Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Android and iOS apps contain multiple vulnerabilities
Information
Name: VU#787952 | First vendor publication: 2018-08-14
Vendor: VU-CERT | Last vendor modification: 2018-09-14
Severity (Vendor): N/A | Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA | Environmental Score: NA
Impact Sub Score: NA | Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score: 5 | Attack Range: Network
CVSS Impact Score: 2.9 | Attack Complexity: Low
CVSS Exploit Score: 10 | Authentication: None Required

Detail

Vulnerability Note VU#787952

Android and iOS apps contain multiple vulnerabilities

Original Release date: 14 Aug 2018 | Last revised: 14 Sep 2018

Overview

Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).

Description

Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.

Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings in OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).

Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.

CWE-295: Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Vulnerable app:
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329


CWE-798: Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Vulnerable apps:
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
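
A way to triage decompiled app sources for the two weakness classes described above (CWE-295 and CWE-798), added here as an example; it is not code from the vulnerability note or from Kryptowire. The regex rules, file names and Java snippets are constructed assumptions, and a hit is a lead for manual review, not proof of a flaw.

```python
import re

# Heuristic indicators for the two weakness classes in the note. The patterns
# are assumptions of this example; they are not taken from the advisory.
RULES = [
    ("CWE-798", "string literal used as key material",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
    ("CWE-798", "credential-like constant assigned a literal",
     re.compile(r'(?i)\b\w*(password|passwd|secret|api_?key)\w*\s*=\s*"[^"]{8,}"')),
    ("CWE-295", "HostnameVerifier.verify always returns true",
     re.compile(r'boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;')),
    ("CWE-295", "checkServerTrusted has an empty body",
     re.compile(r'void\s+checkServerTrusted\s*\([^)]*\)\s*'
                r'(throws\s+[\w.,\s]+)?\{\s*\}')),
]

def scan_source(path, text):
    """Return (path, line, cwe, reason) for every rule hit in one source file."""
    hits = []
    for cwe, reason, pattern in RULES:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1  # 1-based line of the hit
            hits.append((path, line, cwe, reason))
    return sorted(hits)

# Constructed decompiled-style sources; not code from any app named above.
SAMPLES = {
    "ApiClient.java": (
        'class ApiClient {\n'
        '  static final String API_SECRET = "constructed-sample";\n'
        '  SecretKeySpec key() {\n'
        '    return new SecretKeySpec("0123456789abcdef".getBytes(), "AES");\n'
        '  }\n}\n'),
    "TrustAll.java": (
        'class TrustAll implements X509TrustManager, HostnameVerifier {\n'
        '  public void checkServerTrusted(X509Certificate[] c, String a)\n'
        '      throws CertificateException {\n  }\n'
        '  public boolean verify(String host, SSLSession s) { return true; }\n'
        '}\n'),
    "KeystoreClient.java": (
        'class KeystoreClient {\n'
        '  SecretKeySpec key(byte[] fromKeystore) {\n'
        '    return new SecretKeySpec(fromKeystore, "AES");\n  }\n}\n'),
}

def scan_all(sources):
    """Scan every file in a {path: text} mapping, in path order."""
    return [h for path in sorted(sources) for h in scan_source(path, sources[path])]

if __name__ == "__main__":
    for path, line, cwe, reason in scan_all(SAMPLES):
        print(f"{path}:{line}: {cwe}: {reason}")
```
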

The CVSS score below reflects a worst-case scenario of code execution as a system user; however, many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.

Impact

The impacts are wide-ranging depending on the device; however, a remote unauthenticated attacker may be able to at worst execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.

Solution

Apply an update

If available, update your device's system version of Android and apply any available Google Play / Apple Store updates to installed apps.

Use caution installing third-party apps

Apps should be installed only from official sources. Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.

Vendor Information

Vendor | Status | Date Notified | Date Updated
cheetah mobile | Affected | 07 Nov 2017 | 14 Aug 2018
distinctdev | Affected | 07 Nov 2017 | 14 Aug 2018
Gameloft | Affected | 07 Nov 2017 | 14 Aug 2018
Hi Security Lab | Affected | 22 Dec 2017 | 14 Aug 2018
Live Me | Affected | 07 Nov 2017 | 14 Aug 2018
psafe | Affected | 07 Nov 2017 | 14 Aug 2018
Tik Tok | Affected | 07 Nov 2017 | 14 Aug 2018
UberEats | Affected | 07 Nov 2017 | 14 Aug 2018
Pinterest | Not Affected | 07 Nov 2017 | 31 Aug 2018

CVSS Metrics

Group | Score | Vector
Base | 7.6 | AV:N/AC:H/Au:N/C:C/I:C/A:C
Temporal | 6.0 | E:POC/RL:OF/RC:C
Environmental | 6.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf
  • https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
  • http://cwe.mitre.org/data/definitions/295.html
  • http://cwe.mitre.org/data/definitions/798.html
  • https://www.dhs.gov/sites/default/files/publications/Securing%20Mobile%20Apps%20for%20First%20Responders%20v13_Approved_Final_508.pdf
  • https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder

Credit

Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.

This document was written by Laurie Tyzenhaus and Garret Wassermann.

Other Information

  • CVE IDs: CVE-2017-13100, CVE-2017-13101, CVE-2017-13102, CVE-2017-13104, CVE-2017-13105, CVE-2017-13106, CVE-2017-13107, CVE-2017-13108, CVE-2017-13103
  • Date Public: 10 Aug 2018
  • Date First Published: 14 Aug 2018
  • Date Last Updated: 14 Sep 2018
  • Document Revision: 65


Original Source

Url : http://www.kb.cert.org/vuls/id/787952

CWE : Common Weakness Enumeration

% | Id | Name
88 % | CWE-798 | Use of Hard-coded Credentials (CWE/SANS Top 25)
12 % | CWE-295 | Certificate Issues

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1
Application | | 1
Application | | 1
Application | | 1
Application | | 1
Application | | 1
Application | | 1
Application | | 1

Alert History

Date | Information
2018-10-10 21:21:58
  • Multiple Updates
2018-09-15 00:18:21
  • Multiple Updates
2018-09-05 17:18:46
  • Multiple Updates
2018-09-05 00:18:48
  • Multiple Updates
2018-08-31 21:19:09
  • Multiple Updates
2018-08-16 05:20:18
  • Multiple Updates
2018-08-15 21:18:53
  • Multiple Updates
2018-08-15 05:17:24
  • First insertion