CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.002 Low
Percentile: 64.3%
Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).
Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.
Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings in OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).
Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.
CWE-295: Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Vulnerable app:
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329
CWE-798: Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Vulnerable apps:
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android
REJECT DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
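A static triage pass for the two weakness classes described above (CWE-295 and CWE-798), as an added example that is not part of the advisory or of Kryptowire's tooling: it flags hard-coded key material and accept-everything TLS handlers in decompiled Java source. The regex rules and the sample class are constructed assumptions, and the rules are heuristics rather than a complete rule set.

```python
import re

# Heuristic patterns for decompiled Java source (assumptions, not a complete rule set).
RULES = [
    ("CWE-798", "string literal used as key material in SecretKeySpec",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
    ("CWE-798", "credential-like constant initialised with a literal",
     re.compile(r'(?i)\b(?:\w*(?:secret|passw(?:or)?d|api_?key|aes_?key)\w*)\s*=\s*"[^"]{8,}"')),
    ("CWE-295", "checkServerTrusted with an empty body accepts any certificate",
     re.compile(r'checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}')),
    ("CWE-295", "HostnameVerifier that always returns true",
     re.compile(r'boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}')),
]

def scan_source(source):
    """Return sorted (line_number, cwe, reason) findings for one source file."""
    findings = []
    for cwe, reason, pattern in RULES:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((line_no, cwe, reason))
    return sorted(findings)

# Constructed sample: not taken from any of the apps listed above.
SAMPLE = '''\
class Net {
    private static final String AES_KEY = "0123456789abcdef";
    SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");
    X509TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {
        }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
    SecretKey fromKeystore = (SecretKey) keyStore.getKey("app", null);
}
'''

if __name__ == "__main__":
    for line_no, cwe, reason in scan_source(SAMPLE):
        print(f"line {line_no}: {cwe}: {reason}")
```

The key loaded from a keystore on the last line of the sample is not flagged; only literals compiled into the source are.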
The CVSS score below reflects a worst-case scenario of code execution as a system user; however, many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
The impacts vary widely depending on the device; at worst, a remote unauthenticated attacker may be able to execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.
Apply an update
If available, update your device’s system version of Android and apply any available Google Play / Apple Store updates to installed apps.
Use caution installing third-party apps
Apps should be installed only from official sources. Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.
787952
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23787952 Feedback>).
Notified: December 22, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS.
Notified: November 07, 2017 Updated: August 14, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android
Notified: November 07, 2017 Updated: August 31, 2018
Statement Date: August 31, 2018
Not Affected
Pinterest was not affected by the vulnerability. Pinterest uses an encryption key for the sole purpose of hindering the reverse engineering of our app. This safety practice is an industry standard that has been used for decades, and it helps Pinterest keep our app safe for our users.
We are not aware of further vendor information regarding this vulnerability.
DISPUTED (CVE-2017-13103) Pinterest, 6.37, 2017-10-24, iOS.
Group | Score | Vector |
---|---|---|
Base | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Temporal | 6 | E:POC/RL:OF/RC:C |
Environmental | 6.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.
This document was written by Laurie Tyzenhaus and Garret Wassermann.
CVE IDs: | CVE-2017-13100, CVE-2017-13101, CVE-2017-13102, CVE-2017-13104, CVE-2017-13105, CVE-2017-13106, CVE-2017-13107, CVE-2017-13108, CVE-2017-13103 |
---|---|
Date Public: | 2018-08-10 Date First Published: |
cwe.mitre.org/data/definitions/295.html
cwe.mitre.org/data/definitions/798.html
media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf
media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder
www.dhs.gov/sites/default/files/publications/Securing%20Mobile%20Apps%20for%20First%20Responders%20v13_Approved_Final_508.pdf