Sign-up

ID

VAR-201812-0109


CVE

CVE-2018-14987


TITLE

MXQ TV Box Android Device permission vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-014553

DESCRIPTION

The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that dynamically registers a broadcast receiver app component named com.android.server.MasterClearReceiver instead of statically registering it in the AndroidManifest.xml file of the core Android package, as done in Android Open Source Project (AOSP) code for Android 4.4.2. The dynamic-registration of the MasterClearReceiver broadcast receiver app component is not protected with the android.permission.MASTER_CLEAR permission during registration, so any app co-located on the device, even those without any permissions, can programmatically initiate a factory reset of the device. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of core Android process. MXQ TV Box Android The device contains a permission vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. MXQ TV Box is a network set-top box based on Android platform

Trust: 1.71

sources: NVD: CVE-2018-14987 // JVNDB: JVNDB-2018-014553 // VULHUB: VHN-125201

AFFECTED PRODUCTS

vendor:mxqmodel:tv boxscope:eqversion:4.4.2

Trust: 1.0

vendor:mxqprojectmodel:mxq tv boxscope:eqversion:4.4.2

Trust: 0.8

sources: JVNDB: JVNDB-2018-014553 // NVD: CVE-2018-14987

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14987
value: HIGH

Trust: 1.0

NVD: CVE-2018-14987
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-1250
value: HIGH

Trust: 0.6

VULHUB: VHN-125201
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-14987
severity: MEDIUM
baseScore: 5.6
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125201
severity: MEDIUM
baseScore: 5.6
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14987
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-125201 // JVNDB: JVNDB-2018-014553 // CNNVD: CNNVD-201812-1250 // NVD: CVE-2018-14987

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.1

problemtype:CWE-275

Trust: 0.9

sources: VULHUB: VHN-125201 // JVNDB: JVNDB-2018-014553 // NVD: CVE-2018-14987

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201812-1250

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201812-1250

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-014553

EXTERNAL IDS
db:NVDid:CVE-2018-14987
Trust: 2.5
db:JVNDBid:JVNDB-2018-014553
Trust: 0.8
db:CNNVDid:CNNVD-201812-1250
Trust: 0.7
db:VULHUBid:VHN-125201
Trust: 0.1
sources:
            
            
            VULHUB: VHN-125201 // 
            
            
            
            JVNDB: JVNDB-2018-014553 // 
            
            
            
            CNNVD: CNNVD-201812-1250 // 
            
            
            
            NVD: CVE-2018-14987

REFERENCES
url:https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf
Trust: 2.5
url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14987
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-14987
Trust: 0.8
url:https://www.kryptowire.com/android-firmware-defcon-2018/
Trust: 0.8
sources:
            
            
            VULHUB: VHN-125201 // 
            
            
            
            JVNDB: JVNDB-2018-014553 // 
            
            
            
            CNNVD: CNNVD-201812-1250 // 
            
            
            
            NVD: CVE-2018-14987

SOURCES
db:VULHUBid:VHN-125201
db:JVNDBid:JVNDB-2018-014553
db:CNNVDid:CNNVD-201812-1250
db:NVDid:CVE-2018-14987

LAST UPDATE DATE
2024-11-23T23:04:55.943000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-125201date:2020-08-24T00:00:00
db:JVNDBid:JVNDB-2018-014553date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201812-1250date:2020-10-23T00:00:00
db:NVDid:CVE-2018-14987date:2024-11-21T03:50:15.600

SOURCES RELEASE DATE
db:VULHUBid:VHN-125201date:2018-12-28T00:00:00
db:JVNDBid:JVNDB-2018-014553date:2019-03-26T00:00:00
db:CNNVDid:CNNVD-201812-1250date:2018-12-29T00:00:00
db:NVDid:CVE-2018-14987date:2018-12-28T21:29:00.497