CVE-2018-14991

 

  • Severity Score: 9.8 (*CVSS v3)
  • Exploit Likelihood: (*EPSS)
  • Affected Versions: (*CPE)
  • Public Exploits: 1 (*Multiple Sources)
  • Exploited in Wild: - (*KEV)
  • Decision: - (*SSVC)

Descriptions

The Coolpad Defiant device with a build fingerprint of Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys, the ZTE ZMAX Pro with a build fingerprint of ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys, and the T-Mobile Revvl Plus with a build fingerprint of Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys all contain a vulnerable, pre-installed Rich Communication Services (RCS) app. These devices contain an app with a package name of com.suntek.mway.rcs.app.service (versionCode=1, versionName=RCS_sdk_M_native_20161008_01; versionCode=1, versionName=RCS_sdk_M_native_20170406_01) and an exported content provider named com.suntek.mway.rcs.app.service.provider.message.MessageProvider, and a refactored version of the app with a package name of com.rcs.gsma.na.sdk (versionCode=1, versionName=RCS_SDK_20170804_01) and a content provider named com.rcs.gsma.na.provider.message.MessageProvider. These apps allow any app co-located on the device to read, write, insert, and modify the user's text messages. This is enabled by an exported content provider app component that serves as a wrapper to the official content provider that contains the user's text messages. This app cannot be disabled by the user and the attack can be performed by a zero-permission app.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-08-05 CVE Reserved
  • 2019-04-25 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • 2024-09-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Coolpad | Defiant Firmware | -- | | Affected
in Coolpad | Defiant | -- | | Safe
T-mobile | Revvl Plus Firmware | -- | | Affected
in T-mobile | Revvl Plus | -- | | Safe
T-mobile | Zte Zmax Pro Firmware | -- | | Affected
in T-mobile | Zte Zmax Pro | -- | | Safe