Understanding Your Exposure to Stagefright Vulnerabilities
By now, you have, no doubt, heard about the vulnerabilities made public in a component of the Android Operating System that may give an attacker complete control over affected devices via something as simple as a multimedia message (MMS). But, just in case you have been hiding in a cave the last couple of weeks, let's quickly review what we know about this issue today.
Android security researcher and all-around nice guy Joshua Drake discovered some serious vulnerabilities in a component of the Android Operating System called Stagefright. According to the Android documentation, Stagefright provides a media playback engine that comes built-in with software-based codecs for many popular media formats. Basically, Stagefright is responsible for audio and video playback on Android devices. You can review Joshua's presentation slides here.
Initially, Joshua discovered, disclosed and provided a patch for 7 different vulnerabilities; however, at the time of writing, there are now a total of 10, which have been assigned the following CVEs:
- CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution
- CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution
- CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread
- CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution
- CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution
The availability of patches for these issues depends on your mobile device vendor and, in some cases, your mobile carrier. However, as pointed out by Exodus Intelligence, the current patches are not effective at completely fixing the publicly known vulnerabilities. Of course, this situation is very fluid, and as new bugs are identified, patches will be generated and eventually rolled out via OTA updates.
In the meantime, a partial mitigation is to disable the automatic downloading of MMS messages on your device. In addition, devices running Android version 4.1 and above, while still vulnerable, are much harder to exploit due to the introduction of ASLR.
So What Does This Mean for Duo Security Customers?
Based on our data, 29% of devices using our service are running versions of Android that are vulnerable. 9% of those vulnerable devices are running an Android version below 4.1, and the most popular version of Android we see on devices is 4.4.2, which was released back in December 2013.
If you happen to be using our new Platform Edition, you can easily understand the risk that these vulnerabilities present to your organization by first understanding how many vulnerable devices you have in your organization and then, if deemed necessary, create a policy to prevent those devices from being used to access corporate assets.
Creating a Custom Policy with Duo Platform Edition
Administrators should first log in to their console and select the Device Insight section.
Once in the Device Insight section, you can easily see the breakdown of devices used to access your enterprise.
Based on this data, administrators may wish to create a policy, from the policy screen, to restrict vulnerable devices until they are brought up to date or patched for the Stagefright vulnerabilities.
Understanding your exposure to these vulnerabilities is not only the first step in compelling users to upgrade and patch (when available), but is also essential to understanding the risk that mobile vulnerabilities present to your organization.
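The same two figures (share of devices exposed, and share of those below 4.1 and therefore without ASLR) can be computed from any device inventory export. The script below is an added example, not Duo's code or part of the original post; the CSV columns, the `stagefright_patched` flag and the sample rows are assumptions constructed for illustration, and a device with an unreadable version is treated as exposed.

```python
import csv
import io

ASLR_MIN = (4, 1)  # per the article: 4.1 and above is harder to exploit (ASLR)
# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """device_id,os,os_version,stagefright_patched
d1,Android,4.4.2,no
d2,Android,4.0.4,no
d3,Android,5.1.1,yes
d4,iOS,8.4,no
d5,Android,2.3.6,no
d6,Android,,no
d7,Android,4.1,no
"""

def parse_version(text):
    # Returns (major, minor), or None when the version string is unusable.
    parts = text.strip().split(".")
    try:
        return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None

def classify(row):
    if row["os"].strip().lower() != "android":
        return "not_applicable"
    if row["stagefright_patched"].strip().lower() == "yes":
        return "patched"
    version = parse_version(row["os_version"])
    if version is None:
        return "exposed_unknown_version"  # fail closed: restrict until verified
    return "exposed_aslr" if version >= ASLR_MIN else "exposed_no_aslr"

def summarize(csv_text):
    """Tally exposure classes and list the devices a restriction policy would cover."""
    counts, restrict = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("exposed"):
            restrict.append(row["device_id"])
    total, exposed = sum(counts.values()), len(restrict)
    no_aslr = counts.get("exposed_no_aslr", 0)
    return {"counts": counts, "restrict": restrict,
            "pct_exposed": round(100 * exposed / total, 1) if total else 0.0,
            "pct_exposed_no_aslr": round(100 * no_aslr / exposed, 1) if exposed else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
```

Because the article notes that current patches do not fully fix the known issues, the `patched` class is best read as "lower priority" rather than "safe".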