A Critical Elevation of Privilege (EoP) vulnerability in the Qualcomm Secure Execution Environment (QSEE) affects an estimated 60 percent of Android devices worldwide, despite having already been fixed, researchers warn.
The culprit is an EoP flaw in the Widevine QSEE TrustZone application, namely CVE-2015-6639, which was resolved in January when Google issued patches for 12 security flaws in Android. The bug could enable a compromised, privileged application with access to QSEECOM to execute arbitrary code in the TrustZone context.
In short, the bug works as follows: QSEECOM is a Linux kernel device that allows regular user-space processes such as the mediaserver (which runs in the normal operating system, or “Normal World”) to communicate with trusted applications (or trustlets) in a secure OS that manages protected services and hardware (the “Secure World”). Thus, malicious code running in the Normal World can call trustlets and exploit vulnerabilities in them to compromise the device.
The TrustZone kernel operates within the Secure World, while QSEECOM operates within the Normal World; both run in kernel mode. In this specific case, an attacker able to run malicious code in mediaserver can exploit an application running in the Secure World (Widevine’s DRM software) to gain full control over the affected device by modifying the Normal World’s Linux kernel.
Gal Beniamini explained in a recent blog post that QSEE is extremely privileged, which allows it to interact directly with the TrustZone kernel and access the hardware-secured TrustZone file system (SFS). Moreover, it has direct access to the system’s memory, which allows an attacker to hijack the Linux kernel without having to find and exploit a kernel vulnerability.
However, the attacker would still have to exploit a vulnerability in mediaserver, and those are hardly in short supply. Since mid-2015, when the Stagefright vulnerability was initially disclosed, Google has been patching bugs in mediaserver monthly, and the May 2016 security update for Nexus devices included such a patch as well.
The issue, discovered last year by Gal Beniamini, affects 75 percent of all Android devices powered by a Qualcomm processor, security firm Duo Security claims. According to Duo, around 80 percent of all Android devices have a Qualcomm processor inside, but just 25 percent of users have applied the patch, meaning that 60 percent of devices continue to be vulnerable.
While many eligible devices have already received the January 2016 security update, millions of them have not. With this patch being the only fix for the vulnerability, manufacturers need to apply it to their devices and send it to carriers, while carriers need to approve and deploy it. However, the process is slow and older devices are most often left out of this update cycle, meaning that millions of users won’t receive the patch. Ever.
According to Duo researchers, an analysis of their dataset of 500,000 enterprise devices revealed that around 27 percent of all Android devices out there remain permanently vulnerable to this bug. To mitigate that, manufacturers and carriers would need to build and approve a patch for the specific Android version the affected devices run.
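One way to triage a managed fleet for the exposure described above, as an added example that is not part of the original article and not Duo’s methodology: it assumes build properties collected with adb shell getprop, a Qualcomm-detection heuristic based on common board prefixes (an assumption, not exhaustive), and the ro.build.version.security_patch property, which exists only on Android 6.0 and later.

```python
from datetime import date

# Google shipped the Widevine QSEE fix (CVE-2015-6639) in the January 2016 bulletin.
FIX_PATCH_LEVEL = date(2016, 1, 1)

# Assumption for illustration: board/platform prefixes commonly reported by Qualcomm SoCs.
QUALCOMM_PLATFORM_PREFIXES = ("msm", "apq")


def is_qualcomm(props):
    """True if the build properties point at a Qualcomm SoC (heuristic)."""
    hardware = props.get("ro.hardware", "").lower()
    platform = props.get("ro.board.platform", "").lower()
    return hardware == "qcom" or platform.startswith(QUALCOMM_PLATFORM_PREFIXES)


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD' from ro.build.version.security_patch; None if absent or garbled."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def exposure(props):
    """Classify one device: 'not-qualcomm', 'unknown-patch-level', 'exposed' or 'patched'."""
    if not is_qualcomm(props):
        return "not-qualcomm"
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is None:
        # Property absent (pre-6.0 build) or unparsable: the device cannot prove it is patched.
        return "unknown-patch-level"
    return "patched" if level >= FIX_PATCH_LEVEL else "exposed"


def fleet_summary(fleet):
    """Count devices per exposure class."""
    counts = {}
    for props in fleet:
        status = exposure(props)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample fleet (not real telemetry): one device of each class.
SAMPLE_FLEET = [
    {"ro.hardware": "qcom", "ro.board.platform": "msm8974", "ro.build.version.security_patch": "2015-12-01"},
    {"ro.hardware": "qcom", "ro.board.platform": "msm8994", "ro.build.version.security_patch": "2016-01-01"},
    {"ro.hardware": "qcom", "ro.board.platform": "msm8226"},
    {"ro.hardware": "exynos5", "ro.board.platform": "exynos5", "ro.build.version.security_patch": "2015-11-01"},
]

if __name__ == "__main__":
    print(fleet_summary(SAMPLE_FLEET))
```

Devices classed unknown-patch-level should be treated as exposed for risk purposes, since the older builds that lack the property are exactly the ones the article says are least likely to ever receive the fix.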
In March, researchers at FireEye published the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models. The issue was found in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information.
Also in March, Google released an emergency security patch for Android devices in an attempt to resolve a local elevation of privilege vulnerability in the kernel, after researchers discovered that the flaw was already being abused by rooting applications.