Vulnerability Note VU#787952
Android and iOS apps contain multiple vulnerabilities
Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).
Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.
Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings in OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.
The CVSS score below reflects a worst-case scenario of code execution as a system user; however, many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
The impacts are wide-ranging and depend on the device; at worst, a remote unauthenticated attacker may be able to execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.
Apply an update
Use caution installing third-party apps
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| cheetah mobile | Affected | 07 Nov 2017 | 14 Aug 2018 |
| distinctdev | Affected | 07 Nov 2017 | 14 Aug 2018 |
| Gameloft | Affected | 07 Nov 2017 | 14 Aug 2018 |
| Hi Security Lab | Affected | 22 Dec 2017 | 14 Aug 2018 |
| Live Me | Affected | 07 Nov 2017 | 14 Aug 2018 |
| psafe | Affected | 07 Nov 2017 | 14 Aug 2018 |
| Tik Tok | Affected | 07 Nov 2017 | 14 Aug 2018 |
| UberEats | Affected | 07 Nov 2017 | 14 Aug 2018 |
| | Not Affected | 07 Nov 2017 | 31 Aug 2018 |
CVSS Metrics
Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.
This document was written by Laurie Tyzenhaus and Garret Wassermann.
- CVE IDs: CVE-2017-13100 CVE-2017-13101 CVE-2017-13102 CVE-2017-13104 CVE-2017-13105 CVE-2017-13106 CVE-2017-13107 CVE-2017-13108 CVE-2017-13103
- Date Public: 10 Aug 2018
- Date First Published: 14 Aug 2018
- Date Last Updated: 14 Sep 2018
- Document Revision: 65