Sign-up

ID

VAR-201808-1007


CVE

CVE-2018-6599


TITLE

Orbic Wonder RC555L Vulnerability related to information disclosure from log files on devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-009600

DESCRIPTION

An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is in an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls. Orbic Wonder RC555L The device contains a vulnerability related to information disclosure from log files.Information may be obtained. OrbicWonder is a smartphone product from Orbic Corporation of the United States

Trust: 2.25

sources: NVD: CVE-2018-6599 // JVNDB: JVNDB-2018-009600 // CNVD: CNVD-2018-17529 // VULHUB: VHN-136631

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-17529

AFFECTED PRODUCTS

vendor:orbicmodel:wonder rc555lscope:eqversion:7.1.2

Trust: 1.6

vendor:orbicmodel:wonder rc555lscope:eqversion:7.1

Trust: 1.6

vendor:orbicmodel:wonder rc555lscope: - version: -

Trust: 0.8

vendor:orbicmodel:wonderscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2018-17529 // JVNDB: JVNDB-2018-009600 // CNNVD: CNNVD-201808-915 // NVD: CVE-2018-6599

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-6599
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-6599
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-17529
value: LOW

Trust: 0.6

CNNVD: CNNVD-201808-915
value: LOW

Trust: 0.6

VULHUB: VHN-136631
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-6599
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-17529
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-136631
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-6599
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-17529 // VULHUB: VHN-136631 // JVNDB: JVNDB-2018-009600 // CNNVD: CNNVD-201808-915 // NVD: CVE-2018-6599

PROBLEMTYPE DATA

problemtype:CWE-532

Trust: 1.9

sources: VULHUB: VHN-136631 // JVNDB: JVNDB-2018-009600 // NVD: CVE-2018-6599

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201808-915

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201808-915

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-009600

PATCH
title:Wonderurl:http://www.orbic.us/phones/details/10
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-009600

EXTERNAL IDS
db:NVDid:CVE-2018-6599
Trust: 3.1
db:JVNDBid:JVNDB-2018-009600
Trust: 0.8
db:CNNVDid:CNNVD-201808-915
Trust: 0.7
db:CNVDid:CNVD-2018-17529
Trust: 0.6
db:VULHUBid:VHN-136631
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-17529 // 
            
            
            
            VULHUB: VHN-136631 // 
            
            
            
            JVNDB: JVNDB-2018-009600 // 
            
            
            
            CNNVD: CNNVD-201808-915 // 
            
            
            
            NVD: CVE-2018-6599

REFERENCES
url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/
Trust: 3.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-6599
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-6599
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2018-17529 // 
            
            
            
            VULHUB: VHN-136631 // 
            
            
            
            JVNDB: JVNDB-2018-009600 // 
            
            
            
            CNNVD: CNNVD-201808-915 // 
            
            
            
            NVD: CVE-2018-6599

SOURCES
db:CNVDid:CNVD-2018-17529
db:VULHUBid:VHN-136631
db:JVNDBid:JVNDB-2018-009600
db:CNNVDid:CNNVD-201808-915
db:NVDid:CVE-2018-6599

LAST UPDATE DATE
2024-11-23T22:52:00.415000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-17529date:2018-09-05T00:00:00
db:VULHUBid:VHN-136631date:2018-10-29T00:00:00
db:JVNDBid:JVNDB-2018-009600date:2018-11-22T00:00:00
db:CNNVDid:CNNVD-201808-915date:2018-08-30T00:00:00
db:NVDid:CVE-2018-6599date:2024-11-21T04:10:58.467

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-17529date:2018-09-05T00:00:00
db:VULHUBid:VHN-136631date:2018-08-29T00:00:00
db:JVNDBid:JVNDB-2018-009600date:2018-11-22T00:00:00
db:CNNVDid:CNNVD-201808-915date:2018-08-30T00:00:00
db:NVDid:CVE-2018-6599date:2018-08-29T19:29:01.187