CERTVU:787952Android and iOS apps contain multiple vulnerabilities
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
64.3%
Overview
Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).
Description
Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.
Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via pre OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).
Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.
CWE-295: Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Vulnerable app:
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329
CWE-798: Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Vulnerable apps:
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android
REJECT DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
The CVSS score below reflects a worst-case scenario of code execution as a system user, however many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
Impact
The impacts are wide-ranging depending on the device, however a remote unauthenticated attacker may be able to at worst execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.
Solution
Apply an update
If available, update your device’s system version of Android and apply any available Google Play / Apple Store updates to installed apps.
Use caution installing third-party apps
Apps should be installed only from official sources. Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.
Vendor Information
787952
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Gameloft __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
Hi Security Lab __ Affected
Notified: December 22, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
Live Me __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android,
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
Tik Tok __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS,
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
UberEats __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS,
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
cheetah mobile __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android,
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
distinctdev __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
psafe __ Affected
Notified: November 07, 2017 Updated: August 14, 2018
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android,.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
Pinterest __ Not Affected
Notified: November 07, 2017 Updated: August 31, 2018
Statement Date: August 31, 2018
Status
Not Affected
Vendor Statement
Pinterest was not affected by the vulnerability. Pinterest uses an encryption key for the sole purpose of hindering the reverse engineering of our app. This safety practice is an industry standard that has been used for decades, and it helps Pinterest keep our app safe for our users.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
DISPUTED (CVE-2017-13103) Pinterest, 6.37, 2017-10-24, iOS.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| Temporal | 6 | E:POC/RL:OF/RC:C |
| Environmental | 6.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- <https://media.defcon.org/DEF CON 26/DEF CON 26 presentations/Ryan Johnson and Angelos Stavrou - Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf>
- <https://media.defcon.org/DEF CON 26/DEF CON 26 presentations/Ryan Johnson and Angelos Stavrou - Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf>
- <http://cwe.mitre.org/data/definitions/295.html>
- <http://cwe.mitre.org/data/definitions/798.html>
- <https://www.dhs.gov/sites/default/files/publications/Securing Mobile Apps for First Responders v13_Approved_Final_508.pdf>
- <https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder>
Acknowledgements
Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.
This document was written by Laurie Tyzenhaus and Garret Wassermann.
Other Information
| CVE IDs: | CVE-2017-13100, CVE-2017-13101, CVE-2017-13102, CVE-2017-13104, CVE-2017-13105, CVE-2017-13106, CVE-2017-13107, CVE-2017-13108, CVE-2017-13103 |
|---|---|
| Date Public: | 2018-08-10 Date First Published: |
References
cwe.mitre.org/data/definitions/295.html
cwe.mitre.org/data/definitions/798.html
media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf
media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder
www.dhs.gov/sites/default/files/publications/Securing%20Mobile%20Apps%20for%20First%20Responders%20v13_Approved_Final_508.pdf
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
64.3%