CVE-2021-41848

CVSS V2 High 7.2 CVSS V3 High 7.8

Description

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It mishandles software updates such that local third-party apps can provide a spoofed software update file that contains an arbitrary shell script and arbitrary ARM binary, where both will be executed as the root user with an SELinux domain named osi. To exploit this vulnerability, a local third-party app needs to have write access to external storage to write the spoofed update at the expected path. The vulnerable system binary (i.e., /system/bin/osi_bin) does not perform any authentication of the update file beyond ensuring that it is encrypted with an AES key (that is hard-coded in the vulnerable system binary). Processes executing with the osi SELinux domain can programmatically perform the following actions: install apps, grant runtime permissions to apps (including permissions with protection levels of dangerous and development), access extensive Personally Identifiable Information (PII) using the programmatically grant permissions, uninstall apps, set the default launcher app to a malicious launcher app that spoofs other apps, set a network proxy to intercept network traffic, unload kernel modules, set the default keyboard to a keyboard that has keylogging functionality, examine notification contents, send text messages, and more. The spoofed update can optionally contain an arbitrary ARM binary that will be locally stored in internal storage and executed at system startup to achieve persistent code execution as the root user with the osi SELinux domain. This ARM binary will continue to execute at startup even if the app that provided the spoofed update is uninstalled.

Overview

CVE ID
CVE-2021-41848

Assigner
cve@mitre.org

Vulnerability Status
Analyzed

Published Version
2022-03-11T23:15:08

Last Modified Date
2022-07-12T17:42:04

Weakness Enumerations

CWE	URL
CWE-798	http://cwe.mitre.org/data/definitions/798.html

CPE Configuration (Product)

CPE	Vulnerable	Operator
		AND
cpe:2.3:o:bluproducts:g90_firmware:-:::::::*	1	OR
cpe:2.3:h:bluproducts:g90:-:::::::*	0	OR
		AND
cpe:2.3:o:bluproducts:g9_firmware:-:::::::*	1	OR
cpe:2.3:h:bluproducts:g9:-:::::::*	0	OR
		AND
cpe:2.3:o:wikomobile:tommy_3_firmware:-:::::::*	1	OR
cpe:2.3:h:wikomobile:tommy_3:-:::::::*	0	OR
		AND
cpe:2.3:o:wikomobile:tommy_3_plus_firmware:-:::::::*	1	OR
cpe:2.3:h:wikomobile:tommy_3_plus:-:::::::*	0	OR
		AND
cpe:2.3:o:luna:simo_firmware:-:::::::*	1	OR
cpe:2.3:h:luna:simo:-:::::::*	0	OR

CVSS Version 2

Version
2.0

Vector String
AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector
LOCAL

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
COMPLETE

Integrity Impact
COMPLETE

Availability Impact
COMPLETE

Base Score
7.2

Severity
HIGH

Exploitability Score
3.9

Impact Score
10

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
LOCAL

Attack Compatibility
LOW

Privileges Required
LOW

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
7.8

Base Severity
HIGH

Exploitability Score
1.8

Impact Score
5.9

References

Reference URL	Reference Tags
https://athack.com/session-details/401	Third Party Advisory
https://www.kryptowire.com/android-firmware-2022/	Broken Link
https://simowireless.com/	Vendor Advisory
https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/	Exploit Third Party Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2021-41848
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41848

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 15:44:47				Added to TrackCVE
2022-12-06 12:09:25	2022-03-11T23:15Z	2022-03-11T23:15:08	CVE Published Date	updated
2022-12-06 12:09:25		2022-07-12T17:42:04	CVE Modified Date	updated
2022-12-06 12:09:25		Analyzed	Vulnerability Status	updated