Google has released a patch for Android to address a Linux kernel vulnerability disclosed earlier this week by Perception Point, but the search giant believes the number of affected devices is smaller than initially reported.
Perception Point revealed on Tuesday that millions of Linux PCs and servers, and roughly two-thirds of Android smartphones and tablets could be affected by a local privilege escalation flaw (CVE-2016-0728) that allows an attacker to achieve kernel code execution and gain root privileges on the targeted system.
The vulnerability is related to the keyring, a facility that allows drivers to retain and cache security data, encryption and authentication keys, and other data in the kernel. The security bug, caused by a reference leak in the keyring, can be exploited by an attacker who has an account on the system, or is able to instruct the system to run code on their behalf.
The Israel-based security startup said the vulnerability impacts version 3.8 and later of the Linux kernel and Android devices running version 4.4 and later.
Many Linux distributions have already released patches to address the issue. Despite not being notified before the details of the vulnerability were disclosed, Google’s Android Security Team has also prepared a fix, which it released to open source and provided to its partners earlier this week.
“This patch will be required on all devices with a security patch level of March 1 2016 or greater,” Google’s Adrian Ludwig said in a post on Google+.
Ludwig says the company is investigating the impact of the flaw, but believes that Nexus devices are not vulnerable and devices with Android 5.0 and greater are protected by the SELinux policy, which prevents third-party apps from reaching the buggy code. The search giant believes many devices running Android 4.4 and earlier are not affected since they don’t contain the problematic code.
According to Perception Point, while SELinux might make it more difficult to exploit the vulnerability, the protection can be bypassed. Furthermore, Red Hat’s advisory for the security bug says SELinux does not mitigate the issue.
Some experts said the Linux PoC exploit released by Perception Point is stable, but others could not get it to work properly. The security firm said it takes roughly 30 minutes to run the exploit on an Intel Core i7-5500 CPU, but noted that time is usually not an issue when it comes to privilege escalation exploits. A PoC exploit for Android has yet to be released.