Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.
Discovered by Phil Oester, the flaw was dubbed Dirty COW because it relies on a race condition in the Linux kernel, which could result in the kernel writing data to read-only memory mapping, instead of making a private copy first. The issue is caused by the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings and it can even escape containers.
Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.
Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.
In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.
All devices running Android with security patch level of 2016-11-06 include a fix for this issue. In fact, Google underlines that they also have fixes for the issues associated with the 2016-11-01 and 2016-11-05 patch levels.
One of these flaws was a Denial of service vulnerability in Proxy Auto Config (CVE-2016-6723), which could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. Considered only of Moderate severity, the bug was found to affect devices running Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, and 7.0.
According to Nightwatch Cybersecurity researchers, the flaw can be triggered to crash a device by downloading a large Proxy Auto Config (PAC) file when adjusting the Android networking settings. The PAC files can be used as part of the network settings configuration to define the proxy servers that should be used for different types of requests.
These text files usually contain a JavaScript function that the web browser can call to determine the proxy server to use, and Android users can indicate a PAC URL to be used to download the file. Because Android doesn’t check whether the PAC file may be too large to load into memory, a Man-in-the-Middle attacker who can intercept the file could replace it with a large one of their own and crash the Android phone.
If the served file is larger than the memory available on the device, all memory is exhausted and the phone halts and then soft reboots. No data should be lost during the soft reboot, but the researchers believe that attackers could leverage the flaw to achieve remote code execution.
However, because the Denial of service bug is mitigated by multiple factors, the likelihood of exploitation is low, the researchers explain. The attack requires the user to configure a PAC file, an attacker to know about that file, and for the file to be served without SSL. Moreover, because Android doesn’t support Web Proxy Auto-Discovery Protocol (WPAD) to retrieve PAC files automatically, the flaw can’t be exploited using a rogue access point or network.
Related: Google Patches 23 Critical Vulnerabilities in Android
Related: Android Root Exploits Abuse Dirty COW Vulnerability