Vulnerability Description
AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitrary new draft SMS messages or trigger additional per-message charges from a network operator for old messages, via a crafted application that broadcasts an intent with the com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Android | <= 4.4.4 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/129282/Android-SMS-Resend.htmlExploit
- http://seclists.org/fulldisclosure/2014/Dec/8Exploit
- http://seclists.org/fulldisclosure/2014/Nov/85
- http://xteam.baidu.com/?p=164Exploit
- https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dVendor Advisory
- https://github.com/joswr1ght/drozer-modules/blob/master/whfs/smsdraftsend.pyExploit
- http://packetstormsecurity.com/files/129282/Android-SMS-Resend.htmlExploit
- http://seclists.org/fulldisclosure/2014/Dec/8Exploit
- http://seclists.org/fulldisclosure/2014/Nov/85
- http://xteam.baidu.com/?p=164Exploit
- https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dVendor Advisory
- https://github.com/joswr1ght/drozer-modules/blob/master/whfs/smsdraftsend.pyExploit
FAQ
What is CVE-2014-8610?
CVE-2014-8610 is a vulnerability with a CVSS score of 3.3 (LOW). AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitra...
How severe is CVE-2014-8610?
CVE-2014-8610 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-8610?
Check the references section above for vendor advisories and patch information. Affected products include: Google Android.