NVD Vulnerability Detail

CVE-2018-15006

Summary	The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.
Publication Date	Dec. 29, 2018, 6:29 a.m.
Registration Date	March 1, 2021, 6:58 p.m.
Last Update	Nov. 21, 2024, 12:50 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:zteusa:zte_zmax_champ_firmware:6.0.1:::::::*
execution environment
1	cpe:2.3:h:zteusa:zte_zmax_champ:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/106361	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/106361	Third Party Advisory VDB Entry
3	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
4	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
5	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Third Party Advisory
6	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

ZTE ZMAX Champ Android デバイスにおけるリソース管理に関する脆弱性

Title	ZTE ZMAX Champ Android デバイスにおけるリソース管理に関する脆弱性
Summary	ZTE ZMAX Champ Android デバイスには、リソース管理に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 28, 2018, midnight
Registration Date	March 26, 2019, 4:04 p.m.
Last Update	March 26, 2019, 4:04 p.m.

Affected System

ZTE

ZTE ZMAX Champ ファームウェア 6.0.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-15006	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15006
National Vulnerability Database (NVD)
2	CVE-2018-15006	https://nvd.nist.gov/vuln/detail/CVE-2018-15006

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
ZTE
1	Top Page	https://www.zte.com.cn/global/

その他

No	Name	URL
関連文書
1	DEFCON 2018: Vulnerable Out of the Box - An Evaluation of Android Carrier Devices	https://www.kryptowire.com/android-firmware-defcon-2018/
2	Vulnerable Out of the Box:An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
3	ZTE ZMAX Multiple Security Vulnerabilities	https://www.securityfocus.com/bid/106361

Change Log

No	Changed Details	Date of change
1	[2019年03月26日] 掲載	March 26, 2019, 4:04 p.m.