CVE-2018-15006

low-risk

Published 2018-12-28

The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Zte Zmax Champ Firmware

Affected Vendors

Zteusa

References (6)

Third Party Advisory http://www.securityfocus.com/bid/106361

Third Party Advisory https://www.kryptowire.com/portal/android-firmware-defcon-2018/

Exploit https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-a...

Third Party Advisory http://www.securityfocus.com/bid/106361

Third Party Advisory https://www.kryptowire.com/portal/android-firmware-defcon-2018/

Exploit https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-a...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal