JVN#43845108
Multiple FCNT Android devices vulnerable to authentication bypass
Overview
Multiple FCNT Android devices contain an authentication bypass vulnerability.
Products Affected
For NTT DOCOMO, INC.
- arrows N F-51C versions prior to build number V51R057C
- arrows We F-51B versions prior to build number V70RD50A
- arrows We FCG01 versions prior to build number V68RK50A
- arrows We versions prior to build number V71RS50A
Description
Multiple FCNT Android devices provide security features such as "privacy mode", in which arbitrary applications can be set not to be displayed.
The devices contain an authentication bypass vulnerability (CWE-306), where, under certain conditions, the setting pages may be accessed without authentication.
Impact
When an attacker can directly operate a device whose screen has been unlocked by a user, the setting pages of the provided security features may be exposed and/or the settings may be altered without authentication.
For example, specific applications in the device configured to be hidden may be displayed and/or activated.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
FCNT LLC | Vulnerable | 2024/11/29 | FCNT LLC website |
KDDI CORPORATION | Vulnerable | 2024/11/29 | KDDI CORPORATION website |
NTT DOCOMO, INC. | Vulnerable | 2024/11/29 | |
SoftBank Corp. | Vulnerable | 2024/11/29 | SoftBank Corp. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2024-53701 |
JVN iPedia | JVNDB-2024-000123 |