CVE-2020-8860 - OpenCVE

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. The specific flaw exists within the Call Control Setup messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the baseband processor. Was ZDI-CAN-9658.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Samsung	Galaxy S10
Google	Android

Configuration 1 [-]

AND

OR	cpe:2.3:o:google:android:8.0:::::::*
	cpe:2.3:o:google:android:8.1:::::::*
	cpe:2.3:o:google:android:9.0:::::::*
	cpe:2.3:o:google:android:10.0:::::::*

cpe:2.3:h:samsung:galaxy_s10:*:*:*:*:*:*:*:*

References

Link	Resource
https://security.samsungmobile.com/securityUpdate.smsb	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-20-255/	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zdi

Published: 2020-02-22T00:00:24

Updated: 2020-02-22T00:00:24

Reserved: 2020-02-11T00:00:00

Link: CVE-2020-8860

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-22T00:15:10.747

Modified: 2020-03-05T18:49:44.873

Link: CVE-2020-8860

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Galaxy S10", "vendor": "Samsung", "versions": [{"status": "affected", "version": "Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets"}]}], "credits": [{"lang": "en", "value": "@fluoroacetate"}], "descriptions": [{"lang": "en", "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. The specific flaw exists within the Call Control Setup messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the baseband processor. Was ZDI-CAN-9658."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-22T00:00:24", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.samsungmobile.com/securityUpdate.smsb"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-255/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2020-8860", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Galaxy S10", "version": {"version_data": [{"version_value": "Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets"}]}}]}, "vendor_name": "Samsung"}]}}, "credit": "@fluoroacetate", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. The specific flaw exists within the Call Control Setup messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the baseband processor. Was ZDI-CAN-9658."}]}, "impact": {"cvss": {"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-121: Stack-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://security.samsungmobile.com/securityUpdate.smsb", "refsource": "MISC", "url": "https://security.samsungmobile.com/securityUpdate.smsb"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-255/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-255/"}]}}}}, "cveMetadata": {"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2020-8860", "datePublished": "2020-02-22T00:00:24", "dateReserved": "2020-02-11T00:00:00", "dateUpdated": "2020-02-22T00:00:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "B578E383-0D77-4AC7-9C81-3F0B8C18E033", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "B06BE74B-83F4-41A3-8AD3-2E6248F7B0B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DFAAD08-36DA-4C95-8200-C29FE5B6B854", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D558D965-FA70-4822-A770-419E73BA9ED3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:samsung:galaxy_s10:*:*:*:*:*:*:*:*", "matchCriteriaId": "94BA540D-E6CA-424D-A352-FF91D1305F92", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. The specific flaw exists within the Call Control Setup messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the baseband processor. Was ZDI-CAN-9658."}, {"lang": "es", "value": "Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en las instalaciones afectadas de los dispositivos Samsung Galaxy S10 G973FXXS3ASJA, versiones de firmware O(8.x), P(9.0), Q(10.0) con chipsets Exynos. Es requerida una interacci\u00f3n del usuario para explotar esta vulnerabilidad, ya que el objetivo debe responder a una llamada telef\u00f3nica. El fallo espec\u00edfico se presenta dentro de los mensajes Call Control Setup. El problema resulta de la falta de comprobaci\u00f3n apropiada de la longitud de los datos suministrados por el usuario antes de copiarlos en un b\u00fafer de longitud fija en la regi\u00f3n stack de la memoria. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del procesador de banda base. Fue ZDI-CAN-9658."}], "id": "CVE-2020-8860", "lastModified": "2020-03-05T18:49:44.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-22T00:15:10.747", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/securityUpdate.smsb"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-255/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}