Dell IoT top 5 security best practices

Yesterday, after a recent security event of theirs, Dell announced some IoT security best practice guidance for organizations. Excerpt:

1) Put Security First:
Be vigilant and ensure data is secured and encrypted from the data center or the cloud to the endpoint and everything in between. Dell advocates a holistic approach to security that includes looking at endpoint security, network security, identity and access management, and more. Be aware of the data device vendors collect. If they are collecting data on all of their customers, this consolidated data set may be a very attractive target for hackers.

2) Research the Devices:
Evaluate the IoT devices accessing and planning to access the system. Understand what they do, what data they collect and communicate, who owns the data collected from the device, where the data is being collected, and any vulnerability assessments or certifications the devices have.

3) Audit the Network:
It is critical to understand the impact of IoT on network traffic in the current ‘as-is’ state. Do an audit to understand what is currently accessing the system, when, what it does when it sees data, and what it communicates to and where. This will enable an organization to reassess its network performance and identify any changes on an ongoing basis as additional devices are knowingly or unknowingly added or removed.

4) Compartmentalize Traffic:
Employ a ‘no-trust’ policy when it comes to IoT devices. Ensure they are on a separate network segment or virtual LAN (VLAN) so they are not able to access or interfere with critical corporate data.

5) Educate Everyone:
IoT is the ‘Wild West’ and will continue to evolve and change rapidly over the coming months and years. As such, it will be critical to ensure IT, security and network teams educate themselves about the latest devices, standards, and issues. Be prepared for consolidation and emerging standards, but understand today, little of that exists as some devices have weak or no security.

Full announcement:

http://www.dell.com/learn/us/en/uscorp1/press-releases/2015-09-01-dell-shares-best-practices-for-internet?c=us&l=en&s=corp&ref=rss&delphi:gr=true

http://www.dellpeakperformance.com/

fwupd and Linux Vendor Firmware Service

I haven’t been covering LVFS and fwupd much. Luckily, Michael Larabel of Phoronix.com has been doing a good job. Richard Hughes has built a Firmware Update for GNOME-based Linux systems. Excerpting from some of Richard’s posts, including his asking for help getting word out to vendors to support it:

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It’s designed for desktops, but this project is also usable on phones, tablets and on headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly.

I’ve spent the last couple of months talking with various Red Hat partners and other OpenHardware vendors that produce firmware updates. These include most of the laptop vendors that you know and love, along with a few more companies making very specialized hardware. We’ve now got a process, fwupd, that is capable of taking the packaged update and applying it to the hardware using various forms of upload mechanism. We’ve got a specification, AppStream, which is used to describe the updates and provide metadata for what firmware updates are available to be installed. What we were missing was to “close the circle” and provide a web service for small and medium size vendors to use to upload new firmware and make it available to Linux users. Microsoft already provides such a thing for vendors to use, and it’s part of the Microsoft Update service. From the vendors I’ve talked to, the majority don’t want to run any tools on their firmware to generate metadata. Most of them don’t even want to commit to hosting the metadata or firmware files in the same place forever, and with a couple of exceptions actually like the Microsoft Update model. I’ve created a simple web service that’s being called Linux Vendor Firmware Service (perhaps not the final name). You can see the site in action here, although it’s not terribly useful or exciting if you’re not a hardware vendor. If you are a vendor that produces firmware and want an access key for the beta site, please let me know. All firmware uploaded will be transferred to the final site, although I’m still waiting to hear back from Red Hat legal about a longer version of the redistribution agreement.

Over the last couple of months I’ve been emailing various tech companies trying to get hold of the right people to implement this. So far the reaction from companies has been enthusiastic and apathetic in equal measures. I’ve had a few vendors testing the process, but I can’t share those names just yet as most companies have been testing with unreleased hardware. This is where you come in. On your Linux computer right now, think about what hardware you own that works in Linux that you know has user-flashable firmware? What about your BIOS, your mouse, or your USB3 hub? Your network card, your RAID card, or your video card? Things I want you to do:

* Find the vendor on the internet, and either raise a support case or send an email. Try and find a technical contact, not just some sales or marketing person
* Tell the vendor that you would like firmware updates when using Linux, and that you’re not able to update the firmware booting to Windows or OS-X
* Tell the vendor that you’re more likely to buy from them again if firmware updates work on Linux
* Inform the vendor about the LVFS project : https://beta-lvfs.rhcloud.com/

At all times I need you to be polite and courteous, after all we’re asking the vendor to spend time (money) on doing something extra for a small fraction of their userbase. Ignoring one email from me is easy, but getting tens or hundreds of support tickets about the same issue is a great way to get an issue escalated up to the people that can actually make changes. So please, spend 15 minutes opening a support ticket or sending an email to a vendor now.

If you know of any vendors, please try to help Richard out with his above request. I hope Richard has contacts at the USB and UEFI trade groups, to directly get word out to their member-vendors.

http://www.fwupd.org/
https://beta-lvfs.rhcloud.com/
https://github.com/hughsie/fwupd
http://www.freedesktop.org/software/appstream/docs/

Linux Vendor Firmware Service: We Need Your Help

Introducing the Linux Vendor Firmware Service

Embargoed firmware updates in LVFS

http://www.phoronix.com/scan.php?page=news_item&px=Linux-LVFS-Embargoed
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S
http://www.phoronix.com/scan.php?page=news_item&px=linux-lvfs-embargoed

insecure baby monitors

Rapid7 did an IoT security study of baby monitors, that’s currently being covered by the Verge and a lot of other news sites today.

The results were abysmal. Eight of the nine cameras received a failing F, while the other received a D. The security failures included a number of known vulnerabilities, including transmitting video and sending data to servers without encryption. Many of the connected devices also had built-in passwords that could be guessed (or worse, published) by the attacker, a long-standing concern in embedded devices.

http://www.theverge.com/2015/9/2/9241661/baby-monitors-vulnerable-hacking-patch-zero-day
https://www.rapid7.com/resources/iot/index.jsp


tool: hackers-grep

https://github.com/codypierce/hackers-grep

Cody Pierce released a new PE tool recently:

“hackers-grep is a utility to search for strings in PE executables including imports, exports, and debug symbols.”

UEFI also uses the Terse Executable (TE) format, a stripped-down variant of the PE image format. If hackers-grep doesn’t work today with UEFI TE images, it should only need a small patch.

UBU-Helpers is a tool that currently searches for strings in UEFI binaries, but hackers-grep additionally has symbol support.

Tool review: UBU-helpers
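To make the PE-versus-TE point concrete, here is an added example (my own code, not hackers-grep or UBU-Helpers) that parses the section table of either format and greps section data for a string. The only TE-specific logic is the raw-pointer fix-up: a TE header keeps the original PE’s PointerToRawData values, so each one has to be shifted by StrippedSize minus the 40-byte TE header before it can be used as a file offset. The two sample images are constructed inside the script, not real binaries; the header layouts follow the PE/COFF and EFI_TE_IMAGE_HEADER definitions.

```python
import struct
from dataclasses import dataclass

# EFI_TE_IMAGE_HEADER (40 bytes): Signature "VZ", Machine, NumberOfSections,
# Subsystem, StrippedSize, AddressOfEntryPoint, BaseOfCode, ImageBase,
# DataDirectory[2] (RVA/size pairs for base relocations and debug).
TE_HEADER_FMT = "<HHBBHIIQIIII"
TE_HEADER_SIZE = struct.calcsize(TE_HEADER_FMT)   # 40
# IMAGE_FILE_HEADER (COFF header, 20 bytes) and IMAGE_SECTION_HEADER (40 bytes)
COFF_FMT = "<HHIIIHH"
COFF_SIZE = struct.calcsize(COFF_FMT)             # 20
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)       # 40


@dataclass
class Section:
    name: str
    file_offset: int   # where the section's raw bytes really start in this file
    size: int


def parse_sections(image: bytes):
    """Return (kind, [Section]) for a PE ("MZ") or UEFI TE ("VZ") image."""
    if image[:2] == b"VZ":
        fields = struct.unpack_from(TE_HEADER_FMT, image, 0)
        nsec, stripped = fields[2], fields[4]
        # TE keeps the section table's PointerToRawData values from the original
        # PE.  StrippedSize bytes of PE header were replaced by the 40-byte TE
        # header, so every raw pointer is off by this delta.
        delta = stripped - TE_HEADER_SIZE
        sec_table = TE_HEADER_SIZE
        kind = "TE"
    elif image[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("bad PE signature")
        coff = e_lfanew + 4
        _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff)
        delta = 0
        sec_table = coff + COFF_SIZE + opt_size
        kind = "PE"
    else:
        raise ValueError("not a PE or TE image")

    sections = []
    for i in range(nsec):
        off = sec_table + i * SECTION_SIZE
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, off)
        file_off = raw_ptr - delta
        # Bounds-check before slicing so a hostile header cannot point past the file.
        if file_off < 0 or raw_size > len(image) - file_off:
            raise ValueError(f"section {name!r} points outside the image")
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), file_off, raw_size))
    return kind, sections


def grep_sections(image: bytes, needle: bytes):
    """Find every occurrence of needle inside section data as (section, file offset)."""
    _, sections = parse_sections(image)
    hits = []
    for s in sections:
        data = image[s.file_offset:s.file_offset + s.size]
        pos = data.find(needle)
        while pos != -1:
            hits.append((s.name, s.file_offset + pos))
            pos = data.find(needle, pos + 1)
    return hits


def build_sample_te() -> bytes:
    """Constructed TE image (not a real firmware file) with one .text section."""
    stripped = 0x180      # bytes of original PE header that the TE header replaced
    orig_raw_ptr = 0x200  # .text PointerToRawData in the original, unstripped PE
    payload = b"\x48\x83\xec\x28" + b"UEFI hello\0" + b"\x90" * 16
    hdr = struct.pack(TE_HEADER_FMT, 0x5A56, 0x8664, 1, 0x0B, stripped,
                      0x200, 0x200, 0, 0, 0, 0, 0)
    sec = struct.pack(SECTION_FMT, b".text\0\0\0", len(payload), 0x200, len(payload),
                      orig_raw_ptr, 0, 0, 0, 0, 0x60000020)
    body_off = orig_raw_ptr - (stripped - TE_HEADER_SIZE)   # 0xA8 in the TE file
    return (hdr + sec).ljust(body_off, b"\0") + payload


def build_sample_pe() -> bytes:
    """Constructed minimal PE (empty optional header) with one .rdata section."""
    payload = b"GetProcAddress\0"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, 0, 0x2102)
    data_off = len(dos) + len(coff) + SECTION_SIZE               # 0x80
    sec = struct.pack(SECTION_FMT, b".rdata\0\0", len(payload), 0x1000, len(payload),
                      data_off, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sec + payload


if __name__ == "__main__":
    for img in (build_sample_te(), build_sample_pe()):
        kind, secs = parse_sections(img)
        print(kind, [(s.name, hex(s.file_offset), s.size) for s in secs])
    print(grep_sections(build_sample_te(), b"UEFI hello"))   # [('.text', 172)]
```

Real TE files extracted from a firmware volume with UEFITool can be fed straight to grep_sections; the same delta applies to AddressOfEntryPoint and the data directories if you extend the parser to those.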

Intel announces Core 6 Skylake

I don’t give enough coverage to new CPUs. Skylake has been in the news for a while, but Intel just officially announced it:

Excerpt from press release:

Coming Soon: Intel® Iris™ Graphics, Intel® vPro™ for business, and products for IoT
In the coming months, Intel plans to deliver more than 48 processors in the 6th Gen Intel Core processor family, featuring Intel® Iris™ and Iris Pro graphics, as well as Intel Xeon E3-1500M processor family for mobile workstations and 6th Gen Intel® vPro™ processors for business and enterprises. A variety of devices across a wide range of form factors will be available now and over the coming months from manufacturers around the world. In addition, Intel is offering more than 25 products for the Internet of Things (IoT) with up to 7-year long-life supply and error correcting code (ECC) at multiple TDP levels. Retail, medical, industrial, and digital surveillance and security industries will all benefit from the new 6th Gen Intel Core processor improvements and includes IoT designs from the edge to the cloud.

http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/01/introducing-6th-generation-intel-core-intels-best-processor-ever

http://www.intel.com/content/www/us/en/processors/core/core-processor-family.html?linkId=16730362

http://newsroom.intel.com/community/intel_newsroom/blog/2015/09/01/intel-announces-its-6th-gen-intel-core-processor-family

Avast teams with Qualcomm on Snapdragon security

Qualcomm makes the Snapdragon 820 processor, and is working with Avast Software to include a new kernel-level security technology that is able to detect 0day malware using machine learning, expected to be in consumer devices next year. Excerpting their press release:

“Avast is pleased to work together with Qualcomm Technologies to provide hardware-based security that is integrated into the hardware and firmware of Snapdragon processors,” said Vince Steckler, chief executive officer of Avast. “With threats increasing every day, OEMs and mobile operators need to protect their users in real-time. Snapdragon Smart Protect will provide hardware-based security at the processor level, which is designed to help improve consumer safety from rogue applications, zero day attacks, and ransomware.” Traditional security software can only scan and monitor software behavior at the application and framework layer level. Avast is utilizing Snapdragon Smart Protect on-device, machine-learning technology at the processor level to address zero-day attacks and differentiate between clean and malicious software applications. While consumers will benefit from better protection, OEMs and mobile operators will benefit from reducing the risk of data leakage and malware attacks for their users.

Full press release:

https://press.avast.com/avast-builds-threat-detection-based-on-machine-learning-to-protect-users-from-zero-day-attacks-malware-and-privacy-threats

https://www.qualcomm.com/news/snapdragon
https://www.avast.com/

Ext4 encryption

QuarksLab has a new blog on encryption support of Linux’s Ext4 file system:

Excerpting the beginning of the post:

Linux 4.1 has arrived with a new feature for its popular ext4 filesystem: filesystem-level encryption! This feature appears to have been implemented by Google since they plan to use it for future versions of Android and Chrome OS. Android filesystem encryption currently relies on dm-crypt. Google’s motivations for pushing encryption to ext4 seem:
* To avoid using a stacked filesystem design (for better performance?).
* To encrypt data with integrity.
* To allow multiple users to encrypt their files with different keys on the same filesystem.

More Information:

http://blog.quarkslab.com/a-glimpse-of-ext4-filesystem-level-encryption.html

Also see this article from April:
https://lwn.net/Articles/639427/

UPDATE: See-also this recent talk from Google at the 2015 Linux Security Summit:
Encrypting Android Devices
Paul Lawrence and Mike Halcrow, Google

Slides: halcrow.pdf

Intel August malware report released

Intel Security Group’s McAfee Labs Threat Report for August 2015 has been released. Firmware is listed, more than once. 🙂

https://blogs.mcafee.com/mcafee-labs/malware-trend-continues-relentless-climb/

Report PDF: rp-quarterly-threats-aug-2015.pdf

Intel KGT

Wow, I wasn’t aware of Intel’s Kernel-Guard Technology (KGT) for Linux, until today. 😦

As found on the Twitter feed of Alex Bazhaniuk (@ABazhaniuk):

Intel Kernel-Guard Technology (Intel KGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets. The Intel® KGT framework allows policy writers to specify:
 * Which OS/platform resources to monitor
 * Actions to take when the monitored resource is accessed
 * A policy

A policy can be specified at build-time (embedded in the code), boot-time (such as through grub module), or at runtime (via configfs and script), and is enforced by an outside-OS component. The Intel KGT framework, along with an appropriate policy, can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel pagetable mappings, kernel interrupt descriptor table (IDT), control registers (CRs), MSRs, and MMIO regions. The Intel KGT is based on xmon, which is a thin VT-x component. Xmon runs in vmx-root (ring -1), de-privileges the OS, and uses VT-x controls to trap access to specified resources and enforce policy specified actions. Xmon is not limited to using VT-x and, in the future, is expected to incorporate other CPU and platform features in addition to VT-x to enforce policy.

Their Overview page gives a good introduction.
https://01.org/intel-kgt/overview

It looks like the last release was August 7th, with Intel TXT/tboot support:
https://lists.01.org/pipermail/intel-kgt/2015-August/000012.html

More Information:
https://github.com/01org/ikgt-manifest
https://01.org/intel-kgt/

OS X Yosemite Security Guide

As found on the Twitter feed of David Barroso (@lostinsecurity):

DrDuh has a new Github project which is a Mac OSX Yosemite security/privacy guide. There is a brief section on firmware, using Apple’s new Firmware Password feature.

OS X Yosemite Security and Privacy Guide
https://github.com/drduh/OS-X-Yosemite-Security-and-Privacy-Guide

Linux Foundation IT Security Policies: firmware guidance

A few days ago, the Linux Foundation released new guidance for securing Linux systems. Since the Linux Foundation has mostly remote workers, there are currently 2 documents: one on hardening Linux Workstations, and one for secure group communications, the latter something like a CryptoParty Handbook. Here’s an excerpt of the Hardware/Firmware/Pre-OS section from the Workstation document:

Choosing the right hardware

We do not mandate that our admins use a specific vendor or a specific model, so this section addresses core considerations when choosing a work system.

Checklist

    System supports SecureBoot (CRITICAL)
    System has no firewire, thunderbolt or ExpressCard ports (MODERATE)
    System has a TPM chip (LOW)

Considerations

SecureBoot

Despite its controversial nature, SecureBoot offers prevention against many attacks targeting workstations (Rootkits, “Evil Maid,” etc), without introducing too much extra hassle. It will not stop a truly dedicated attacker, plus there is a pretty high degree of certainty that state security agencies have ways to defeat it (probably by design), but having SecureBoot is better than having nothing at all. Alternatively, you may set up Anti Evil Maid which offers a more wholesome protection against the type of attacks that SecureBoot is supposed to prevent, but it will require more effort to set up and maintain.

Firewire, thunderbolt, and ExpressCard ports

Firewire is a standard that, by design, allows any connecting device full direct memory access to your system (see Wikipedia). Thunderbolt and ExpressCard are guilty of the same, though some later implementations of Thunderbolt attempt to limit the scope of memory access. It is best if the system you are getting has none of these ports, but it is not critical, as they usually can be turned off via UEFI or disabled in the kernel itself.

TPM Chip

Trusted Platform Module (TPM) is a crypto chip bundled with the motherboard separately from the core processor, which can be used for additional platform security (such as to store full-disk encryption keys), but is not normally used for day-to-day workstation operation. At best, this is a nice-to-have, unless you have a specific need to use TPM for your workstation security.

Pre-boot environment

This is a set of recommendations for your workstation before you even start with OS installation.

Checklist

    UEFI boot mode is used (not legacy BIOS) (CRITICAL)
    Password is required to enter UEFI configuration (CRITICAL)
    SecureBoot is enabled (CRITICAL)
    UEFI-level password is required to boot the system (LOW)

Considerations

UEFI and SecureBoot

UEFI, with all its warts, offers a lot of goodies that legacy BIOS doesn’t, such as SecureBoot. Most modern systems come with UEFI mode on by default.

Make sure a strong password is required to enter UEFI configuration mode. Pay attention, as many manufacturers quietly limit the length of the password you are allowed to use, so you may need to choose high-entropy short passwords vs. long passphrases (see below for more on passphrases).

Depending on the Linux distribution you decide to use, you may or may not have to jump through additional hoops in order to import your distribution’s SecureBoot key that would allow you to boot the distro. Many distributions have partnered with Microsoft to sign their released kernels with a key that is already recognized by most system manufacturers, therefore saving you the trouble of having to deal with key importing.

As an extra measure, before someone is allowed to even get to the boot partition and try some badness there, let’s make them enter a password. This password should be different from your UEFI management password, in order to prevent shoulder-surfing. If you shut down and start a lot, you may choose to not bother with this, as you will already have to enter a LUKS passphrase and this will save you a few extra keystrokes.
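As an added example (my own script, not part of the Linux Foundation document), this checks the items from the two checklists above that are visible from inside a running Linux system: UEFI boot mode, the SecureBoot variable, whether a TPM is exposed by the kernel, and whether FireWire/Thunderbolt drivers are loaded. The UEFI configuration and boot passwords cannot be verified from the OS and remain manual items. The driver-name prefixes are an assumption about module naming, and run_demo() builds a constructed fake /sys and /proc tree rather than reading the host.

```python
from pathlib import Path
import tempfile

# SecureBoot lives in the EFI global variable namespace; efivarfs exposes it as
# <name>-<guid>, with 4 bytes of attribute flags followed by the variable data.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumed module-name prefixes for the DMA-capable buses the guide warns about.
DMA_DRIVER_PREFIXES = ("firewire", "thunderbolt", "ohci1394")


def uefi_boot_mode(sysfs: Path) -> bool:
    """The kernel only creates /sys/firmware/efi when it was booted via UEFI."""
    return (sysfs / "firmware" / "efi").is_dir()


def secure_boot_enabled(sysfs: Path):
    """True/False from the SecureBoot variable, None when it cannot be read."""
    var = sysfs / "firmware" / "efi" / "efivars" / f"SecureBoot-{EFI_GLOBAL_GUID}"
    if not var.is_file():
        return None
    data = var.read_bytes()
    return len(data) >= 5 and data[4] == 1


def tpm_present(sysfs: Path) -> bool:
    return (sysfs / "class" / "tpm" / "tpm0").exists()


def dma_drivers_loaded(proc: Path):
    """Names from /proc/modules that belong to the FireWire/Thunderbolt stacks."""
    mods = proc / "modules"
    if not mods.is_file():
        return []
    names = [line.split()[0] for line in mods.read_text().splitlines() if line.strip()]
    return [n for n in names if n.startswith(DMA_DRIVER_PREFIXES)]


def audit(sysfs: Path = Path("/sys"), proc: Path = Path("/proc")) -> dict:
    return {
        "uefi_boot_mode": uefi_boot_mode(sysfs),
        "secure_boot": secure_boot_enabled(sysfs),
        "tpm_present": tpm_present(sysfs),
        "dma_drivers": dma_drivers_loaded(proc),
    }


def findings(results: dict):
    """Map audit results onto the severities the checklists use."""
    out = []
    if not results["uefi_boot_mode"]:
        out.append(("CRITICAL", "not booted in UEFI mode"))
    if results["secure_boot"] is not True:
        out.append(("CRITICAL", "SecureBoot is disabled or could not be verified"))
    if results["dma_drivers"]:
        out.append(("MODERATE", "DMA-capable bus drivers loaded: " + ", ".join(results["dma_drivers"])))
    if not results["tpm_present"]:
        out.append(("LOW", "no TPM device exposed by the kernel"))
    return out


def run_demo() -> dict:
    """Run the audit against a constructed fake /sys and /proc tree, not the real host."""
    with tempfile.TemporaryDirectory() as tmp:
        sysfs, proc = Path(tmp) / "sys", Path(tmp) / "proc"
        var = sysfs / "firmware" / "efi" / "efivars" / f"SecureBoot-{EFI_GLOBAL_GUID}"
        var.parent.mkdir(parents=True)
        var.write_bytes(b"\x06\x00\x00\x00\x01")        # attributes, then value 1 = enabled
        (sysfs / "class" / "tpm" / "tpm0").mkdir(parents=True)
        proc.mkdir()
        (proc / "modules").write_text(                   # constructed module lines
            "firewire_ohci 45056 0 - Live 0xffffffffc0a00000\n"
            "ext4 786432 1 - Live 0xffffffffc0900000\n")
        return audit(sysfs, proc)


if __name__ == "__main__":
    for sev, msg in findings(audit()):
        print(f"[{sev}] {msg}")
```

Run it as an unprivileged user on the workstation itself; a loaded firewire or thunderbolt driver is the cue to blacklist the module or disable the port in UEFI setup, as the guide suggests.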

Full information:

https://github.com/lfit/itpol

https://github.com/lfit/itpol/blob/master/linux-workstation-security.md

http://linuxfoundation.org/

PS: The Linux Foundation also just started a Core Infrastructure Initiative, which has security implications; I need to find out more about it and will blog on it later.

SuspendResume

I also learned about Intel’s SuspendResume project today. Again, it is not new; it has been around since 2014. See this recent SmackeralOfOpinion blog for a screenshot and a better description:

http://smackerelofopinion.blogspot.com/2015/08/identifying-suspendresume-delays.html

The Suspend/Resume project provides a tool for system developers to visualize the activity between suspend and resume, allowing them to identify inefficiencies and bottlenecks. The use of Suspend/Resume is an excellent way to save power in Linux platforms, whether in Intel based mobile devices or large-scale server farms. Optimizing the performance of suspend/resume has become extremely important because the more time spent entering and exiting low power modes, the less the system can be in use. Using a kernel image built with a few extra options enabled, the tool will execute a suspend, and will capture dmesg and ftrace data from suspend start to resume completion. This data is transformed into a set of timelines and callgraphs to give a quick and detailed view of which devices and kernel processes are taking the most time in suspend/resume. The output of the tool is a single html file which makes use of embedded CSS and JavaScript to create the timelines and callgraphs. The file can be viewed in any Linux browser, such as Firefox or Chromium. This project is for kernel developers, testers, debuggers, and other contributors working on Intel-based client or server systems.

https://01.org/suspendresume

EFIDroid

I just learned about EFIDroid, “a multiboot solution for mobile devices”. It is not new; EFIDroid was announced in February 2014 on the Xiaomi.eu mailing lists:

Opensource (multiboot) Bootloader: Efidroid (formerly Grub4android):
“This is the successor of GRUB4Android – a project to bring multiboot to Android. Even though most people hate UEFI on computers (users because of secureboot and devs because it doesn’t change many problems of BIOS afaik), Intel’s implementation (“EDKII”) actually is quite good and perfectly fits our needs. Also, it still allows you to boot GRUB – just in case you wanna do that.”

It is a Google+-based community, with over a hundred members. There’s been a lot of recent Github activity for the project, including an interesting Linux kernel module.

https://github.com/efidroid
https://plus.google.com/communities/114053643671219382368
http://xiaomi.eu/community/threads/dev-opensource-multiboot-bootloader-efidroid-formerly-grub4android.23615/

https://plus.google.com/u/0/MichaelZimmermann
http://mzimmermann.info/

Joanna Rutkowska to speak in Sweden next month

Joanna Rutkowska is one of the speakers at “Next Generation Threats”, taking place in Stockholm, Sweden in September.

Trust as the no. 1 enemy of security: the client systems study

We are forced to trust a lot of things: the files we receive or websites we visit, that they are not going to exploit bugs in our (trusted) apps, the (trusted) software we use has no backdoors built in or added by 3rd parties. Also that the (trusted) OS components are secure and can protect our data, that the underlying (trusted) firmware and hardware is not subverting security mechanisms implemented by our (trusted) Operating System. The more trust we are forced into, the less secure our digital lives are, of course. Trust is the #1 enemy of security. Is there anything we can do about it? What’s the smallest reasonable amount of trust we need in case of a typical client (desktop) system today? Can trust be distributed?

Bio:
Joanna Rutkowska is a founder of Invisible Things Lab and the Qubes OS project, which she has been leading since its inception in 2010. Prior to that she has been focusing on system-level offensive security research. Together with her team at ITL, she has presented numerous attacks on virtualization systems and Intel security technologies, including the famous series of exploits against the Intel Trusted Execution Technology (TXT), the still-only-one software attack demonstrating Intel VT-d escape, and also supervised her team with the pioneering research on breaking into the Intel vPro BIOS and AMT/MT technology. She is also known for writing Blue Pill, the first hardware virtualization-based rootkit, introducing Evil Maid attack, and for her prior work on kernel-mode malware for Windows and Linux in the first half of the 2000s.

http://techworld.event.idg.se/event/ngt15-sthlm/

UEFITool 0.20.8 released


Nikolaj Schlej has released a new version of UEFITool:

https://github.com/LongSoft/UEFITool/releases/tag/0.20.8

159 additions and 61 deletions:
https://github.com/LongSoft/UEFITool/commit/9c4ddbec6218302e86955cfc53e7dfcc8f858eca

Features:
– data after the latest region of Intel image is in tree now
– added Intel, Lenovo and Toshiba-specific capsule GUIDs to the list of known GUIDs
– fixed bogus “File with invalid size” message while working on almost full volumes
– pressing Cancel on “Open in new window” dialog now works as expected

BEEBS: benchmarks for embedded platform energy usage

Andreas Olofsson of Adapteva pointed out an embedded test suite I was not aware of:

The Bristol/Embecosm Embedded Benchmark Suite (BEEBS) is a set of benchmarks designed to test the performance of deeply embedded systems, particularly with regard to energy consumed. As such they assume the presence of no OS and in particular no output stream.

http://arxiv.org/abs/1308.5174
https://github.com/mageec/beebs

August Android Security Update for Nexus

Ryan pointed out that Google just started announcing security updates for Nexus:

Android Security Updates: Nexus Security Bulletin (August 2015)

On August 5, 2015, we released an over-the-air (OTA) update for Nexus 4/5/6/7/9/10 and Nexus Player devices that includes several security fixes. The patches for these fixes have also been released to the Android Open Source Project (AOSP) source repository. These issues are categorized and provided in decreasing order of severity. We have also provided an assessment of each issue, given the information we have at the time of the publication of this bulletin.

Here are brief details on the 6 CVEs listed in this bulletin; see the full announcement for full details:

CVE-2015-1538: Integer overflows during MP4 atom processing
ID: ANDROID-20139950
Versions: 5.1 and below
Severity: Critical
Partners notified: May 4, 2015 (Bulletin 2015-07)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: Joshua Drake

CVE-2015-1539: An integer underflow in ESDS processing
ID: ANDROID-20139950
Versions: 5.1 and below
Severity: Critical
Partners notified: May 4, 2015 (Bulletin 2015-07)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: Joshua Drake

CVE-2015-3824: Integer overflow in libstagefright when parsing the MPEG4 tx3g atom
ID: ANDROID-20923261
Versions: Android 5.1 and below
Severity: Critical
Partners notified: June 25th, 2015 (Bulletin 2015-09)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: Joshua Drake

CVE-2015-3827: Integer underflow in libstagefright when processing MPEG4 covr atoms
ID: ANDROID-20923261
Versions: Android 5.1 and below
Severity: Critical
Partners notified: June 25th, 2015 (Bulletin 2015-09)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: Joshua Drake

CVE-2015-3828: Integer underflow in libstagefright if size is below 6 while processing 3GPP metadata
ID: ANDROID-20923261
Versions: Android 5.0 and above
Severity: Critical
Partners notified: June 25th, 2015 (Bulletin 2015-09)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: Joshua Drake

CVE-2015-3829: Integer overflow in libstagefright processing MPEG4 covr atoms when chunk_data_size is SIZE_MAX
ID: ANDROID-20923261
Versions: Android 5.1 and below
Severity: Critical
Partners notified: June 25th, 2015 (Bulletin 2015-09)
Fixed in Nexus Build: 5.1.1 (LMY48I)
Credit: not listed
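All six entries are integer overflows or underflows in MP4 atom size handling. As an added example (my own code, unrelated to libstagefright or AOSP), here is a hardened atom walker that shows the two checks a box parser has to make on every declared size before using it in arithmetic: the size must not be smaller than its own header, and it must not exceed the bytes remaining in the enclosing box. The well-formed and malformed samples are constructed in the script.

```python
import struct

# Atoms that only hold other atoms; their payload is parsed recursively.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}


class AtomError(ValueError):
    """Raised for any atom whose declared size cannot be trusted."""


def parse_atoms(buf: bytes, start: int = 0, end=None, depth: int = 0, max_depth: int = 8):
    """Walk MP4 atoms in buf[start:end], validating every size before it is used."""
    end = len(buf) if end is None else end
    atoms, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise AtomError(f"truncated atom header at offset {pos}")
        size, typ = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                       # 64-bit "largesize" follows the type
            if end - pos < 16:
                raise AtomError(f"truncated largesize header at offset {pos}")
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                     # atom extends to the end of the enclosing box
            size = end - pos
        # Both checks must come before computing size - header (underflows when
        # the declared size is smaller than the header) or pos + size (overflows
        # when size is near the maximum of its integer type).  Comparing against
        # the remaining length keeps every intermediate value in range.
        if size < header:
            raise AtomError(f"atom {typ!r} at {pos}: size {size} is smaller than its header")
        if size > end - pos:
            raise AtomError(f"atom {typ!r} at {pos}: size {size} exceeds the {end - pos} bytes left")
        atom = {"type": typ.decode("latin-1"), "offset": pos, "size": size, "children": []}
        if typ in CONTAINER_ATOMS:
            if depth >= max_depth:
                raise AtomError(f"atom nesting deeper than {max_depth} at {pos}")
            atom["children"] = parse_atoms(buf, pos + header, pos + size, depth + 1, max_depth)
        atoms.append(atom)
        pos += size
    return atoms


def atom_types(atoms) -> list:
    """Depth-first list of atom types, handy for inspecting a parse."""
    out = []
    for a in atoms:
        out.append(a["type"])
        out.extend(atom_types(a["children"]))
    return out


def rejects(buf: bytes) -> bool:
    """True when the parser refuses the buffer instead of trusting its sizes."""
    try:
        parse_atoms(buf)
    except AtomError:
        return True
    return False


def box(typ: bytes, payload: bytes = b"", large: bool = False) -> bytes:
    """Build an atom for the constructed samples below."""
    if large:
        return struct.pack(">I4sQ", 1, typ, 16 + len(payload)) + payload
    return struct.pack(">I4s", 8 + len(payload), typ) + payload


# Constructed well-formed sample: ftyp, then moov > (mvhd, udta > covr).
SAMPLE_OK = box(b"ftyp", b"isom\x00\x00\x02\x00") + box(
    b"moov", box(b"mvhd", b"\x00" * 100) + box(b"udta", box(b"covr", b"\x00" * 8)))

# Constructed malformed samples exercising the size-check failure modes.
SAMPLE_UNDERSIZED = struct.pack(">I4s", 4, b"covr") + b"\x00" * 8         # size < header
SAMPLE_OVERSIZED = struct.pack(">I4s", 0xFFFFFFFF, b"free") + b"\x00" * 8  # size > data
SAMPLE_HUGE_LARGESIZE = struct.pack(">I4sQ", 1, b"mdat", 0xFFFFFFFFFFFFFFFF) + b"\x00" * 8

if __name__ == "__main__":
    print(atom_types(parse_atoms(SAMPLE_OK)))
    for name in ("SAMPLE_UNDERSIZED", "SAMPLE_OVERSIZED", "SAMPLE_HUGE_LARGESIZE"):
        print(name, "rejected:", rejects(globals()[name]))
```

Python integers cannot wrap, so the point of the example is the order of the comparisons: a C parser that subtracts or adds first and checks afterwards has already lost, which is the pattern behind the bulletin's "size is below 6" and "chunk_data_size is SIZE_MAX" descriptions.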

Full announcement:

https://groups.google.com/forum/#!topic/android-security-updates/Ugvu3fi6RQM
https://source.android.com/devices/tech/security/overview/updates-resources.html