Overview
Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).
Description
Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access. Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
The CVSS score below reflects a worst-case scenario of code execution as a system user; however, many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
Impact
The impacts are wide-ranging depending on the device; however, at worst a remote unauthenticated attacker may be able to execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.
Solution
Apply an update
Use caution installing third-party apps
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Temporal | 6 | E:POC/RL:OF/RC:C |
Environmental | 6.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf
- https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
- http://cwe.mitre.org/data/definitions/295.html
- http://cwe.mitre.org/data/definitions/798.html
- https://www.dhs.gov/sites/default/files/publications/Securing%20Mobile%20Apps%20for%20First%20Responders%20v13_Approved_Final_508.pdf
- https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder
Acknowledgements
Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.
This document was written by Laurie Tyzenhaus and Garret Wassermann.
Other Information
CVE IDs: CVE-2017-13100, CVE-2017-13101, CVE-2017-13102, CVE-2017-13104, CVE-2017-13105, CVE-2017-13106, CVE-2017-13107, CVE-2017-13108, CVE-2017-13103
Date Public: 2018-08-10
Date First Published: 2018-08-14
Date Last Updated: 2018-09-14 19:19 UTC
Document Revision: 67