Executive Summary
Summary | |
---|---|
Title | 802.1X password exploit on many HTC Android devices |
Information | |||
---|---|---|---|
Name | VU#763355 | First vendor Publication | 2012-02-01 |
Vendor | VU-CERT | Last vendor Modification | 2012-02-01 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.6 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | High |
Cvss Exploit Score | 4.9 | Authentication | None Required |
Detail
Vulnerability Note VU#763355

802.1X password exploit on many HTC Android devices

Overview

A user's 802.1X WiFi credentials and SSID information may be exposed to any application with basic WiFi permissions on certain HTC builds of Android.

I. Description

Any Android application on an affected HTC build with the android.permission.ACCESS_WIFI_STATE permission can use the .toString() member of the WifiConfiguration class to view all 802.1X credentials and SSID information. If the same application also has the android.permission.INTERNET permission then that application can harvest the credentials and exfiltrate them to a server on the Internet.

The following devices have been reported as affected:

II. Impact

An attacker may be able to view and exfiltrate WiFi SSID information and credentials.

III. Solution

Apply an Update

Users with an affected HTC phone should visit the HTC support site for instructions on how to update their phone. In some cases, the update will be automatically delivered to the phone.

References

http://www.htc.com/www/help/

Credit

Thanks to Chris Hessing and Bret Jordan for reporting this vulnerability. This document was written by Jared Allar.

Other Information

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify
Original Source
Url : http://www.kb.cert.org/vuls/id/763355
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Hardware | | 2 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |
Hardware | | 1 |