Sign-up

ID

VAR-201701-0480


CVE

CVE-2016-10135


TITLE

MTK Use chipset LG Vulnerabilities in devices that allow access to arbitrary third-party applications

Trust: 0.8

sources: JVNDB: JVNDB-2016-006891

DESCRIPTION

An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user's outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019. MTK Use chipset LG The device contains a vulnerability that allows access to arbitrary third-party applications. Lgmobile is an Android smartphone owned by LG. There are multiple security bypass vulnerabilities in several LGAndroid MobileDevices. An attacker could exploit the vulnerability to bypass certain security restrictions and perform unauthorized operations

Trust: 2.43

sources: NVD: CVE-2016-10135 // JVNDB: JVNDB-2016-006891 // CNVD: CNVD-2017-05315 // BID: 96846

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-05315

AFFECTED PRODUCTS

vendor:lgmodel:mobilescope:eqversion:5.0

Trust: 2.2

vendor:lgmodel:mobilescope:eqversion:5.1

Trust: 2.2

vendor:lgmodel:mobilescope:eqversion:6.0

Trust: 2.2

vendor:lgmodel:mobilescope:eqversion:6.0.1

Trust: 2.2

vendor:lgmodel:mobilescope:eqversion:7.0

Trust: 2.2

vendor:lgmodel:mobilescope: - version: -

Trust: 0.8

vendor:googlemodel:androidscope:eqversion:6.0.1

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:7.0

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:6.0

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:5.1

Trust: 0.3

vendor:googlemodel:androidscope:eqversion:5.0

Trust: 0.3

vendor:blumodel:r1 hdscope:eqversion:0

Trust: 0.3

vendor:blumodel:advancescope:eqversion:5.0

Trust: 0.3

vendor:alcomodel:electronics rca voyager tabletscope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2017-05315 // BID: 96846 // JVNDB: JVNDB-2016-006891 // CNNVD: CNNVD-201701-366 // NVD: CVE-2016-10135

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-10135
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-10135
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-05315
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201701-366
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2016-10135
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-05315
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2016-10135
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-05315 // JVNDB: JVNDB-2016-006891 // CNNVD: CNNVD-201701-366 // NVD: CVE-2016-10135

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2016-006891 // NVD: CVE-2016-10135

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201701-366

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201701-366

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-006891

PATCH
title:LG Mobile Security Maintenance Releases (SMR-JAN-2017)url:https://lgsecurity.lge.com/security_updates.html
Trust: 0.8
title:Multiple LGAndroid MobileDevices have multiple security bypass bugsurl:https://www.cnvd.org.cn/patchInfo/show/92354
Trust: 0.6
title:Various mobile phone product information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74760
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-05315 // 
            
            
            
            JVNDB: JVNDB-2016-006891 // 
            
            
            
            CNNVD: CNNVD-201701-366

EXTERNAL IDS
db:NVDid:CVE-2016-10135
Trust: 3.3
db:BIDid:96846
Trust: 1.9
db:JVNDBid:JVNDB-2016-006891
Trust: 0.8
db:CNVDid:CNVD-2017-05315
Trust: 0.6
db:CNNVDid:CNNVD-201701-366
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-05315 // 
            
            
            
            BID: 96846 // 
            
            
            
            JVNDB: JVNDB-2016-006891 // 
            
            
            
            CNNVD: CNNVD-201701-366 // 
            
            
            
            NVD: CVE-2016-10135

REFERENCES
url:https://lgsecurity.lge.com/security_updates.html
Trust: 1.9
url:http://www.securityfocus.com/bid/96846
Trust: 1.6
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10135
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-10135
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2016-10135
Trust: 0.6
url:http://www.lge.com/index.do
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-05315 // 
            
            
            
            BID: 96846 // 
            
            
            
            JVNDB: JVNDB-2016-006891 // 
            
            
            
            CNNVD: CNNVD-201701-366 // 
            
            
            
            NVD: CVE-2016-10135

CREDITS
The vendor reported these issues.
Trust: 0.3
sources:
            
            
            BID: 96846

SOURCES
db:CNVDid:CNVD-2017-05315
db:BIDid:96846
db:JVNDBid:JVNDB-2016-006891
db:CNNVDid:CNNVD-201701-366
db:NVDid:CVE-2016-10135

LAST UPDATE DATE
2025-04-20T23:40:12.422000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-05315date:2017-04-25T00:00:00
db:BIDid:96846date:2017-03-16T01:02:00
db:JVNDBid:JVNDB-2016-006891date:2017-01-30T00:00:00
db:CNNVDid:CNNVD-201701-366date:2017-09-29T00:00:00
db:NVDid:CVE-2016-10135date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-05315date:2017-04-25T00:00:00
db:BIDid:96846date:2017-01-13T00:00:00
db:JVNDBid:JVNDB-2016-006891date:2017-01-30T00:00:00
db:CNNVDid:CNNVD-201701-366date:2017-01-13T00:00:00
db:NVDid:CVE-2016-10135date:2017-01-13T09:59:00.140