FKIE_CVE-2018-20135
Vulnerability from fkie_nvd - Published: 2019-06-07 16:29 - Updated: 2024-11-21 04:00
Summary
Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostname from the load balancer, and a missing app signature validation in the application XML. An attacker can exploit this vulnerability to achieve Remote Code Execution on the device. The Samsung ID is SVE-2018-12071.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://security.samsungmobile.com/securityUpdate.smsb | Vendor Advisory |
| cve@mitre.org | https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/ | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.samsungmobile.com/securityUpdate.smsb | Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| samsung | galaxy_apps | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:samsung:galaxy_apps:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C5F35474-E0BA-4D63-9E50-A8FF3D29472C",
"versionEndExcluding": "4.4.01.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostname from the load balancer, and a missing app signature validation in the application XML. An attacker can exploit this vulnerability to achieve Remote Code Execution on the device. The Samsung ID is SVE-2018-12071."
},
{
"lang": "es",
"value": "Samsung Galaxy Apps anterior a la versi\u00f3n 4.4.01.7 permite la modificaci\u00f3n del nombre de host usado para el balanceo de carga en instalaciones de aplicaciones mediante un ataque de tipo man-in-the-middle. Un atacante puede enga\u00f1ar a Galaxy apps para que use un nombre de host arbitrario para el que el atacante pueda proporcionar un certificado SSL v\u00e1lido y emular la API de la tienda de aplicaciones para modificar las apps existentes en el momento de la instalaci\u00f3n. El fallo espec\u00edfico implica un m\u00e9todo HTTP para conseguir el nombre de host con equilibrio de carga que aplica SSL solo despu\u00e9s de conseguir un nombre de host del equilibrador de carga y una falta comprobaci\u00f3n de firma de aplicaci\u00f3n en el XML de la aplicaci\u00f3n. Un atacante puede explotar esta vulnerabilidad para lograr la ejecuci\u00f3n de c\u00f3digo remota en el dispositivo. El ID de Samsung es SVE-2018-12071."
}
],
"id": "CVE-2018-20135",
"lastModified": "2024-11-21T04:00:55.430",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-07T16:29:00.393",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.adyta.pt/en/2019/01/29/writeup-samsung-app-store-rce-via-mitm-2/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.