Details of VAR-201507-0368

ID

VAR-201507-0368

CVE

CVE-2015-4034

TITLE

Samsung Galaxy S5 Remote Code Execution Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-04197 // CNNVD: CNNVD-201506-638

DESCRIPTION

The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a serialized MethodSpec object. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. Authentication is not required to exploit this vulnerability.The specific flaw exists within the com.absolute.android.persistence.MethodSpec Class. The createFromParcel() method performs dynamic class loading but does not restrict the source of the classes to be loaded. The Samsung Galaxy S5 is a smartphone released by South Korea's Samsung. Failed exploit attempts will cause a denial-of-service condition

Trust: 3.06

sources: NVD: CVE-2015-4034 // JVNDB: JVNDB-2015-003489 // ZDI: ZDI-15-256 // CNVD: CNVD-2015-04197 // BID: 75403

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-04197

AFFECTED PRODUCTS

vendor:	samsung	model:	galaxy s5	scope:	-	version:	-	Trust: 2.1
vendor:	samsung	model:	galaxy s5	scope:	eq	version:	-	Trust: 1.6
vendor:	samsung	model:	galaxy s5	scope:	eq	version:	0	Trust: 0.3

sources: ZDI: ZDI-15-256 // CNVD: CNVD-2015-04197 // BID: 75403 // JVNDB: JVNDB-2015-003489 // CNNVD: CNNVD-201506-638 // NVD: CVE-2015-4034

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4034
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-4034
value:	HIGH
Trust: 0.8
ZDI:	CVE-2015-4034
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2015-04197
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201506-638
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2015-4034
severity:	HIGH
baseScore:	7.9
vectorString:	AV:A/AC:M/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
CNVD:	CNVD-2015-04197
severity:	HIGH
baseScore:	7.9
vectorString:	AV:A/AC:M/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: ZDI: ZDI-15-256 // CNVD: CNVD-2015-04197 // JVNDB: JVNDB-2015-003489 // CNNVD: CNNVD-201506-638 // NVD: CVE-2015-4034

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2015-003489 // NVD: CVE-2015-4034

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201506-638

TYPE

Unknown

Trust: 0.3

sources: BID: 75403

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003489

PATCH

title:

Samsung Galaxy S5

url:

http://www.samsung.com/jp/microsite/galaxys5/specs.html

Trust: 0.8

sources: JVNDB: JVNDB-2015-003489

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4034	Trust: 4.0
db:	ZDI	id:	ZDI-15-256	Trust: 4.0
db:	BID	id:	75403	Trust: 1.3
db:	JVNDB	id:	JVNDB-2015-003489	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2613	Trust: 0.7
db:	CNVD	id:	CNVD-2015-04197	Trust: 0.6
db:	CNNVD	id:	CNNVD-201506-638	Trust: 0.6

sources: ZDI: ZDI-15-256 // CNVD: CNVD-2015-04197 // BID: 75403 // JVNDB: JVNDB-2015-003489 // CNNVD: CNNVD-201506-638 // NVD: CVE-2015-4034

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-15-256/	Trust: 2.7
url:	http://www.securityfocus.com/bid/75403	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4034	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4034	Trust: 0.8
url:	http://www.zerodayinitiative.com/advisories/zdi-15-256	Trust: 0.6
url:	http://www.samsung.com/global/microsite/galaxys5/	Trust: 0.3

sources: CNVD: CNVD-2015-04197 // BID: 75403 // JVNDB: JVNDB-2015-003489 // CNNVD: CNNVD-201506-638 // NVD: CVE-2015-4034

CREDITS

Team MBSD

Trust: 1.6

sources: ZDI: ZDI-15-256 // BID: 75403 // CNNVD: CNNVD-201506-638

SOURCES

db:	ZDI	id:	ZDI-15-256
db:	CNVD	id:	CNVD-2015-04197
db:	BID	id:	75403
db:	JVNDB	id:	JVNDB-2015-003489
db:	CNNVD	id:	CNNVD-201506-638
db:	NVD	id:	CVE-2015-4034

LAST UPDATE DATE

2024-11-23T23:02:40.653000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-256	date:	2015-06-24T00:00:00
db:	CNVD	id:	CNVD-2015-04197	date:	2015-07-03T00:00:00
db:	BID	id:	75403	date:	2015-06-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-003489	date:	2015-07-13T00:00:00
db:	CNNVD	id:	CNNVD-201506-638	date:	2015-07-01T00:00:00
db:	NVD	id:	CVE-2015-4034	date:	2024-11-21T02:30:19.057

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-15-256	date:	2015-06-24T00:00:00
db:	CNVD	id:	CNVD-2015-04197	date:	2015-07-03T00:00:00
db:	BID	id:	75403	date:	2015-06-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-003489	date:	2015-07-13T00:00:00
db:	CNNVD	id:	CNNVD-201506-638	date:	2015-07-01T00:00:00
db:	NVD	id:	CVE-2015-4034	date:	2015-07-06T14:59:02.407