xref: /docs/source.android.com/en/security/advisory/2016-03-18.html

<html devsite>
  <head>
    <title>Android Security Advisory&hairsp;&mdash;&hairsp;2016-03-18</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->



<p><em>Published March 18, 2016</em></p>

<p>Android Security Advisories are supplemental to the Nexus Security Bulletins.
Refer to our <a href="index.html">summary page</a> for more information about Security Advisories.</p>

<h2 id=summary>Summary</h2>

<p>Google has become aware of a rooting application using an unpatched local
elevation of privilege vulnerability in the kernel on some Android devices
(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>).
For this application to affect a device, the user must first install it. Google
already blocks installation of rooting applications that use this
vulnerability&hairsp;&mdash;&hairsp;both within Google Play and outside of Google
Play&hairsp;&mdash;&hairsp;using <a href="https://support.google.com/accounts/answer/2812853">
Verify Apps</a>, and have updated our systems to detect applications that use
this specific vulnerability.</p>

<p>To provide a final layer of defense for this issue, partners were provided
with a patch for this issue on March 16, 2016. Nexus updates are being created
and will be released within a few days. Source code patches for this issue have
been released to the Android Open Source Project (AOSP) repository.</p>

<h3 id=background>Background</h3>

<p>This is a known issue in the upstream Linux kernel that was fixed in April 2014
but wasnt called out as a security fix and assigned
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>
until February 2, 2015. On February 19, 2016, C0RE Team notified Google that
the issue could be exploited on Android and a patch was developed to be included
in an upcoming regularly scheduled monthly update.</p>

<p>On March 15, 2016 Google received a
report from Zimperium that this vulnerability had been abused on a Nexus 5
device. Google has confirmed the existence of a publicly available rooting
application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide
the device user with root privileges.</p>

<p>This issue is rated as a
<a href="/security/overview/updates-resources.html#severity">
Critical severity issue</a> due to the possibility of a local privilege escalation
and arbitrary code execution leading to local permanent device compromise.</p>

<h3 id=scope>Scope</h3>


<p>This advisory applies to all unpatched Android devices on kernel versions 3.4,
3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel
version 3.18 or higher are not vulnerable.</p>

<h3 id=mitigations>Mitigations</h3>


<p>The following are mitigations that reduce the likelihood users are impacted
by this issue: </p>

<ul>
  <li> Verify Apps has been updated to block the installation of applications that
we have learned are attempting to exploit this vulnerability both within and outside
of Google Play.
  <li> Google Play does not allow rooting applications, like the one seeking to
exploit this issue.
  <li> Android devices using <a href="https://support.google.com/nexus/answer/4457705">
Linux kernel version 3.18</a> or higher are not vulnerable.
</ul>

<h3 id=acknowledgements>Acknowledgements</h3>


<p>Android would like to thank the <a href="http://c0reteam.org/">C0RE Team</a> and
<a href="https://www.zimperium.com/">Zimperium</a> for their contributions to
this advisory.</p>

<h3 id=suggested_actions>Suggested actions</h3>


<p>Android encourages all users to accept updates to their devices when they
are available.</p>

<h3 id=fixes>Fixes</h3>


<p>Google has released a fix in the AOSP repository for multiple kernel versions.
Android partners have been notified of these fixes and are encouraged to apply
them. If further updates are required, Android will publish them directly to ASOP.</p>

<table>
 <tr>
    <th>Kernel Version</th>
    <th>Patch</th>
 </tr>
 <tr>
    <td>3.4</td>
    <td><a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">AOSP patch</a></td>
 </tr>
 <tr>
    <td>3.10</td>
    <td><a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">AOSP patch</a></td>
 </tr>
 <tr>
    <td>3.14</td>
    <td><a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">AOSP patch</a></td>
 </tr>
 <tr>
    <td>3.18+</td>
    <td>Patched in public Linux kernel</td>
 </tr>
</table>


<h2 id=common_questions_and_answers>Common Questions and Answers</h2>


<p><strong>1. What's the problem?</strong></p>

<p>An elevation of privilege vulnerability in the kernel could enable a local
malicious application to execute arbitrary code in the kernel. This issue is
rated as a Critical severity due to the possibility of a local permanent device
compromise and the device would possibly need to be repaired by re-flashing the
operating system.</p>

<p><strong>2. How would an attacker seek to exploit this issue?</strong></p>

<p>Users who install an application that seeks to exploit this issue are at
risk. Rooting applications (like the one that is exploiting this issue) are
prohibited in Google Play, and Google is blocking the installation of
this application outside of Google Play through Verify Apps. An
attacker would need to convince a user to manually install an affected
application.</p>

<p><strong>3. Which devices could be affected?</strong></p>

<p>Google has confirmed that this exploit works on Nexus 5 and 6; however all
unpatched versions of Android contain the vulnerability.</p>

<p><strong>4. Has Google seen evidence of this vulnerability being abused?</strong></p>

<p>Yes, Google has seen evidence of this vulnerability being abused on a Nexus 5 using a
publicly available rooting tool. Google has not observed any exploitation that
would be classified as malicious.</p>

<p><strong>5. How will you be addressing this issue?</strong></p>

<p><a href="https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf">
Google Play</a> prohibits apps attempting to
exploit this issue. Similarly, Verify Apps blocks the installation of apps
from outside of Google Play that attempt to exploit this issue. Google Nexus
devices will also be patched as soon as an update is ready and weve notified
Android partners so they can release similar updates.</p>

<p><strong>6. How do I know if I have a device that contains a fix for this issue?</strong></p>

<p>Android has provided two options to our partners to communicate that their
devices are not vulnerable to this issue. Android devices with a security patch
level of March 18, 2016 are not vulnerable. Android devices with a security
patch level of April 2, 2016 and later are not vulnerable to this issue. Refer
to <a href="https://support.google.com/nexus/answer/4457705">this article</a>
for instructions on how to check the security patch level.</p>

<h2 id=revisions>Revisions</h2>


<ul>
  <li> March 18, 2016: Advisory published.
</ul>


  </body>
</html>