CVE-2018-14990

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app. These devices contain an that app has a package name of com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1, versionName=RCS_sdk_M_native_20170406_01) with a broadcast receiver app component named com.suntek.mway.rcs.app.test.TestReceiver and a refactored version of the app with a package name of com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) with a broadcast receiver app component named com.rcs.gsma.na.test.TestReceiver allow any app co-located on the device to programmatically send text messages where the number and body of the text message is controlled by the attacker due to an exported broadcast receiver app component. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. A separate vulnerability in the app allows a zero-permission app to programmatically delete text messages, so the sent text messages can be removed to not alert the user.

El dispositivo Coolpad Defiant con una huella digital de compilación de Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, el ZTE ZMAX Pro con una huella digital de compilación ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, y T-Mobile Revvl Plus con una huella digital de compilación de Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys, todos contienen una vulnerabilidad , una aplicación preinstalada de Rich Communication Services (RCS). Estos dispositivos contienen una aplicación que tiene un nombre de paquete de com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1,versionName=RCS_sdk_M_native_20170406_01) con un componente de aplicación de receptor de difución llamado com.suntek.mway.rcs.app.test.TestReceiver y una versión refactorizada de la aplicación con un nombre de paquete com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) con componente de la aplicación del receptor de difusión denominado com.rcs. gsma.na.test.TestReceiver permite que cualquier aplicación dentro del dispositivo envíe mensajes de texto programadamente donde el atacante controla el número y el cuerpo del mensaje de texto debido a un componente exportado de la aplicación del receptor de difusión. Esta aplicación no puede ser desactivada por el usuario y el ataque puede ser realizado por una aplicación de cero permisos. Una vulnerabilidad separada en la aplicación permite que una aplicación con cero permisos elimine programadamente los mensajes de texto, por lo que los mensajes de texto enviados pueden suprimirse para no alertar al usuario.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-05 CVE Reserved
2019-04-25 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-09-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (3)

URL	Tag	Source
https://www.kryptowire.com	Third Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Third Party Advisory

URL	Date	SRC
https://www.kryptowire.com/portal/android-firmware-defcon-2018	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Coolpad Search vendor "Coolpad"	Defiant Firmware Search vendor "Coolpad" for product "Defiant Firmware"	-	-	Affected	in	Coolpad Search vendor "Coolpad"	Defiant Search vendor "Coolpad" for product "Defiant"	-	-	Safe
T-mobile Search vendor "T-mobile"	Revvl Plus Firmware Search vendor "T-mobile" for product "Revvl Plus Firmware"	-	-	Affected	in	T-mobile Search vendor "T-mobile"	Revvl Plus Search vendor "T-mobile" for product "Revvl Plus"	-	-	Safe
T-mobile Search vendor "T-mobile"	Zte Zmax Pro Firmware Search vendor "T-mobile" for product "Zte Zmax Pro Firmware"	-	-	Affected	in	T-mobile Search vendor "T-mobile"	Zte Zmax Pro Search vendor "T-mobile" for product "Zte Zmax Pro"	-	-	Safe