Sunday, 25 December 2016

DirtyCow and Drammer vulnerabilities "hijack Android devices"

The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, they both represent a real risk to Android users as individuals have already published proof-of-concept exploit code online for both vulnerabilities, thus minimizing the time attackers would need to understand and develop their own exploits from scratch. Additionally, industry researchers have already seen attackers using DirtyCow to exploit Linux-based systems in the wild.


Given that the CVEs and the POC code are publicly available, enterprises should see this as a concern. If an attacker roots a device, she has full control over it, which means she may also be able to collect sensitive data from the device. If the victim is an employee, that may mean company information is being leaked. Having visibility into the kinds of apps, rooted devices, or outdated software running on the corporate network is critical.

DirtyCow

The vulnerability extends back nine years and affects all versions of Android including the latest Android 7.0 Nougat. While Linus Torvalds created and released a patch for the Linux Kernel – which Android uses – the patch has not been released as a security update for Android users yet.

DirtyCow is an easy vulnerability to understand, and proof-of-concept exploit code is already in the wild, available to researchers and attackers alike. We expect to see this issue patched in the November 2016 Android Security Update at the earliest.

Drammer

The second vulnerability, called Drammer and discovered by VUSec, is the first time the Rowhammer vulnerability has been applied to ARM-based devices, in this case Android devices. Drammer exploits a hardware bug: by repeatedly reading, or “hammering”, a row in memory, an attacker can induce a bit in another spot in memory, one the attacker doesn’t control, to “flip” or change value. If an attacker does this hammering enough times, he or she can control which space in memory it points to so that a device can eventually be compromised and rooted. Drammer likely works on all versions of Android including the latest, but the mileage may vary.

Patches

Google has banned the Drammer POC app from the Google Play Store. Lookout customers are protected from this test app. Our investigation revealed that the banned POC app published by the academic researchers is not overtly malicious, but it does exploit the vulnerability and has been observed to cause local denial-of-service on failed exploit attempts.

Enterprises should use a mobile security partner to gain awareness into the apps running on their employees’ devices and to receive timely alerts when one of those apps is risky or malicious.