diff options
Diffstat (limited to 'en/security/advisory/2016-03-18.html')
| -rw-r--r-- | en/security/advisory/2016-03-18.html | 193 |
1 files changed, 0 insertions, 193 deletions
diff --git a/en/security/advisory/2016-03-18.html b/en/security/advisory/2016-03-18.html deleted file mode 100644 index 24484009..00000000 --- a/en/security/advisory/2016-03-18.html +++ /dev/null @@ -1,193 +0,0 @@ -<html devsite> - <head> - <title>Android Security Advisory — 2016-03-18</title> - <meta name="project_path" value="/_project.yaml" /> - <meta name="book_path" value="/_book.yaml" /> - </head> - <body> - <!-- - Copyright 2017 The Android Open Source Project - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - --> - - - -<p><em>Published March 18, 2016</em></p> - -<p>Android Security Advisories are supplemental to the Nexus Security Bulletins. -Refer to our <a href="index.html">summary page</a> for more information about Security Advisories.</p> - -<h2 id=summary>Summary</h2> - -<p>Google has become aware of a rooting application using an unpatched local -elevation of privilege vulnerability in the kernel on some Android devices -(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a>). -For this application to affect a device, the user must first install it. Google -already blocks installation of rooting applications that use this -vulnerability — both within Google Play and outside of Google -Play — using <a href="https://support.google.com/accounts/answer/2812853"> -Verify Apps</a>, and have updated our systems to detect applications that use -this specific vulnerability.</p> - -<p>To provide a final layer of defense for this issue, partners were provided -with a patch for this issue on March 16, 2016. Nexus updates are being created -and will be released within a few days. Source code patches for this issue have -been released to the Android Open Source Project (AOSP) repository.</p> - -<h3 id=background>Background</h3> - -<p>This is a known issue in the upstream Linux kernel that was fixed in April 2014 -but wasn’t called out as a security fix and assigned -<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805">CVE-2015-1805</a> -until February 2, 2015. On February 19, 2016, C0RE Team notified Google that -the issue could be exploited on Android and a patch was developed to be included -in an upcoming regularly scheduled monthly update.</p> - -<p>On March 15, 2016 Google received a -report from Zimperium that this vulnerability had been abused on a Nexus 5 -device. Google has confirmed the existence of a publicly available rooting -application that abuses this vulnerability on Nexus 5 and Nexus 6 to provide -the device user with root privileges.</p> - -<p>This issue is rated as a -<a href="/security/overview/updates-resources.html#severity"> -Critical severity issue</a> due to the possibility of a local privilege escalation -and arbitrary code execution leading to local permanent device compromise.</p> - -<h3 id=scope>Scope</h3> - - -<p>This advisory applies to all unpatched Android devices on kernel versions 3.4, -3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel -version 3.18 or higher are not vulnerable.</p> - -<h3 id=mitigations>Mitigations</h3> - - -<p>The following are mitigations that reduce the likelihood users are impacted -by this issue: </p> - -<ul> - <li> Verify Apps has been updated to block the installation of applications that -we have learned are attempting to exploit this vulnerability both within and outside -of Google Play. - <li> Google Play does not allow rooting applications, like the one seeking to -exploit this issue. - <li> Android devices using <a href="https://support.google.com/nexus/answer/4457705"> -Linux kernel version 3.18</a> or higher are not vulnerable. -</ul> - -<h3 id=acknowledgements>Acknowledgements</h3> - - -<p>Android would like to thank the <a href="http://c0reteam.org/">C0RE Team</a> and -<a href="https://www.zimperium.com/">Zimperium</a> for their contributions to -this advisory.</p> - -<h3 id=suggested_actions>Suggested actions</h3> - - -<p>Android encourages all users to accept updates to their devices when they -are available.</p> - -<h3 id=fixes>Fixes</h3> - - -<p>Google has released a fix in the AOSP repository for multiple kernel versions. -Android partners have been notified of these fixes and are encouraged to apply -them. If further updates are required, Android will publish them directly to AOSP.</p> - -<table> - <tr> - <th>Kernel Version</th> - <th>Patch</th> - </tr> - <tr> - <td>3.4</td> - <td><a href="https://android.googlesource.com/kernel/common/+/f7ebfe91b806501808413c8473a300dff58ddbb5">AOSP patch</a></td> - </tr> - <tr> - <td>3.10</td> - <td><a href="https://android.googlesource.com/kernel/common/+/4a5a45669796c5b4617109182e25b321f9f00beb">AOSP patch</a></td> - </tr> - <tr> - <td>3.14</td> - <td><a href="https://android.googlesource.com/kernel/common/+/bf010e99c9bc48002f6bfa1ad801a59bf996270f">AOSP patch</a></td> - </tr> - <tr> - <td>3.18+</td> - <td>Patched in public Linux kernel</td> - </tr> -</table> - - -<h2 id=common_questions_and_answers>Common Questions and Answers</h2> - - -<p><strong>1. What's the problem?</strong></p> - -<p>An elevation of privilege vulnerability in the kernel could enable a local -malicious application to execute arbitrary code in the kernel. This issue is -rated as a Critical severity due to the possibility of a local permanent device -compromise and the device would possibly need to be repaired by re-flashing the -operating system.</p> - -<p><strong>2. How would an attacker seek to exploit this issue?</strong></p> - -<p>Users who install an application that seeks to exploit this issue are at -risk. Rooting applications (like the one that is exploiting this issue) are -prohibited in Google Play, and Google is blocking the installation of -this application outside of Google Play through Verify Apps. An -attacker would need to convince a user to manually install an affected -application.</p> - -<p><strong>3. Which devices could be affected?</strong></p> - -<p>Google has confirmed that this exploit works on Nexus 5 and 6; however all -unpatched versions of Android contain the vulnerability.</p> - -<p><strong>4. Has Google seen evidence of this vulnerability being abused?</strong></p> - -<p>Yes, Google has seen evidence of this vulnerability being abused on a Nexus 5 using a -publicly available rooting tool. Google has not observed any exploitation that -would be classified as “malicious.”</p> - -<p><strong>5. How will you be addressing this issue?</strong></p> - -<p><a href="https://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf"> -Google Play</a> prohibits apps attempting to -exploit this issue. Similarly, Verify Apps blocks the installation of apps -from outside of Google Play that attempt to exploit this issue. Google Nexus -devices will also be patched as soon as an update is ready and we’ve notified -Android partners so they can release similar updates.</p> - -<p><strong>6. How do I know if I have a device that contains a fix for this issue?</strong></p> - -<p>Android has provided two options to our partners to communicate that their -devices are not vulnerable to this issue. Android devices with a security patch -level of March 18, 2016 are not vulnerable. Android devices with a security -patch level of April 2, 2016 and later are not vulnerable to this issue. Refer -to <a href="https://support.google.com/nexus/answer/4457705">this article</a> -for instructions on how to check the security patch level.</p> - -<h2 id=revisions>Revisions</h2> - - -<ul> - <li> March 18, 2016: Advisory published. -</ul> - - - </body> -</html> |