The Dirty Cow vulnerability lived in Linux for close to a decade, and while it was patched in October in the kernel and in Linux distributions, Android users had to wait for more than a month for their fix.
Today, Google included a patch for CVE-2016-5195 in the monthly Android Security Bulletin, the final one for 2016. The Dirty Cow patch is one of 11 critical vulnerabilities, all of which are in the Dec. 5 patch level; a separate Dec. 1 patch level was also released today that included patches for 10 high-severity vulnerabilities.
In last month’s bulletin, Google partially addressed Dirty Cow with a supplemental firmware update for Nexus and Pixel handsets, while Samsung was the lone handset maker to release a patch in November.
Dirty Cow was patched in October after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.
The flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory. Researcher Phil Oester disclosed the vulnerability and a proof-of-concept exploit.
“This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said.
Copy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. The vulnerability allows an attacker to exploit the race condition to write to the original page before it’s marked dirty.
Google also patched a separate kernel memory subsystem bug rated critical. CVE-2016-4794 affects only the new Pixel, Pixel C and Pixel XL devices, and can also allow an attacker to elevate to root privileges.
Six other critical bugs were addressed in the NVIDIA GPU and video drivers; the GPU bugs affect only Nexus 9 devices, while one of the video driver flaws also affects the Pixel C. The patches, Google said, are not publicly available and instead are contained in the latest binary drivers for Google devices.
Two other critical bugs in the kernel, kernel ION driver were also patched today, all of which allow an attacker to elevate their privileges.
Google also patched additional vulnerabilities in Qualcomm components, which have been a sticking point this year in multiple updates and public attacks, most notably Quadrooter, which was patched in September. Quadrooter was disclosed this summer at DEF CON and put hundreds of millions of devices at risk, similar to Stagefright. Researchers at Check Point Software Technologies disclosed the privilege escalation vulnerabilities, which could be used in remote code execution attacks. Multiple subsystems of the Qualcomm chipset were affected and the vulnerabilities could have been exploited to bypass existing mitigations in the Android Linux kernel, allowing an attacker to gain root privileges, Check Point said.
Google said that today’s patch addresses flaws that could also lead to code execution.
“An elevation of privilege vulnerability in the Qualcomm MSM interface could enable a local malicious application to execute arbitrary code within the context of the kernel,” Google said.
The Dec. 5 patch level also includes patches for vulnerabilities rated high severity in the kernel, kernel file system, HTC sound code, MediaTek drivers, Qualcomm codecs and drivers, and NVIDIA drivers among others. Most of the flaws are elevation of privilege issues.
The Dec. 1 patch level includes a patch for a remote code execution vulnerability in CURL/LIBCURL.
“The most severe issue could enable a man-in-the-middle attacker using a forged certificate to execute arbitrary code within the context of a privileged process,” Google said. “This issue is rated as High due to the attacker needing a forged certificate.”
The remaining high-severity bugs in the Dec. 1 patch level affect libziparchive, Mediaserver, Framesequence and Telephony.