Google releases supplemental update to monthly Android Security Advisory

Google has released a supplemental update to its monthly Android Security Advisory after a critical flaw in the Linux kernel was found to be exploited in an unnamed rooting app.

An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.

The flaw as originally reported was scheduled to be patched in a coming monthly security update, but that situation changed after researchers from Zimperium were able to demonstrate an exploit, and an application using it to root a Nexus 5 and a Nexus 6 was discovered.

This fact raised the issue to a Critical severity issue, and the patch has now been sent to AOSP and Android partners.

“Google has become aware of a rooting application using an unpatched local elevation of privilege vulnerability in the kernel on some Android devices (CVE-2015-1805). For this application to affect a device, the user must first install it. We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.”

Google have confirmed that this exploit works on Nexus 5 and 6, and that all unpatched versions of Android contain the vulnerability.

Any Android device using Linux kernel version 3.18 or higher is not affected, such as the Samsung Galaxy S7 which employs Linux kernel 3.18.20

Fixes

Partners were provided with a patch for this issue on March 16, 2016 and Google has released a fix in the AOSP repository for multiple kernel versions.

Android partners have been notified of these fixes and are encouraged to apply them. If further updates are required Google will publish them directly to ASOP.
[table style=”table-striped”]

Kernel Version Patch
3.4 AOSP patch
3.10 AOSP patch
3.14 AOSP patch
3.18+ Patched in public Linux kernel

[/table]
Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.