Published: 2016/07/22  Last Updated: 2016/07/25

JVN#06212291
Android OS Contacts app fails to restrict access permissions

Overview

The Contacts app within the Android OS contains a vulnerability where it fails to restrict access permissions.

Products Affected

  • Android OS versions prior to 4.1.2_r1

Description

The Contacts app within the Android OS receives requests for outgoing calls through Intents and hands them to the Dialer app. Because it accepts and processes such Intents from apps that do not hold the CALL_PHONE permission, the Contacts app fails to restrict access permissions.
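The pattern described above, as an added illustration that is not the AOSP change itself: an exported activity that relays call requests to the dialer is declared first with no restriction on who may send it the Intent, then with the `android:permission` attribute so the platform refuses to deliver the Intent unless the sending app itself holds CALL_PHONE. The package, component and action names are assumptions; a real manifest would contain only one of the two activity declarations.

```xml
<!-- Added illustration (not AOSP code). Package, component and action names
     are assumed for the example. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.contacts">

    <!-- The relaying app legitimately holds CALL_PHONE for its own calls. -->
    <uses-permission android:name="android.permission.CALL_PHONE" />

    <application>

        <!-- Weak declaration (the situation the advisory describes): any app
             can send the Intent, and the relay then places the call under its
             own CALL_PHONE grant, so the sender never needs that permission. -->
        <activity android:name=".CallRelayActivityUnguarded"
                  android:exported="true">
            <intent-filter>
                <action android:name="com.example.contacts.action.CALL_CONTACT" />
                <data android:scheme="tel" />
            </intent-filter>
        </activity>

        <!-- Hardened declaration: the same component, but the system checks
             that the calling app holds CALL_PHONE before delivering the Intent.
             Senders without it get a SecurityException at startActivity(). -->
        <activity android:name=".CallRelayActivity"
                  android:exported="true"
                  android:permission="android.permission.CALL_PHONE">
            <intent-filter>
                <action android:name="com.example.contacts.action.CALL_CONTACT" />
                <data android:scheme="tel" />
            </intent-filter>
        </activity>

    </application>
</manifest>
```

An alternative for components that should stay reachable by unprivileged apps is to forward the number with ACTION_DIAL rather than ACTION_CALL, so the dialer is shown and the user must confirm before any call is placed.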

Impact

If a user runs a malicious Android app, that app may cause an unintended outgoing call to be placed.

Solution

Apply an Update
Apply the update according to the information provided by the developer or distributor.

Vendor Status

Vendor                      Status                      Last Update   Vendor Notes
Cybozu, Inc.                Not Vulnerable              2016/07/22
Disney Mobile on SoftBank   Vulnerable, investigating   2016/07/22
KDDI CORPORATION            Vulnerable, investigating   2016/07/25
NTT-CERT                    Not Vulnerable              2016/07/22
Sharp Corporation           Not Vulnerable              2016/07/22
SoftBank                    Vulnerable, investigating   2016/07/22
Y!mobile                    Vulnerable, investigating   2016/07/22

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score: 2.5
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): None (N)
Availability Impact (A): None (N)

CVSS v2: AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score: 2.6
Access Vector (AV): Network (N)
Access Complexity (AC): High (H)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): None (N)
Availability Impact (A): None (N)

Credit

Shifeng, Zhang of Symantec reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JVN iPedia: JVNDB-2016-000128

Update History

2016/07/22: KDDI CORPORATION update status
2016/07/25: KDDI CORPORATION update status