ID

VAR-201812-0123


CVE

CVE-2018-14979


TITLE

ASUS ZenFone 3 Max Android Information disclosure vulnerabilities in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-014391

DESCRIPTION

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials. Attackers can use the vulnerability to write vulnerability reports (kernel logs, logcat logs, and activity notification texts and other system service status), Wi-Fi passwords, and other system data to the SD card

Trust: 2.25

sources: NVD: CVE-2018-14979 // JVNDB: JVNDB-2018-014391 // CNVD: CNVD-2020-22296 // VULHUB: VHN-125192

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22296

AFFECTED PRODUCTS

vendor:asusmodel:zenfone 3 maxscope:eqversion:7.0.0.55

Trust: 1.0

vendor:asustek computermodel:zenfone 3 maxscope:eqversion:7.0.0.55_170515

Trust: 0.8

vendor:asusmodel:zenfone maxscope:eqversion:3

Trust: 0.6

sources: CNVD: CNVD-2020-22296 // JVNDB: JVNDB-2018-014391 // NVD: CVE-2018-14979

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14979
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-14979
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-22296
value: LOW

Trust: 0.6

CNNVD: CNNVD-201812-1246
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125192
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-14979
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-22296
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-125192
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14979
baseSeverity: MEDIUM
baseScore: 4.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.0
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2020-22296 // VULHUB: VHN-125192 // JVNDB: JVNDB-2018-014391 // CNNVD: CNNVD-201812-1246 // NVD: CVE-2018-14979

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-125192 // JVNDB: JVNDB-2018-014391 // NVD: CVE-2018-14979

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201812-1246

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201812-1246

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014391

PATCH

title:Top Pageurl:https://www.asustor.com/

Trust: 0.8

sources: JVNDB: JVNDB-2018-014391

EXTERNAL IDS

db:NVDid:CVE-2018-14979

Trust: 3.1

db:JVNDBid:JVNDB-2018-014391

Trust: 0.8

db:CNVDid:CNVD-2020-22296

Trust: 0.7

db:CNNVDid:CNNVD-201812-1246

Trust: 0.7

db:VULHUBid:VHN-125192

Trust: 0.1

sources: CNVD: CNVD-2020-22296 // VULHUB: VHN-125192 // JVNDB: JVNDB-2018-014391 // CNNVD: CNNVD-201812-1246 // NVD: CVE-2018-14979

REFERENCES

url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/

Trust: 2.5

url:https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-14979

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14979

Trust: 0.8

sources: CNVD: CNVD-2020-22296 // VULHUB: VHN-125192 // JVNDB: JVNDB-2018-014391 // CNNVD: CNNVD-201812-1246 // NVD: CVE-2018-14979

SOURCES

db:CNVDid:CNVD-2020-22296
db:VULHUBid:VHN-125192
db:JVNDBid:JVNDB-2018-014391
db:CNNVDid:CNNVD-201812-1246
db:NVDid:CVE-2018-14979

LAST UPDATE DATE

2024-11-23T22:58:48.880000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-22296date:2020-04-11T00:00:00
db:VULHUBid:VHN-125192date:2019-02-22T00:00:00
db:JVNDBid:JVNDB-2018-014391date:2019-03-19T00:00:00
db:CNNVDid:CNNVD-201812-1246date:2019-02-25T00:00:00
db:NVDid:CVE-2018-14979date:2024-11-21T03:50:14.280

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-22296date:2020-04-11T00:00:00
db:VULHUBid:VHN-125192date:2018-12-28T00:00:00
db:JVNDBid:JVNDB-2018-014391date:2019-03-19T00:00:00
db:CNNVDid:CNNVD-201812-1246date:2018-12-29T00:00:00
db:NVDid:CVE-2018-14979date:2018-12-28T21:29:00.247