CVE-2018-14979 — MEDIUM (4.7)

Vulnerability Description

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials.

CVSS Score

4.7

MEDIUM

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Asus	Zenfone 3 Max Firmware	7.0.0.55
Asus	Zenfone 3 Max	-

Related Weaknesses (CWE)

CWE-200

References

https://www.kryptowire.com/portal/android-firmware-defcon-2018/ExploitThird Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-aExploitThird Party Advisory
https://www.kryptowire.com/portal/android-firmware-defcon-2018/ExploitThird Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-aExploitThird Party Advisory

FAQ

What is CVE-2018-14979?

CVE-2018-14979 is a vulnerability with a CVSS score of 4.7 (MEDIUM). The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package nam...

How severe is CVE-2018-14979?

CVE-2018-14979 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-14979?

Check the references section above for vendor advisories and patch information. Affected products include: Asus Zenfone 3 Max Firmware, Asus Zenfone 3 Max.