| page.title=Android Security Advisory — 2016-03-18 |
| @jd:body |
| |
| <!-- |
| Copyright 2016 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <div id="qv-wrapper"> |
| <div id="qv"> |
| <h2>In this document</h2> |
| <ol id="auto-toc"> |
| </ol> |
| </div> |
| </div> |
| |
| <p><em>Published March 18, 2016</em></p> |
| |
| <p>Android Security Advisories are supplemental to the Nexus Security Bulletins. |
| Refer to our <a href="index.html">summary page</a> for more information about Security Advisories.</p> |
| |
| <h2 id=summary>Summary</h2> |
| |
| <p>Google has become aware of a rooting application using an unpatched local |
| elevation of privilege vulnerability in the kernel on some Android devices |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>). |
| For this application to affect a device, the user must first install it. Google |
| already blocks installation of rooting applications that use this |
| vulnerability — both within Google Play and outside of Google |
| Play — using <a href="https://support.google.com/accounts/answer/2812853"> |
| Verify Apps</a>, and have updated our systems to detect applications that use |
| this specific vulnerability.</p> |
| |
| <p>To provide a final layer of defense for this issue, partners were provided |
| with a patch for this issue on March 16, 2016. Nexus updates are being created |
| and will be released within a few days. Source code patches for this issue have |
| been released to the Android Open Source Project (AOSP) repository.</p> |
| |
| <h3 id=background>Background</h3> |
| |
| <p>This is a known issue in the upstream Linux kernel that was fixed in April 2014 |
| but wasn’t called out as a security fix and assigned |
| <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a> |
| until February 2, 2015. On February 19, 2016, C0RE Team notified Google that |
| the issue could be exploited on Android and a patch was developed to be included |
| in an upcoming regularly scheduled monthly update.</p> |
| |
| <p>On March 15, 2016 Google received a |
| report from Zimperium that this vulnerability had been abused on a Nexus 5 |
| device. Google has confirmed the existence of a publicly available rooting |
| application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide |
| the device user with root privileges.</p> |
| |
| <p>This issue is rated as a |
| <a href="{@docRoot}security/overview/updates-resources.html#severity"> |
| Critical severity issue</a> due to the possibility of a local privilege escalation |
| and arbitrary code execution leading to local permanent device compromise.</p> |
| |
| <h3 id=scope>Scope</h3> |
| |
| |
| <p>This advisory applies to all unpatched Android devices on kernel versions 3.4, |
| 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel |
| version 3.18 or higher are not vulnerable.</p> |
| |
| <h3 id=mitigations>Mitigations</h3> |
| |
| |
| <p>The following are mitigations that reduce the likelihood users are impacted |
| by this issue: </p> |
| |
| <ul> |
| <li> Verify Apps has been updated to block the installation of applications that |
| we have learned are attempting to exploit this vulnerability both within and outside |
| of Google Play. |
| <li> Google Play does not allow rooting applications, like the one seeking to |
| exploit this issue. |
| <li> Android devices using <a href="https://support.google.com/nexus/answer/4457705"> |
| Linux kernel version 3.18</a> or higher are not vulnerable. |
| </ul> |
| |
| <h3 id=acknowledgements>Acknowledgements</h3> |
| |
| |
| <p>Android would like to thank the <a href="http://c0reteam.org/">C0RE Team</a> and |
| <a href="https://www.zimperium.com/">Zimperium</a> for their contributions to |
| this advisory.</p> |
| |
| <h3 id=suggested_actions>Suggested actions</h3> |
| |
| |
| <p>Android encourages all users to accept updates to their devices when they |
| are available.</p> |
| |
| <h3 id=fixes>Fixes</h3> |
| |
| |
| <p>Google has released a fix in the AOSP repository for multiple kernel versions. |
| Android partners have been notified of these fixes and are encouraged to apply |
| them. If further updates are required, Android will publish them directly to ASOP.</p> |
| |
| <table> |
| <tr> |
| <th>Kernel Version</th> |
| <th>Patch</th> |
| </tr> |
| <tr> |
| <td>3.4</td> |
| <td><a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">AOSP patch</a></td> |
| </tr> |
| <tr> |
| <td>3.10</td> |
| <td><a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">AOSP patch</a></td> |
| </tr> |
| <tr> |
| <td>3.14</td> |
| <td><a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">AOSP patch</a></td> |
| </tr> |
| <tr> |
| <td>3.18+</td> |
| <td>Patched in public Linux kernel</td> |
| </tr> |
| </table> |
| |
| |
| <h2 id=common_questions_and_answers>Common Questions and Answers</h2> |
| |
| |
| <p><strong>1. What's the problem?</strong></p> |
| |
| <p>An elevation of privilege vulnerability in the kernel could enable a local |
| malicious application to execute arbitrary code in the kernel. This issue is |
| rated as a Critical severity due to the possibility of a local permanent device |
| compromise and the device would possibly need to be repaired by re-flashing the |
| operating system.</p> |
| |
| <p><strong>2. How would an attacker seek to exploit this issue?</strong></p> |
| |
| <p>Users who install an application that seeks to exploit this issue are at |
| risk. Rooting applications (like the one that is exploiting this issue) are |
| prohibited in Google Play, and Google is blocking the installation of |
| this application outside of Google Play through Verify Apps. An |
| attacker would need to convince a user to manually install an affected |
| application.</p> |
| |
| <p><strong>3. Which devices could be affected?</strong></p> |
| |
| <p>Google has confirmed that this exploit works on Nexus 5 and 6; however all |
| unpatched versions of Android contain the vulnerability.</p> |
| |
| <p><strong>4. Has Google seen evidence of this vulnerability being abused?</strong></p> |
| |
| <p>Yes, Google has seen evidence of this vulnerability being abused on a Nexus 5 using a |
| publicly available rooting tool. Google has not observed any exploitation that |
| would be classified as “malicious.”</p> |
| |
| <p><strong>5. How will you be addressing this issue?</strong></p> |
| |
| <p><a href="https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf"> |
| Google Play</a> prohibits apps attempting to |
| exploit this issue. Similarly, Verify Apps blocks the installation of apps |
| from outside of Google Play that attempt to exploit this issue. Google Nexus |
| devices will also be patched as soon as an update is ready and we’ve notified |
| Android partners so they can release similar updates.</p> |
| |
| <p><strong>6. How do I know if I have a device that contains a fix for this issue?</strong></p> |
| |
| <p>Android has provided two options to our partners to communicate that their |
| devices are not vulnerable to this issue. Android devices with a security patch |
| level of March 18, 2016 are not vulnerable. Android devices with a security |
| patch level of April 2, 2016 and later are not vulnerable to this issue. Refer |
| to <a href="https://support.google.com/nexus/answer/4457705">this article</a> |
| for instructions on how to check the security patch level.</p> |
| |
| <h2 id=revisions>Revisions</h2> |
| |
| |
| <ul> |
| <li> March 18, 2016: Advisory published. |
| </ul> |
| |