Docs: Create advisory section, index, and 2016-03-18
Bug: 27718193
Change-Id: I47a2529e5b328c46ea425e60f83cb7222e34ef33
diff --git a/src/security/advisory/2016-03-18.jd b/src/security/advisory/2016-03-18.jd
new file mode 100644
index 0000000..5b1aa81
--- /dev/null
+++ b/src/security/advisory/2016-03-18.jd
@@ -0,0 +1,191 @@
+page.title=Android Security Advisory — 2016-03-18
+@jd:body
+
+<!--
+ Copyright 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p><em>Published March 18, 2016</em></p>
+
+<p>Android Security Advisories are supplemental to the Nexus Security Bulletins.
+Refer to our <a href="index.html">summary page</a> for more information about Security Advisories.</p>
+
+<h2 id=summary>Summary</h2>
+
+<p>Google has become aware of a rooting application using an unpatched local
+elevation of privilege vulnerability in the kernel on some Android devices
+(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>).
+For this application to affect a device, the user must first install it. Google
+already blocks installation of rooting applications that use this
+vulnerability — both within Google Play and outside of Google
+Play — using <a href="https://support.google.com/accounts/answer/2812853">
+Verify Apps</a>, and have updated our systems to detect applications that use
+this specific vulnerability.</p>
+
+<p>To provide a final layer of defense for this issue, partners were provided
+with a patch for this issue on March 16, 2016. Nexus updates are being created
+and will be released within a few days. Source code patches for this issue have
+been released to the Android Open Source Project (AOSP) repository.</p>
+
+<h3 id=background>Background</h3>
+
+<p>This is a known issue in the upstream Linux kernel that was fixed in April 2014
+but wasn’t called out as a security fix and assigned
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>
+until February 2, 2015. On February 19, 2016, C0RE Team notified Google that
+the issue could be exploited on Android and a patch was developed to be included
+in an upcoming regularly scheduled monthly update.</p>
+
+<p>On March 15, 2016 Google received a
+report from Zimperium that this vulnerability had been abused on a Nexus 5
+device. Google has confirmed the existence of a publicly available rooting
+application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide
+the device user with root privileges.</p>
+
+<p>This issue is rated as a
+<a href="{@docRoot}security/overview/updates-resources.html#severity">
+Critical severity issue</a> due to the possibility of a local privilege escalation
+and arbitrary code execution leading to local permanent device compromise.</p>
+
+<h3 id=scope>Scope</h3>
+
+
+<p>This advisory applies to all unpatched Android devices on kernel versions 3.4,
+3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel
+version 3.18 or higher are not vulnerable.</p>
+
+<h3 id=mitigations>Mitigations</h3>
+
+
+<p>The following are mitigations that reduce the likelihood users are impacted
+by this issue: </p>
+
+<ul>
+ <li> Verify Apps has been updated to block the installation of applications that
+we have learned are attempting to exploit this vulnerability both within and outside
+of Google Play.
+ <li> Google Play does not allow rooting applications, like the one seeking to
+exploit this issue.
+ <li> Android devices using <a href="https://support.google.com/nexus/answer/4457705">
+Linux kernel version 3.18</a> or higher are not vulnerable.
+</ul>
+
+<h3 id=acknowledgements>Acknowledgements</h3>
+
+
+<p>Android would like to thank the <a href="http://c0reteam.org/">C0RE Team</a> and
+<a href="https://www.zimperium.com/">Zimperium</a> for their contributions to
+this advisory.</p>
+
+<h3 id=suggested_actions>Suggested actions</h3>
+
+
+<p>Android encourages all users to accept updates to their devices when they
+are available.</p>
+
+<h3 id=fixes>Fixes</h3>
+
+
+<p>Google has released a fix in the AOSP repository for multiple kernel versions.
+Android partners have been notified of these fixes and are encouraged to apply
+them. If further updates are required, Android will publish them directly to ASOP.</p>
+
+<table>
+ <tr>
+ <th>Kernel Version</th>
+ <th>Patch</th>
+ </tr>
+ <tr>
+ <td>3.4</td>
+ <td><a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">AOSP patch</a></td>
+ </tr>
+ <tr>
+ <td>3.10</td>
+ <td><a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">AOSP patch</a></td>
+ </tr>
+ <tr>
+ <td>3.14</td>
+ <td><a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">AOSP patch</a></td>
+ </tr>
+ <tr>
+ <td>3.18+</td>
+ <td>Patched in public Linux kernel</td>
+ </tr>
+</table>
+
+
+<h2 id=common_questions_and_answers>Common Questions and Answers</h2>
+
+
+<p><strong>1. What's the problem?</strong></p>
+
+<p>An elevation of privilege vulnerability in the kernel could enable a local
+malicious application to execute arbitrary code in the kernel. This issue is
+rated as a Critical severity due to the possibility of a local permanent device
+compromise and the device would possibly need to be repaired by re-flashing the
+operating system.</p>
+
+<p><strong>2. How would an attacker seek to exploit this issue?</strong></p>
+
+<p>Users who install an application that seeks to exploit this issue are at
+risk. Rooting applications (like the one that is exploiting this issue) are
+prohibited in Google Play, and Google is blocking the installation of
+this application outside of Google Play through Verify Apps. An
+attacker would need to convince a user to manually install an affected
+application.</p>
+
+<p><strong>3. Which devices could be affected?</strong></p>
+
+<p>Google has confirmed that this exploit works on Nexus 5 and 6; however all
+unpatched versions of Android contain the vulnerability.</p>
+
+<p><strong>4. Has Google seen evidence of this vulnerability being abused?</strong></p>
+
+<p>Yes, Google has seen evidence of this vulnerability being abused on a Nexus 5 using a
+publicly available rooting tool. Google has not observed any exploitation that
+would be classified as “malicious.”</p>
+
+<p><strong>5. How will you be addressing this issue?</strong></p>
+
+<p><a href="https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf">
+Google Play</a> prohibits apps attempting to
+exploit this issue. Similarly, Verify Apps blocks the installation of apps
+from outside of Google Play that attempt to exploit this issue. Google Nexus
+devices will also be patched as soon as an update is ready and we’ve notified
+Android partners so they can release similar updates.</p>
+
+<p><strong>6. How do I know if I have a device that contains a fix for this issue?</strong></p>
+
+<p>Android has provided two options to our partners to communicate that their
+devices are not vulnerable to this issue. Android devices with a security patch
+level of March 18, 2016 are not vulnerable. Android devices with a security
+patch level of April 2, 2016 and later are not vulnerable to this issue. Refer
+to <a href="https://support.google.com/nexus/answer/4457705">this article</a>
+for instructions on how to check the security patch level.</p>
+
+<h2 id=revisions>Revisions</h2>
+
+
+<ul>
+ <li> March 18, 2016: Advisory published.
+</ul>
+
diff --git a/src/security/advisory/index.jd b/src/security/advisory/index.jd
new file mode 100644
index 0000000..fc8f4ec
--- /dev/null
+++ b/src/security/advisory/index.jd
@@ -0,0 +1,49 @@
+page.title=Android Security Advisories
+@jd:body
+
+<!--
+ Copyright 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<p>Android Security Advisories are a supplement to the
+<a href="{@docRoot}security/bulletin/index.html">Nexus Security Bulletins</a>.
+Android publishes advisories to address issues that may not require security patches
+or Nexus device updates but could still affect an Android user’s overall
+security. Nexus Security Bulletins are accompanied by
+<a href="https://developers.google.com/android/nexus/images">factory device images</a>
+and over-the-air (OTA) device updates to protect users against known
+security issues in the Android ecosystem. Android Security Advisories are meant
+to provide users detailed information and guidance on Android-related
+security issues potentially <em>without</em> an accompanying software update.</p>
+
+<p>However, when updates are available to address issues described in an Android
+Security Advisory, those updates will be made available in a Nexus Security
+Bulletin for Nexus devices. In the Nexus Security Bulletin, we will reference
+the Android Security Advisories that the bulletin addresses.</p>
+
+<p>As with the bulletins, join the
+<a href="https://groups.google.com/forum/#!forum/android-security-updates">Android Security Updates</a>
+group to receive a notification when we publish an advisory.</p>
+
+<table>
+ <tr>
+ <th>Android Security Advisory</th>
+ <th>Published Date</th>
+ </tr>
+ <tr>
+ <td><a href="2016-03-18.html">2016-03-18</a></td>
+ <td>March 18, 2016</td>
+ </tr>
+</table>
+
diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs
index 6e4954c..7b1f074 100644
--- a/src/security/security_toc.cs
+++ b/src/security/security_toc.cs
@@ -50,6 +50,16 @@
</a>
</div>
<ul>
+ <li class="nav-section">
+ <div class="nav-section-header">
+ <a href="<?cs var:toroot ?>security/advisory/index.html">
+ <span class="en">Advisories</span>
+ </a>
+ </div>
+ <ul>
+ <li><a href="<?cs var:toroot ?>security/advisory/2016-03-18.html">2016-03-18</a></li>
+ </ul>
+ </li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-03-01.html">March 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-02-01.html">February 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-01-01.html">January 2016</a></li>
