A newly discovered vulnerability in the Linux kernel could allow attackers to gain access to millions of Android devices as well as Linux PCs and servers.
Security firm Perception Point found the bug, indexed as CVE-2016-0728, which has existed for almost three years, since Linux kernel version 3.8 was released in 2013. The company recently developed a proof-of-concept and reported the flaw to the developers who maintain the kernel.
A user with local access to a server could exploit the vulnerability to gain complete root access. Similarly, on Android phones running version 4.4 (KitKat) and later, it could allow a malicious app to control underlying OS functions.
According to Perception Point, “this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices.” That’s worrying given that Android now powers more than 1.4 billion phones and tablets across the globe.
The company says that it hasn’t yet noticed instances of this flaw being exploited in the wild — but until Linux distributions release a fix for it and updates arrive for Android, millions of devices and systems remain at risk of being taken over by hackers.
Update: Google has confirmed that it’s releasing a fix for this issue. Adrian Ludwig from the Android Security team said:
We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater.
In addition, since this issue was released without prior notice to the Android Security Team, we are now investigating the claims made about the significance of this issue to the Android ecosystem. We believe that the number of Android devices affected is significantly smaller than initially reported.
We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.
➤ Analysis and exploitation of a Linux kernel vulnerability (CVE-2016-0728) [Perception Point via Ars Technica]