Vulnerability in Android Operating System - Stagefright

Number: AL15-012
Date: 31 July 2015

Purpose

The purpose of this alert is to bring attention to a recently discovered vulnerability in the Android operating system that exists in the Stagefright media engine.

Assessment

CCIRC is aware of a vulnerability in the Android operating system's Stagefright framework that, when exploited, allows remote code execution. Depending on the configuration of the affected device set by the manufacturer, arbitrary code can be run on an exploited device with media or system level privileges. This vulnerability exists in Android versions 2.2 to 5.1.1_r5.

The Stagefright framework is used as a media playback engine for the operating system, and may also be leveraged by third-party applications whose developers chose to use the framework.

An attacker can exploit this vulnerability by delivering a specially crafted media file to an application utilizing the Stagefright framework. Classes of applications especially susceptible as exploit vectors include messaging (including pre-installed Android applications: Hangouts, Messages, Messenger) and web browsers. In messaging applications, the enabling of automatic fetching of MMS (multimedia messaging service) messages may be sufficient for system exploitation without requiring user action.

CVE References: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829

Suggested action

CCIRC recommends that systems administrators identify affected products in their environment and follow their patch management process accordingly as updates become available. This applies to Android operating system updates, as well as applications that leverage the Stagefright framework.
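One way to carry out the identification step above against a device inventory export, as an added example that is not part of the CCIRC alert. The CSV layout, device names and the "review" bucket are assumptions; only the affected-range bounds (2.2 to 5.1.1_r5) come from the alert, and "not_listed" means outside that stated range, nothing more.

```python
import csv
import io
import re

# Affected range as stated in the alert: Android 2.2 through 5.1.1_r5.
FIRST_AFFECTED = (2, 2, 0)
LAST_AFFECTED = (5, 1, 1)
LAST_AFFECTED_REV = 5
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_r(\d+))?$")


def classify(version_text):
    """Return 'affected', 'not_listed' (outside the alert's range) or 'review'."""
    m = VERSION_RE.match(version_text.strip())
    if not m:
        return "review"  # codename or vendor string: check by hand
    major, minor, patch, rev = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    if release < FIRST_AFFECTED or release > LAST_AFFECTED:
        return "not_listed"
    if release == LAST_AFFECTED:
        if rev is None:
            return "review"  # 5.1.1 with no _rN: upper bound undecidable
        return "affected" if int(rev) <= LAST_AFFECTED_REV else "not_listed"
    return "affected"


def triage(inventory_csv):
    """Group device IDs from CSV text with device_id,android_version columns."""
    groups = {"affected": [], "not_listed": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[classify(row["android_version"])].append(row["device_id"])
    return groups


# Constructed sample inventory; device IDs and versions are made up.
SAMPLE_INVENTORY = """device_id,android_version
phone-001,4.4.2
phone-002,5.1.1_r5
phone-003,5.1.1_r9
tablet-004,2.1
tablet-005,5.1.1
phone-006,6.0
phone-007,KitKat
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices in the "review" bucket report a version string that cannot be placed against the range and should be checked individually.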

When possible, users should disable automatic fetching of MMS messages. Instructions for some of the popular messaging applications can be found in the references below, under “Avast! Blog: Big Brother(s) Could be Watching You Thanks to Stagefright.” Note that while this workaround will help prevent automatic exploitation of this vulnerability without user action, the device is still vulnerable should a user open a specially crafted media file manually.

Users should be aware of this vulnerability and be vigilant before opening any unsolicited or suspicious media files received on their devices.

References

CERT: Vulnerability Note VU#924951
http://www.kb.cert.org/vuls/id/924951

Zimperium: Experts Found a Unicorn in the Heart of Android
http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Avast! Blog: Big Brother(s) Could be Watching You Thanks to Stagefright
https://blog.avast.com/2015/07/29/big-brothers-could-be-watching-you-thanks-to-stagefright/

Ars Technica: 950 million Android phones can be hijacked by malicious text messages
http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
