Stagefright (security vulnerability)

from Wikipedia, the free encyclopedia

Stagefright (English for "stage fright") refers to several security vulnerabilities, made public in July 2015, in the multimedia framework of the same name in Google's Android operating system.

Affected devices

The Stagefright framework has been used as the standard library for processing multimedia files since Android version 2.3. Android versions 2.2 up to version 5.1.1 are affected by the vulnerabilities in the framework. According to estimates, 95% of all Android devices in use at the time were affected, which corresponds to 950 million devices. According to another source, around 1 billion Android devices were sold in 2014 alone, all of which shipped with a vulnerable version.

Since Android 4.0, the protection mechanism Address Space Layout Randomization (ASLR) has been built in, which makes the vulnerability harder to exploit but does not completely prevent exploitation.

Discovery

The vulnerabilities were discovered by Joshua Drake of the IT security company Zimperium zLabs, reported to Google in April and May, and disclosed to the public on July 27, 2015.

The Stagefright gaps have the CVE numbers

On September 9, 2015, Zimperium published an exploit that uses the CVE-2015-1538 vulnerability.

Impact

A specially prepared multimedia file, such as an MP4 video, can crash the multimedia framework. The resulting buffer overflow in heap memory (heap overflow) can then be used to execute malicious code.

As a result, audio or video recordings, for example, can be made on the affected Android device without any action by the user. The Android device can thus be misused as a listening device. The attacker would also have access to the media gallery and the Bluetooth interface. The attack itself can take place by sending an MMS or Hangouts message, via a messenger, using apps, e-mails, USB, Bluetooth, vCard, SD card, NFC or visiting a prepared website.

In the case of MMS, sending such a message is sufficient for a successful attack as long as automatic downloading is not switched off on the recipient's side. Since the Stagefright framework processes a file as soon as it is received, the automatic download of a sent file is sufficient in other cases as well to compromise a device without user intervention, i.e. the file does not need to be opened and played back explicitly.

Adrian Ludwig, head of security for Android at Google, announced in a lecture at a security conference in February 2017 that there are no known confirmed cases in which the Stagefright vulnerability has actually been exploited on users' devices.

Protective measures

As a countermeasure, turning off the automatic reception of MMS is recommended. In "Hangouts", the "Automatic MMS download" option, or in the SMS/MMS app the option to get messages automatically, must be deactivated. If other communication apps offer the possibility, the automatic retrieval of files should also be deactivated for these. Only a new, corrected Android version (also known as firmware) offers complete protection.

Many devices with the alternative Android firmware CyanogenMod (CM) with CM versions 11.0, 12.0 and beta version 12.1 were supplied with a secured nightly software version on July 14, 2015. Whether an Android device also receives an officially corrected version of the operating system depends on the respective maintainer.

Android devices with original firmware depend on the willingness of the respective manufacturer or provider to supply updates. Many devices receive the latest Android versions very late or not at all (see the article on the availability of current versions for existing Android devices).

An app from the discoverer of the vulnerability is available in the Google Play store, with which the local device can be safely tested for the vulnerability.

New security holes

August 2015

On August 13, 2015, it became known that one of the bug fixes published by Google at the beginning of August (see Reactions) does not completely close the CVE-2015-3824 vulnerability. This means that millions of devices remain vulnerable to at least one of the Stagefright security vulnerabilities. The new Stagefright vulnerability has been assigned the CVE number CVE-2015-3864. The revised patch was released by Google on September 9, 2015 for its Android 5.1.1-based Nexus devices, with the exception of the first Nexus 7.

The new vulnerability was closed in the source code of CyanogenMod versions CM 10.1 to 12.1 on August 13, 2015. A nightly version that corrects the faulty patch is available for Android devices with version CM 12.1 and some devices with CM 11.0 and 12.0. At the end of August 2015 a stable version was released for the CyanogenMod versions CM 11.0 to 12.1, which closes all Stagefright vulnerabilities known up to then.

October 2015

On October 1, 2015, Joshua Drake from Zimperium reported two more critical security vulnerabilities in the Stagefright library that affect all Android versions. The security vulnerabilities with the CVE numbers CVE-2015-3876 and CVE-2015-6602, also known as Stagefright 2.0, were fixed by Google on October 5, 2015 in the Android version for the in-house Nexus devices.

Subsequent months

Google's change logs for the monthly security updates published in November and December 2015 show that other security vulnerabilities classified as critical existed in the Stagefright library and have been closed. Some of the holes also affect Android version 6.0 (Marshmallow), which was released in October 2015.

Reactions

In response, Deutsche Telekom temporarily deactivated automatic MMS reception in its network.

The manufacturers Acer, Google, Fairphone, HTC, Huawei, Lenovo, LG, Motorola, Samsung and Sony stated that they want to close the vulnerabilities for some of their Android devices by means of a system update.

On August 5, 2015, Google released the first security updates for its Android 5.1.1-based Nexus devices (with the exception of the first Nexus 7 generation from 2012). Further Stagefright security holes for these devices were closed by Google updates on September 9th and October 5th, 2015.

For versions CM 11 to 12.1 of the alternative Android firmware CyanogenMod, a stable version was released at the end of August 2015, after the Stagefright vulnerabilities had already been closed in some nightly build versions.

As a further measure, Google, LG and Samsung have announced that they will be distributing monthly security updates for their current devices in the future.

As part of the development of Android 7 Nougat, which was released in August 2016, Google revised and hardened the multimedia framework to better protect it from being compromised.
