NVD Vulnerability Detail

CVE-2018-14993

Summary	The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more.
Publication Date	April 26, 2019, 5:29 a.m.
Registration Date	March 1, 2021, 6:58 p.m.
Last Update	Nov. 21, 2024, 12:50 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:asus:zenfone_v_live_firmware:-:::::::*
execution environment
1	cpe:2.3:h:asus:zenfone_v_live:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:asus:zenfone_3_max_firmware:-:::::::*
execution environment
1	cpe:2.3:h:asus:zenfone_3_max:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://www.kryptowire.com	Third Party Advisory
2	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
3	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Technical Description Third Party Advisory
4	https://www.kryptowire.com	Third Party Advisory
5	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Technical Description Third Party Advisory
6	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

ASUS Zenfone V Live Android デバイスにおけるコマンドインジェクションの脆弱性

Title	ASUS Zenfone V Live Android デバイスにおけるコマンドインジェクションの脆弱性
Summary	ASUS Zenfone V Live Android デバイスには、コマンドインジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 5, 2018, midnight
Registration Date	May 29, 2019, noon
Last Update	May 29, 2019, noon

Affected System

ASUSTeK Computer Inc.

ZenFone 3 Max ファームウェア

Zenfone V Live ファームウェア

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-14993	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14993
National Vulnerability Database (NVD)
2	CVE-2018-14993	https://nvd.nist.gov/vuln/detail/CVE-2018-14993

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-77	https://cwe.mitre.org/data/definitions/77.html

ベンダー情報

No	Name	URL
ASUS
1	Top Page	https://www.asustor.com/

その他

No	Name	URL
関連文書
1	DEFCON 2018: Vulnerable Out of the Box - An Evaluation of Android Carrier Devices	https://www.kryptowire.com/android-firmware-defcon-2018/

Change Log

No	Changed Details	Date of change
1	[2019年05月29日] 掲載	May 29, 2019, noon