CVE-2018-16271 — MEDIUM (6.5)

Q: How severe is CVE-2018-16271?

CVE-2018-16271 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-16271?

Check the references section above for vendor advisories and patch information. Affected products include: Samsung Galaxy Gear Firmware, Samsung Galaxy Gear, Samsung Gear 2 Firmware, Samsung Gear 2, Samsung Gear Live Firmware.

Vulnerability Description

The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations. An arbitrary email can also be sent from the mailbox via the paired smartphone. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Samsung	Galaxy Gear Firmware	< re2
Samsung	Galaxy Gear	-
Samsung	Gear 2 Firmware	< re2
Samsung	Gear 2	-
Samsung	Gear Live Firmware	< re2
Samsung	Gear Live	-
Samsung	Gear S Firmware	< re2
Samsung	Gear S	-
Samsung	Gear S2 Firmware	< re2
Samsung	Gear S2	-
Samsung	Gear S3 Firmware	< re2
Samsung	Gear S3	-
Samsung	Gear Sport Firmware	< re2
Samsung	Gear Sport	-
Samsung	Gear Fit Firmware	< re2
Samsung	Gear Fit	-
Samsung	Gear Fit 2 Firmware	< re2
Samsung	Gear Fit 2	-
Samsung	Gear Fit 2 Pro Firmware	< re2
Samsung	Gear Fit 2 Pro	-

Related Weaknesses (CWE)

CWE-269

References

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%ExploitThird Party Advisory
https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.beExploitThird Party Advisory
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Dongsung%ExploitThird Party Advisory
https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.beExploitThird Party Advisory

FAQ

What is CVE-2018-16271?

CVE-2018-16271 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy co...

How severe is CVE-2018-16271?

CVE-2018-16271 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-16271?

Check the references section above for vendor advisories and patch information. Affected products include: Samsung Galaxy Gear Firmware, Samsung Galaxy Gear, Samsung Gear 2 Firmware, Samsung Gear 2, Samsung Gear Live Firmware.