Published: 2014/12/02  Last Updated: 2014/12/02

JVN#06302787
OS command injection vulnerability in multiple FUJITSU Android devices

Overview

Multiple FUJITSU Android devices contain an OS command injection vulnerability.

Products Affected

Multiple products are affected.
For more information, refer to the information provided by the provider.

Description

Multiple FUJITSU Android devices contain an OS command injection vulnerability.

Impact

An attacker with local access may obtain root privileges and execute arbitrary OS commands.

Solution

Apply an Update
Apply the appropriate update according to the information provided by the provider.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
NTT DOCOMO, INC. | Vulnerable | 2014/12/02 |

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.12.02 (CVSS Base Metrics)

Measures | Severity | Description
Access Vector (AV) | Local (L) / Adjacent Network (A) / Network (N) | A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account.
Access Complexity (AC) | High (H) / Medium (M) / Low (L) | Specialized access conditions exist.
Authentication (Au) | Multiple (M) / Single (S) / None (N) | Authentication is not required to exploit the vulnerability.
Confidentiality Impact (C) | None (N) / Partial (P) / Complete (C) | There is total information disclosure, resulting in all system files being revealed.
Integrity Impact (I) | None (N) / Partial (P) / Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.
Availability Impact (A) | None (N) / Partial (P) / Complete (C) | There is a total shutdown of the affected resource.

Base Score: 6.2

Comment

This analysis was performed under the assumption that physical access to the device is necessary.

Credit

Masaaki Chida of GREE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2014-7253
JVN iPedia: JVNDB-2014-000138