|
|
Subscribe / Log in / New account

Check Point's "QuadRooter" vulnerabilities

[Posted August 8, 2016 by corbet]

Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.
to post comments

Check Point's "QuadRooter" vulnerabilities

Posted Aug 8, 2016 19:12 UTC (Mon) by raptor (guest, #110391) [Link] (11 responses)

Franco (dev of Franco Kernel for Android) has more details on QuadRooter. He claims three vulnerabilities are already patched with Google's monthly patches and the forth already has a patch released. At least Nexus users should be relatively safe.

Details: https://plus.google.com/+FranciscoFranco1990/posts/BR6NRS...

Check Point's "QuadRooter" vulnerabilities

Posted Aug 8, 2016 20:27 UTC (Mon) by clump (subscriber, #27801) [Link] (10 responses)

The post alludes to a vulnerability being fixed in "September's list", which effectively means a known vulnerability will be exploitable for almost two months from now.

This is a best case scenario because the author is only talking about Nexus phones, while calling other phones "retarded".

Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 9:00 UTC (Tue) by jrnorris (subscriber, #74233) [Link] (9 responses)

As a Nexus 6P user I can confirm that 3 of the 4 vulnerabilities have been patched already on patch level 5th August. The September list referred to is likely to be the one released at the start of September like the other patches, so at worst around 4 weeks not 2 months. For example the August patch was released on the first of August (with a second one update done the 5th).

This compared to other Android phones I've had that I've bought through carriers that haven't received updates (security or otherwise) for 12 months or more at a time. So while retarded might be a bit strong, I can see the point being made about supporting Android manufacturers that update regularly.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 14:29 UTC (Tue) by clump (subscriber, #27801) [Link] (8 responses)

Official Android updates aren't reliably released. Monthly updates are not delivered to some Nexus devices until the middle or end of a given month. So if there's a security issue fixed in the next update, your phone could be vulnerable until about September 20th. This is pretty generous for attackers.

I don't believe the situation is "better" for non-Nexus devices, but that's not saying much.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 7:51 UTC (Wed) by thestinger (guest, #91827) [Link] (7 responses)

The over-the-air updates are intentionally staggered. It usually takes about 7 days for it to ramp up to all devices being told that there's an update available. I don't know why they do it that way. I don't think they're ever actually backed out one of the monthly security updates since they're well tested before release.

They started publishing full over-the-air updates (all of the actual over-the-air updates are delta updates) at https://developers.google.com/android/nexus/ota for manually installing them.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 14:59 UTC (Wed) by dany (guest, #18902) [Link] (6 responses)

I found this comment on twitter:

Imagine you have Windows security updates not from Microsoft, but from your ISP or PC maker (Dell, Lenovo,...). Funny right? Well its reality in Android world.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 15:08 UTC (Wed) by pizza (subscriber, #46) [Link] (4 responses)

It's not that clear-cut.

For example, my work-supplied Lenovo laptop gets quite a few updates from the manufacturer -- the "Lenovo Updater" tool grabs updates for everything that Lenovo bundled with the system -- including Windows updates, device drivers, machine-specific applications, etc.

The other point is that PCs running Windows have commodity hardware with (very) standard interfaces capable of using a generic, off-the-shelf operating system installed by an end-user.

That's not the case with the overwhelming majority of Android devices.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 11, 2016 9:00 UTC (Thu) by dany (guest, #18902) [Link] (3 responses)

You dont really need lenovo updater to get Windows security updates.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 11, 2016 19:05 UTC (Thu) by Jonno (subscriber, #49613) [Link] (2 responses)

> You dont really need lenovo updater to get Windows security updates.
Only for security updates to components found in Windows proper, not for additional stuff installed by the OEM.

Remember that none of the four vulnerabilities discussed here are actually in Android proper: three are in OEM provided drivers, and one is in an OEM provided replacement for a stock driver. In the Windows ecosystem you wouldn't get security updates to such drivers through Windows Updates, so without something like the Lenovo updater you would have to manually poll the OEM homepage to see if they have released an update in order to get security updates.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 12, 2016 0:29 UTC (Fri) by Fowl (subscriber, #65667) [Link] (1 responses)

OEMs do actually have the option to publish drivers and driver updates to Windows Updates. Since often "drivers" can be completely userspace components I'm not sure where MS draws the line as to what would be rejected.

Check Point's "QuadRooter" vulnerabilities

Posted Aug 12, 2016 1:40 UTC (Fri) by Jonno (subscriber, #49613) [Link]

> OEMs do actually have the option to publish drivers and driver updates to Windows Updates.
Yes, though the limits are quite restrictive (for example a Windows Update supplied driver are no allowed to include any feature not included in the driver boxed with the hardware as sold), and if there is a security vulnerability in the driver the OEM is screwed, as updated versions of drivers are only allowed under even more restrictive conditions (and a security vulnerability is not one of them [1]):

> 2.3.1.1. The driver is among the top 20 Online Crash Analysis (OCA) driver issues report for an OEM’s systems over the last 90 days; or
> 2.3.1.2. The previous version of the code causes 10% or 10,000 (whichever is lower) of an OEM's systems to stop unexpectedly during driver installation over a two-week period or lose basic device or system functionality. Examples of this include: sound cards no longer emit sounds; a mouse cannot move the cursor; a storage unit cannot be accessed; or
> 2.3.1.3. At the sole discretion of Microsoft, the existing code results in excessive product support calls by OEMs, IHVs, or Microsoft.

[1]: http://download.microsoft.com/download/9/c/5/9c5b2167-801...

Check Point's "QuadRooter" vulnerabilities

Posted Aug 10, 2016 17:46 UTC (Wed) by excors (subscriber, #95769) [Link]

Like when you have to manually download an update from Lenovo to fix a BIOS vulnerability (in code originally from Intel and modified by some BIOS vendor)?

On Windows I've got graphics drivers downloaded directly from NVIDIA, some other graphics card utilities from the card manufacturer, BIOS updates from the motherboard manufacturer, my SSD needed a firmware update from Crucial to stop it BSODding every hour after it was a couple of years old. My monitor and printer and keyboard came with driver CDs. My ISP offers me cloud storage software, my bank offers me security software. Web browsers and Flash etc have their own auto-updaters (some more irritating than others), most other applications can only be updated manually.

Android has a far more coherent model than that: the Play Store updates your apps, the device vendor is responsible for updating all the platform software and firmware and drivers, and that covers absolutely everything. (The only problem is that "is responsible for" != "actually does".)

Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 5:51 UTC (Tue) by mjthayer (guest, #39183) [Link] (1 responses)

Out of interest, is there any good way, without installing something from the Google store, to quickly check what known vulnerabilities affect an Android phone?

Check Point's "QuadRooter" vulnerabilities

Posted Aug 9, 2016 13:06 UTC (Tue) by runekock (subscriber, #50229) [Link]

Compare the security baseline date in Settings to Google's list of monthly fixes.
If your phone doesn't show a security date, then you can be sure it is hopeless -- probably not fixed in 2016 at all.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds