Google has released an emergency security patch to fix the local elevation of privilege vulnerability CVE-2015-1805 affecting the kernel of the Android OS of certain devices.
The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.
The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last month when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.
All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability, meanwhile devices based on Linux kernel version 3.18 or higher are not affected.
Google has already blocked the installation of software that triggers the flaw, both within Google Play and outside of Google Play, through Verify Apps.
“We already block installation of rooting applications that use this vulnerability — both within Google Play and outside of Google Play — using Verify Apps, and have updated our systems to detect applications that use this specific vulnerability.” states the advisory issued by Google.”To provide a final layer of defense for this issue, partners were provided with a patch for this issue on March 16, 2016. Nexus updates are being created and will be released within a few days. Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.”
Google warns owners of vulnerable devices that could be permanently compromised by exploiting the flaw and in some circumstances, it could be necessary a re-flash of the operating system in order to remove malicious applications.
“An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel. This issue is rated as a Critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system.” continue the advisory.
Google has collected evidence of this vulnerability being abused on a Nexus 5 using a publicly available rooting tool, but there is no malicious exploitation of the security flaw.
Google created Nexus updates that will be released within a few days, the company has already notified its partners on this security vulnerability.
“Source code patches for this issue have been released to the Android Open Source Project (AOSP) repository.” states the advisory.
To mitigate the risk of exposure, users should have on their Android devices a security patch level of March 18, 2016, or a security patch level of April 2, 2016 and later.
(Security Affairs – Android, CVE-2015-1805)