NVD Vulnerability Detail

CVE-2018-14979

Summary	The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi Passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials.
Publication Date	Dec. 29, 2018, 6:29 a.m.
Registration Date	March 1, 2021, 6:58 p.m.
Last Update	Nov. 21, 2024, 12:50 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:asus:zenfone_3_max_firmware:7.0.0.55:::::::*
execution environment
1	cpe:2.3:h:asus:zenfone_3_max:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Exploit Third Party Advisory
2	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Third Party Advisory
3	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Exploit Third Party Advisory
4	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

ASUS ZenFone 3 Max Android デバイスにおける情報漏えいに関する脆弱性

Title	ASUS ZenFone 3 Max Android デバイスにおける情報漏えいに関する脆弱性
Summary	ASUS ZenFone 3 Max Android デバイスには、情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 28, 2018, midnight
Registration Date	March 19, 2019, 5:47 p.m.
Last Update	March 19, 2019, 5:47 p.m.

Affected System

ASUSTeK Computer Inc.

ZenFone 3 Max ファームウェア 7.0.0.55_170515

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-14979	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14979
2	CVE-2018-14979	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14979
National Vulnerability Database (NVD)
3	CVE-2018-14979	https://nvd.nist.gov/vuln/detail/CVE-2018-14979
4	CVE-2018-14979	https://nvd.nist.gov/vuln/detail/CVE-2018-14979

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

その他

No	Name	URL
関連文書
1	DEFCON 2018: Vulnerable Out of the Box - An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/android-firmware-defcon-2018/
2	DEFCON 2018: Vulnerable Out of the Box - An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/android-firmware-defcon-2018/
3	Vulnerable Out of the Box:An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
4	Vulnerable Out of the Box:An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf

Change Log

No	Changed Details	Date of change
1	[2019年03月19日] 掲載	March 19, 2019, 5:47 p.m.
1	[2019年03月19日] 掲載	March 19, 2019, 5:47 p.m.