Critical severity 9.8 · NVD Advisory · Published Aug 5, 2016 · Updated May 6, 2026

CVE-2016-3840


Description

Conscrypt in Android fails to properly identify TLS session reuse, allowing remote attackers to execute arbitrary code via crafted session tickets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in the Conscrypt TLS library used in Android versions 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before the August 2016 security patch level. The library incorrectly determines session reuse by comparing session IDs, which can be identical when TLS session tickets are used. This flaw allows an attacker to force session reuse without proper validation [1][2].

Exploitation

An attacker with network access to a vulnerable Android device can send a crafted TLS session ticket that triggers the session reuse logic. No authentication is required. The attacker can exploit this by establishing a TLS connection and providing a malicious session ticket that the server incorrectly treats as a reused session, leading to memory corruption [1].

Impact

Successful exploitation allows remote code execution with the privileges of the application using the Conscrypt library. This can lead to full compromise of the affected device, including data theft and further propagation [1].

Mitigation

Google released a fix in the Android Security Bulletin for August 2016. The fix is implemented in commit 5af5e93463f4333187e7e35f3bd2b846654aa214 [2]. Users should update to Android versions 4.4.4, 5.0.2, 5.1.1, or the August 2016 security patch level for Android 6.x. No workaround is available [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

3
