Vulnerability Note VU#924951
Android Stagefright contains multiple vulnerabilities
Stagefright is the media playback service for Android, introduced in Android 2.2 (Froyo). Stagefright in versions of Android prior to 5.1.1_r9 may contain multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device.
According to a Zimperium zLabs blog post, Android's Stagefright engine contains multiple vulnerabilities, including several integer overflows, allowing a remote attacker to access files or possibly execute code on the device. This vulnerability may at least partially affect all versions of Android starting from 2.2 (Froyo) and prior to 5.1.1_r9 (Lollipop).
An attacker with a victim's cell phone number may send maliciously crafted multimedia messages (MMS) which may be improperly parsed by the Stagefright tool. Other attack vectors include client-side (web browsers, downloads, email), physically adjacent (NFC, Bluetooth, VCards), physical (SD cards, USB on-the-go, USB Media Transfer Protocol and Picture Transfer Protocol), Gallery, and possibly others not yet identified.
In the November 2015 Security Bulletin, Google announced fixes for the Stagefright 2.0 vulnerabilities will soon be applied to the Android Open Source Project (AOSP) code.
Address Space Layout Randomization (ASLR) appears to partially mitigate this issue; Forbes reports that Android before 4.1 (Jelly Bean) have "inadequate exploit mitigations." ASLR was introduced in Android 4.0 and fully enabled in Android 4.1.
A remote attacker may be able to execute code on the Android device.
Apply an update
Block all text messages from unknown senders
If your default text messaging app does not allow blocking of senders, you may also disable the auto retrieve feature for multimedia messages. This may prevent the autoloading of MMS content into Stagefright.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Amazon||Affected||-||28 Jul 2015|
|Barnes and Noble||Affected||-||28 Jul 2015|
|Affected||-||28 Jul 2015|
|HTC||Affected||-||15 Aug 2015|
|Huawei Technologies||Affected||-||28 Jul 2015|
|Kyocera Communications||Affected||-||28 Jul 2015|
|LG Electronics||Affected||-||28 Jul 2015|
|Motorola, Inc.||Affected||-||28 Jul 2015|
|Mozilla||Affected||-||08 Jan 2016|
|Samsung Mobile||Affected||-||07 Aug 2015|
|Sony Corporation||Affected||-||28 Jul 2015|
CVSS Metrics (Learn More)
Thanks to Joshua Drake at Zimperium’s zLabs for working with Google to develop patches and publicly disclose these vulnerabilities. Thanks to Jordan Gruskovnjak and Aaron Portnov of Exodus Intelligence for identifying and disclosing the issues with the original patches.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-1538 CVE-2015-1539 CVE-2015-3824 CVE-2015-3826 CVE-2015-3827 CVE-2015-3828 CVE-2015-3829 CVE-2015-3864 CVE-2015-6602
- Date Public: 21 Jul 2015
- Date First Published: 28 Jul 2015
- Date Last Updated: 08 Jan 2016
- Document Revision: 126
If you have feedback, comments, or additional information about this vulnerability, please send us email.