Check Point's researchers and Google have disagreed about the severity of CVE-2016-2059. While Qualcomm rated the flaw as high severity, Google rated it as low severity, saying that it can be mitigated through SELinux.
SELinux is a kernel extension that makes exploitation of certain vulnerabilities much harder by enforcing access controls. The mechanism was used to enforce application sandbox boundaries starting with Android 4.3 (Jelly Bean).
Check Point doesn't agree with Google's assessment that SELinux mitigates this flaw. During Donenfeld's talk at DEF CON, he showed how the CVE-2016-2059 exploit can switch SELinux from enforcing to permissive mode, effectively disabling its protection.
It's hard to identify which devices are vulnerable because some manufacturers might wait for Google to release the missing patch before issuing their own firmware updates, while others might take it directly from Qualcomm. To help identify vulnerable devices, Check Point released a free application called QuadRooter Scanner on Google Play that allows users to check if their devices are affected by any of the four flaws.