ID

VAR-201911-0469


CVE

CVE-2019-15400


TITLE

Improper permission assignment to critical resources vulnerability in Asus ZenFone 3 Ultra Android devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-012424

DESCRIPTION

The Asus ZenFone 3 Ultra Android device with a build fingerprint of asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Asus ZenFone 3 Ultra Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUS ZenFone 3 Ultra is a smartphone from ASUS, Taiwan. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use the vulnerability from other apps on the device to execute unauthorized commands.

Trust: 2.16

sources: NVD: CVE-2019-15400 // JVNDB: JVNDB-2019-012424 // CNVD: CNVD-2020-04134

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-04134

AFFECTED PRODUCTS

vendor: asus, model: zenfone 3 ultra, scope: eq, version: -

Trust: 1.0

vendor: asustek computer, model: zenfone 3 ultra, scope: -, version: -

Trust: 0.8

vendor: asus, model: zenfone ultra build fingerprint: asus ww phone asus a001: nrd90m user release-keys, scope: eq, version: 3//7.0//14.1010.1804.75-20180612:/

Trust: 0.6

sources: CNVD: CNVD-2020-04134 // JVNDB: JVNDB-2019-012424 // NVD: CVE-2019-15400

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15400
value: HIGH

Trust: 1.0

NVD: CVE-2019-15400
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-04134
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201911-903
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-15400
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-04134
severity: MEDIUM
baseScore: 6.8
vectorString: AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15400
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-15400
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-04134 // JVNDB: JVNDB-2019-012424 // CNNVD: CNNVD-201911-903 // NVD: CVE-2019-15400

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-732

Trust: 0.8

sources: JVNDB: JVNDB-2019-012424 // NVD: CVE-2019-15400

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-903

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201911-903

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012424

PATCH

title: ZenFone 3 Ultra (ZU680KL), url: https://www.asus.com/jp/Phone/ZenFone-3-Ultra-ZU680KL/

Trust: 0.8

sources: JVNDB: JVNDB-2019-012424

EXTERNAL IDS

db: NVD, id: CVE-2019-15400

Trust: 3.0

db: JVNDB, id: JVNDB-2019-012424

Trust: 0.8

db: CNVD, id: CNVD-2020-04134

Trust: 0.6

db: CNNVD, id: CNNVD-201911-903

Trust: 0.6

sources: CNVD: CNVD-2020-04134 // JVNDB: JVNDB-2019-012424 // CNNVD: CNNVD-201911-903 // NVD: CVE-2019-15400

REFERENCES

url: https://www.kryptowire.com/android-firmware-2019/

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2019-15400

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15400

Trust: 0.8

sources: CNVD: CNVD-2020-04134 // JVNDB: JVNDB-2019-012424 // CNNVD: CNNVD-201911-903 // NVD: CVE-2019-15400

SOURCES

db: CNVD, id: CNVD-2020-04134
db: JVNDB, id: JVNDB-2019-012424
db: CNNVD, id: CNNVD-201911-903
db: NVD, id: CVE-2019-15400

LAST UPDATE DATE

2024-11-23T21:51:50.859000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-04134, date: 2020-02-07T00:00:00
db: JVNDB, id: JVNDB-2019-012424, date: 2019-12-02T00:00:00
db: CNNVD, id: CNNVD-201911-903, date: 2020-08-25T00:00:00
db: NVD, id: CVE-2019-15400, date: 2024-11-21T04:28:38.403

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-04134, date: 2020-02-07T00:00:00
db: JVNDB, id: JVNDB-2019-012424, date: 2019-12-02T00:00:00
db: CNNVD, id: CNNVD-201911-903, date: 2019-11-14T00:00:00
db: NVD, id: CVE-2019-15400, date: 2019-11-14T17:15:19.817