Mobile & Wireless

Security Bug Lurked in Nexus 9 Kernel for Two Years

A security vulnerability that allowed a privileged attacker to write arbitrary values within kernel space lurked in the Nexus 9 kernel for two years before being patched, IBM security researchers reveal.

Tracked as CVE-2016-3873, the vulnerability was found in the Tegra kernel branch and was assigned a high severity rating. It was found to plague Nexus 9 ever since its inception in November 2014, and was fixed in the security patch level of 2016-09-05, after being discovered in June 2016.

In its September 2016 Security Bulletin, Google noted that this was an elevation of privilege vulnerability in the NVIDIA kernel and that a local malicious application could leverage it to execute arbitrary code within the context of the kernel. Because the bug first requires compromising a privileged process, it was assigned a High severity rating.

IBM X-Force Application Security Research Team’s Sagi Kedmi, the researcher who discovered the bug, explains that a similar issue (CVE-2016-2443) was discovered by security researcher Marco Grassi in spring 2013. Found in the Qualcomm MDP Driver, this bug was patched in Google’s May 2016 Android Security Bulletin.

“Kernel arbitrary write primitives can be used to achieve kernel code execution, which completely compromises the security of the device, not including TrustZone. It increases the TrustZone attack surface and allows attackers to access application data and override the Security-Enhanced Linux (SELinux) policy,” Kedmi explains.

The vulnerable code in Nexus 9 begins with the registers debugfs file node, which is registered with a file operation whose write handler, cl_register_write(), is invoked on a write system call. That handler securely copies a user-space buffer and parses its contents as two numeric values, val and offs. Next, cl_dvfs_writel() is fed the two values, and __raw_writel() is used to write the value val at offs+, which results in an arbitrary kernel write because offs is never bounds-checked.
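The write path described above, reduced to a user-space model (an added example, not IBM's, NVIDIA's or Google's code): the `cl_` names follow the article, the register window size is an assumption, and `cl_dvfs_writel_checked()` shows the offset bounds check the original path lacked.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed size of the DVFS register window the node wrote into (constructed). */
#define CL_REG_WINDOW_SIZE 0x100u
static uint32_t cl_regs[CL_REG_WINDOW_SIZE / sizeof(uint32_t)];
static uint8_t *const cl_base = (uint8_t *)cl_regs;

/* Parse "val offs" (hex) from a buffer already copied out of user space. */
int cl_parse_write(const char *buf, unsigned int *val, unsigned int *offs)
{
    return sscanf(buf, "%x %x", val, offs) == 2 ? 0 : -1;
}

/* The unchecked arithmetic the bug relied on: does base + offs still land
 * inside the register window? No store is performed here. */
bool cl_unchecked_target_in_window(unsigned int offs)
{
    unsigned long long target = (unsigned long long)(uintptr_t)cl_base + offs;
    return target + sizeof(uint32_t) <= (uintptr_t)cl_base + CL_REG_WINDOW_SIZE;
}

/* Hardened stand-in for cl_dvfs_writel(): reject unaligned or out-of-window
 * offsets before the __raw_writel()-style store. */
int cl_dvfs_writel_checked(unsigned int val, unsigned int offs)
{
    if (offs % sizeof(uint32_t) != 0 || offs > CL_REG_WINDOW_SIZE - sizeof(uint32_t))
        return -1;                       /* -EINVAL in the kernel */
    memcpy(cl_base + offs, &val, sizeof val);
    return 0;
}

/* Write handler with the check in place; Google's actual fix removed the
 * registers node entirely, which is the stronger option for production. */
int cl_register_write_checked(const char *user_buf)
{
    unsigned int val, offs;
    if (cl_parse_write(user_buf, &val, &offs) != 0)
        return -1;
    return cl_dvfs_writel_checked(val, offs);
}

uint32_t cl_readl(unsigned int offs)
{
    uint32_t v;
    memcpy(&v, cl_base + offs, sizeof v);
    return v;
}
```

An in-window write such as "deadbeef 10" succeeds and can be read back at offset 0x10, while a far offset like "1 ffff0000" is rejected by the checked path even though the unchecked base + offs arithmetic would happily point outside the window.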

The researcher analyzed both Discretionary Access Control (DAC) and Mandatory Access Control (MAC; SELinux on Android) to determine which running processes can trigger the vulnerability. On the DAC side, the attacker needs to execute code as root; on the MAC side, Kedmi then looked at which SELinux contexts are allowed to write to a file carrying the debugfs context.

Looking into Nexus 9’s sepolicy (MOB30M), Kedmi found that SELinux-wise, all domains can open, write and append to any file with the debugfs context, and discovered that code execution within the zygote process, several system processes and some other processes can trigger and exploit the Android vulnerability.

“To exploit the vulnerability from an untrusted application security context, start by escalating privileges from an untrusted app to one of the contexts of the aforementioned processes. The commit that fixed the vulnerability indicates that Google simply removed the registers file from the debug file system. Clearly, the registers file node was not needed on production builds,” the researcher concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
