1 page.title=Android Security Advisory — 2016-03-18 2 @jd:body 3 4 <!-- 5 Copyright 2016 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p><em>Published March 18, 2016</em></p> 28 29 <p>Android Security Advisories are supplemental to the Nexus Security Bulletins. 30 Refer to our <a href="index.html">summary page</a> for more information about Security Advisories.</p> 31 32 <h2 id=summary>Summary</h2> 33 34 <p>Google has become aware of a rooting application using an unpatched local 35 elevation of privilege vulnerability in the kernel on some Android devices 36 (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>). 37 For this application to affect a device, the user must first install it. Google 38 already blocks installation of rooting applications that use this 39 vulnerability — both within Google Play and outside of Google 40 Play — using <a href="https://support.google.com/accounts/answer/2812853"> 41 Verify Apps</a>, and have updated our systems to detect applications that use 42 this specific vulnerability.</p> 43 44 <p>To provide a final layer of defense for this issue, partners were provided 45 with a patch for this issue on March 16, 2016. Nexus updates are being created 46 and will be released within a few days. Source code patches for this issue have 47 been released to the Android Open Source Project (AOSP) repository.</p> 48 49 <h3 id=background>Background</h3> 50 51 <p>This is a known issue in the upstream Linux kernel that was fixed in April 2014 52 but wasnt called out as a security fix and assigned 53 <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a> 54 until February 2, 2015. On February 19, 2016, C0RE Team notified Google that 55 the issue could be exploited on Android and a patch was developed to be included 56 in an upcoming regularly scheduled monthly update.</p> 57 58 <p>On March 15, 2016 Google received a 59 report from Zimperium that this vulnerability had been abused on a Nexus 5 60 device. Google has confirmed the existence of a publicly available rooting 61 application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide 62 the device user with root privileges.</p> 63 64 <p>This issue is rated as a 65 <a href="{@docRoot}security/overview/updates-resources.html#severity"> 66 Critical severity issue</a> due to the possibility of a local privilege escalation 67 and arbitrary code execution leading to local permanent device compromise.</p> 68 69 <h3 id=scope>Scope</h3> 70 71 72 <p>This advisory applies to all unpatched Android devices on kernel versions 3.4, 73 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel 74 version 3.18 or higher are not vulnerable.</p> 75 76 <h3 id=mitigations>Mitigations</h3> 77 78 79 <p>The following are mitigations that reduce the likelihood users are impacted 80 by this issue: </p> 81 82 <ul> 83 <li> Verify Apps has been updated to block the installation of applications that 84 we have learned are attempting to exploit this vulnerability both within and outside 85 of Google Play. 86 <li> Google Play does not allow rooting applications, like the one seeking to 87 exploit this issue. 88 <li> Android devices using <a href="https://support.google.com/nexus/answer/4457705"> 89 Linux kernel version 3.18</a> or higher are not vulnerable. 90 </ul> 91 92 <h3 id=acknowledgements>Acknowledgements</h3> 93 94 95 <p>Android would like to thank the <a href="http://c0reteam.org/">C0RE Team</a> and 96 <a href="https://www.zimperium.com/">Zimperium</a> for their contributions to 97 this advisory.</p> 98 99 <h3 id=suggested_actions>Suggested actions</h3> 100 101 102 <p>Android encourages all users to accept updates to their devices when they 103 are available.</p> 104 105 <h3 id=fixes>Fixes</h3> 106 107 108 <p>Google has released a fix in the AOSP repository for multiple kernel versions. 109 Android partners have been notified of these fixes and are encouraged to apply 110 them. If further updates are required, Android will publish them directly to ASOP.</p> 111 112 <table> 113 <tr> 114 <th>Kernel Version</th> 115 <th>Patch</th> 116 </tr> 117 <tr> 118 <td>3.4</td> 119 <td><a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">AOSP patch</a></td> 120 </tr> 121 <tr> 122 <td>3.10</td> 123 <td><a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">AOSP patch</a></td> 124 </tr> 125 <tr> 126 <td>3.14</td> 127 <td><a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">AOSP patch</a></td> 128 </tr> 129 <tr> 130 <td>3.18+</td> 131 <td>Patched in public Linux kernel</td> 132 </tr> 133 </table> 134 135 136 <h2 id=common_questions_and_answers>Common Questions and Answers</h2> 137 138 139 <p><strong>1. What's the problem?</strong></p> 140 141 <p>An elevation of privilege vulnerability in the kernel could enable a local 142 malicious application to execute arbitrary code in the kernel. This issue is 143 rated as a Critical severity due to the possibility of a local permanent device 144 compromise and the device would possibly need to be repaired by re-flashing the 145 operating system.</p> 146 147 <p><strong>2. How would an attacker seek to exploit this issue?</strong></p> 148 149 <p>Users who install an application that seeks to exploit this issue are at 150 risk. Rooting applications (like the one that is exploiting this issue) are 151 prohibited in Google Play, and Google is blocking the installation of 152 this application outside of Google Play through Verify Apps. An 153 attacker would need to convince a user to manually install an affected 154 application.</p> 155 156 <p><strong>3. Which devices could be affected?</strong></p> 157 158 <p>Google has confirmed that this exploit works on Nexus 5 and 6; however all 159 unpatched versions of Android contain the vulnerability.</p> 160 161 <p><strong>4. Has Google seen evidence of this vulnerability being abused?</strong></p> 162 163 <p>Yes, Google has seen evidence of this vulnerability being abused on a Nexus 5 using a 164 publicly available rooting tool. Google has not observed any exploitation that 165 would be classified as malicious.</p> 166 167 <p><strong>5. How will you be addressing this issue?</strong></p> 168 169 <p><a href="https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf"> 170 Google Play</a> prohibits apps attempting to 171 exploit this issue. Similarly, Verify Apps blocks the installation of apps 172 from outside of Google Play that attempt to exploit this issue. Google Nexus 173 devices will also be patched as soon as an update is ready and weve notified 174 Android partners so they can release similar updates.</p> 175 176 <p><strong>6. How do I know if I have a device that contains a fix for this issue?</strong></p> 177 178 <p>Android has provided two options to our partners to communicate that their 179 devices are not vulnerable to this issue. Android devices with a security patch 180 level of March 18, 2016 are not vulnerable. Android devices with a security 181 patch level of April 2, 2016 and later are not vulnerable to this issue. Refer 182 to <a href="https://support.google.com/nexus/answer/4457705">this article</a> 183 for instructions on how to check the security patch level.</p> 184 185 <h2 id=revisions>Revisions</h2> 186 187 188 <ul> 189 <li> March 18, 2016: Advisory published. 190 </ul> 191 192
