CVE-2020-24721 - OpenCVE

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework.

Attack Vector Physical

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Exposure Notifications
Google	Exposure Notifications

Configuration 1 [-]

OR	cpe:2.3:a:apple:exposure_notifications::::::iphone_os::*
	cpe:2.3:a:google:exposure_notifications::::::android::*

References

Link	Resource
http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html	Third Party Advisory VDB Entry
https://blog.google/inside-google/company-announcements/update-exposure-notifications	Vendor Advisory
https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt	Third Party Advisory
https://seclists.org/fulldisclosure/2020/Sep/53	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-30T17:43:01

Updated: 2020-10-07T14:21:42

Reserved: 2020-08-27T00:00:00

Link: CVE-2020-24721

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-09-30T18:15:25.193

Modified: 2020-10-22T16:16:12.733

Link: CVE-2020-24721

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-07T14:21:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"name": "FULLDISC: 20200929 CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [vs]", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24721", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.google/inside-google/company-announcements/update-exposure-notifications", "refsource": "MISC", "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"name": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt", "refsource": "MISC", "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"name": "FULLDISC: 20200929 CVE-2020-24721: Corona Exposure Notifications API: risk of coercion/data leakage [vs]", "refsource": "FULLDISC", "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}, {"name": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24721", "datePublished": "2020-09-30T17:43:01", "dateReserved": "2020-08-27T00:00:00", "dateUpdated": "2020-10-07T14:21:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:exposure_notifications:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "CA22CE37-087B-4D32-AC82-13B37111FEE6", "versionEndIncluding": "1.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:google:exposure_notifications:*:*:*:*:*:android:*:*", "matchCriteriaId": "A166EFE6-E9AC-43DA-8762-1E31654FD6DF", "versionEndIncluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-09-29, as used in COVID-19 applications on Android and iOS. It allows a user to be put in a position where he or she can be coerced into proving or disproving an exposure notification, because of the persistent state of a private framework."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en el protocolo GAEN (alias Google/Apple Exposure Notifications) hasta el 29 de septiembre de 2020, tal como se utiliza en las aplicaciones COVID-19 en Android e iOS. Permite poner a un usuario en una posici\u00f3n en la que puede ser coaccionado para probar o refutar una notificaci\u00f3n de exposici\u00f3n, debido al estado persistente de un marco privado"}], "id": "CVE-2020-24721", "lastModified": "2020-10-22T16:16:12.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-30T18:15:25.193", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/159419/Corona-Exposure-Notifications-API-Data-Leakage.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.google/inside-google/company-announcements/update-exposure-notifications"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/minvws/nl-covid19-notification-app-coordination/blob/master/CVEs/CVE-2020-24721.txt"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2020/Sep/53"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}