Sign-up

ID

VAR-201911-0458


CVE

CVE-2019-15389


TITLE

Haier A6 Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-14739 // CNNVD: CNNVD-201911-890

DESCRIPTION

The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more. Haier A6 Android The device is vulnerable to improper assignment of permissions to critical resources.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Haier A6 is a smartphone from Haier of China. Haier A6 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component

Trust: 2.16

sources: NVD: CVE-2019-15389 // JVNDB: JVNDB-2019-012475 // CNVD: CNVD-2020-14739

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-14739

AFFECTED PRODUCTS

vendor:haiermodel:a6scope: - version: -

Trust: 1.4

vendor:haier a6model:haier a6scope:eqversion: -

Trust: 1.0

sources: CNVD: CNVD-2020-14739 // JVNDB: JVNDB-2019-012475 // NVD: CVE-2019-15389

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15389
value: HIGH

Trust: 1.0

NVD: CVE-2019-15389
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-14739
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201911-890
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-15389
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-14739
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15389
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-15389
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-14739 // JVNDB: JVNDB-2019-012475 // CNNVD: CNNVD-201911-890 // NVD: CVE-2019-15389

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-732

Trust: 0.8

sources: JVNDB: JVNDB-2019-012475 // NVD: CVE-2019-15389

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-890

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201911-890

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-012475

PATCH
title:トップページurl:https://www.haier.com/jp/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-012475

EXTERNAL IDS
db:NVDid:CVE-2019-15389
Trust: 3.0
db:JVNDBid:JVNDB-2019-012475
Trust: 0.8
db:CNVDid:CNVD-2020-14739
Trust: 0.6
db:CNNVDid:CNNVD-201911-890
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-14739 // 
            
            
            
            JVNDB: JVNDB-2019-012475 // 
            
            
            
            CNNVD: CNNVD-201911-890 // 
            
            
            
            NVD: CVE-2019-15389

REFERENCES
url:https://www.kryptowire.com/android-firmware-2019/
Trust: 2.4
url:https://nvd.nist.gov/vuln/detail/cve-2019-15389
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15389
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2020-14739 // 
            
            
            
            JVNDB: JVNDB-2019-012475 // 
            
            
            
            CNNVD: CNNVD-201911-890 // 
            
            
            
            NVD: CVE-2019-15389

SOURCES
db:CNVDid:CNVD-2020-14739
db:JVNDBid:JVNDB-2019-012475
db:CNNVDid:CNNVD-201911-890
db:NVDid:CVE-2019-15389

LAST UPDATE DATE
2024-11-23T21:36:32.404000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-14739date:2020-03-01T00:00:00
db:JVNDBid:JVNDB-2019-012475date:2019-12-03T00:00:00
db:CNNVDid:CNNVD-201911-890date:2020-08-25T00:00:00
db:NVDid:CVE-2019-15389date:2024-11-21T04:28:36.720

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-14739date:2020-03-01T00:00:00
db:JVNDBid:JVNDB-2019-012475date:2019-12-03T00:00:00
db:CNNVDid:CNNVD-201911-890date:2019-11-14T00:00:00
db:NVDid:CVE-2019-15389date:2019-11-14T17:15:19.083