native Interface, in order to escalate his privileges. [severity:3/4; CVE-2016-0846]

An attacker can bypass security features in Telecom Component, in order to escalate his privileges. [severity:3/4; CVE-2016-0847]

An attacker can bypass security features in Download Manager, in order to escalate his privileges. [severity:3/4; CVE-2016-0848]

An attacker can bypass security features in Recovery Procedure, in order to escalate his privileges. [severity:3/4; CVE-2016-0849]

An attacker can bypass security features in Bluetooth, in order to escalate his privileges. [severity:3/4; CVE-2016-0850]

An attacker can bypass security features in Texas Instruments Haptic Driver, in order to escalate his privileges. [severity:3/4; CVE-2016-2409]

An attacker can bypass security features in Video Kernel Driver, in order to escalate his privileges. [severity:3/4; CVE-2016-2410]

An attacker can bypass security features in Qualcomm Power Management Component, in order to escalate his privileges. [severity:3/4; CVE-2016-2411]

An attacker can bypass security features in System_server, in order to escalate his privileges. [severity:3/4; CVE-2016-2412]

An attacker can bypass security features in Mediaserver, in order to escalate his privileges. [severity:3/4; CVE-2016-2413]

An attacker can trigger a fatal error in Minikin, in order to trigger a denial of service. [severity:2/4; CVE-2016-2414]

An attacker can bypass security features in Exchange ActiveSync, in order to obtain sensitive information. [severity:3/4; CVE-2016-2415]

An attacker can bypass security features in Mediaserver, in order to obtain sensitive information. [severity:3/4; CVE-2016-2416]

An attacker can bypass security features in Mediaserver, in order to obtain sensitive information. [severity:3/4; CVE-2016-2417]

An attacker can bypass security features in Mediaserver, in order to obtain sensitive information. [severity:3/4; CVE-2016-2418]

An attacker can bypass security features in Mediaserver, in order to obtain sensitive information. [severity:3/4; CVE-2016-2419]

An attacker can bypass security features in Debuggerd Component, in order to escalate his privileges. [severity:2/4; CVE-2016-2420]

An attacker can bypass security features in Setup Wizard, in order to escalate his privileges. [severity:2/4; CVE-2016-2421]

An attacker can bypass security features in Wi-Fi, in order to escalate his privileges. [severity:2/4; CVE-2016-2422]

An attacker can bypass security features in Telephony, in order to escalate his privileges. [severity:2/4; CVE-2016-2423]

An attacker can trigger a fatal error in SyncStorageEngine, in order to trigger a denial of service. [severity:2/4; CVE-2016-2424]

An attacker can bypass security features in AOSP Mail, in order to obtain sensitive information. [severity:2/4; CVE-2016-2425]

An attacker can bypass security features in Framework, in order to obtain sensitive information. [severity:2/4; CVE-2016-2426]

An attacker can bypass security features in BouncyCastle, in order to obtain sensitive information. [severity:2/4; CVE-2016-2427]
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security threat impacts software or systems such as Android OS.

Our Vigil@nce team determined that the severity of this computer weakness note is critical.

The trust level is of type confirmed by the editor, with an origin of document.

This bulletin is about 36 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a beginner ability can exploit this computer threat alert.

Solutions for this threat 

Google Android OS: Security Patch Level 02/04/2016.
A patch is available:
  https://developers.google.com/android/nexus/images
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a networks vulnerabilities alert. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.