Sign-up

ID

VAR-201904-0566


CVE

CVE-2018-14993


TITLE

ASUS Zenfone V Live Android Command injection vulnerability in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015349

DESCRIPTION

The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. ASUS Zenfone V Live and Asus ZenFone 3 Max are both smartphones based on the Android platform of Taiwan's ASUS (ASUS). ASUS Zenfone V Live (build fingerprint is asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys) and Asus ZenFone 3 Max (build fingerprint is asus/US_Phone/ASUS_X008_1:7.0/NRD90M /US_Phone-14.14.1711.92-20171208: user/release-keys) has a security vulnerability in the com.asus.splendidcommandagent package (versionCode=1510200090, versionName=1.2.0.18_160928)

Trust: 2.25

sources: NVD: CVE-2018-14993 // JVNDB: JVNDB-2018-015349 // CNVD: CNVD-2020-22301 // VULHUB: VHN-125208

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-22301

AFFECTED PRODUCTS

vendor:asusmodel:zenfone 3 maxscope:eqversion: -

Trust: 1.0

vendor:asusmodel:zenfone v livescope:eqversion: -

Trust: 1.0

vendor:asustek computermodel:zenfone 3 maxscope: - version: -

Trust: 0.8

vendor:asustek computermodel:zenfone v livescope: - version: -

Trust: 0.8

vendor:asusmodel:zenfone maxscope:eqversion:3

Trust: 0.6

vendor:asusmodel:zenfone livescope:eqversion:v

Trust: 0.6

sources: CNVD: CNVD-2020-22301 // JVNDB: JVNDB-2018-015349 // NVD: CVE-2018-14993

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14993
value: HIGH

Trust: 1.0

NVD: CVE-2018-14993
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-22301
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201904-1178
value: HIGH

Trust: 0.6

VULHUB: VHN-125208
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-14993
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-22301
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-125208
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14993
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2020-22301 // VULHUB: VHN-125208 // JVNDB: JVNDB-2018-015349 // CNNVD: CNNVD-201904-1178 // NVD: CVE-2018-14993

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-125208 // JVNDB: JVNDB-2018-015349 // NVD: CVE-2018-14993

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201904-1178

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-1178

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015349

PATCH
title:Top Pageurl:https://www.asustor.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-015349

EXTERNAL IDS
db:NVDid:CVE-2018-14993
Trust: 3.1
db:JVNDBid:JVNDB-2018-015349
Trust: 0.8
db:CNVDid:CNVD-2020-22301
Trust: 0.7
db:CNNVDid:CNNVD-201904-1178
Trust: 0.6
db:VULHUBid:VHN-125208
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-22301 // 
            
            
            
            VULHUB: VHN-125208 // 
            
            
            
            JVNDB: JVNDB-2018-015349 // 
            
            
            
            CNNVD: CNNVD-201904-1178 // 
            
            
            
            NVD: CVE-2018-14993

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2018-14993
Trust: 2.0
url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/
Trust: 1.7
url:https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf
Trust: 1.7
url:https://www.kryptowire.com
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14993
Trust: 0.8
url:https://www.kryptowire.com/android-firmware-defcon-2018/
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2020-22301 // 
            
            
            
            VULHUB: VHN-125208 // 
            
            
            
            JVNDB: JVNDB-2018-015349 // 
            
            
            
            CNNVD: CNNVD-201904-1178 // 
            
            
            
            NVD: CVE-2018-14993

SOURCES
db:CNVDid:CNVD-2020-22301
db:VULHUBid:VHN-125208
db:JVNDBid:JVNDB-2018-015349
db:CNNVDid:CNNVD-201904-1178
db:NVDid:CVE-2018-14993

LAST UPDATE DATE
2024-11-23T22:12:06.636000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-22301date:2020-04-11T00:00:00
db:VULHUBid:VHN-125208date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2018-015349date:2019-05-29T00:00:00
db:CNNVDid:CNNVD-201904-1178date:2019-10-23T00:00:00
db:NVDid:CVE-2018-14993date:2024-11-21T03:50:16.837

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-22301date:2020-04-11T00:00:00
db:VULHUBid:VHN-125208date:2019-04-25T00:00:00
db:JVNDBid:JVNDB-2018-015349date:2019-05-29T00:00:00
db:CNNVDid:CNNVD-201904-1178date:2019-04-25T00:00:00
db:NVDid:CVE-2018-14993date:2019-04-25T20:29:00.897