CVE-2019-15381

Vulnerability

The BQ 5515L Android device (build fingerprint BQru/BQru-5515L/BQru-5515L:8.1.0/O11019/20180409.195525:user/release-keys) includes a pre-installed application with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0). This app exposes an exported interface that allows any app co-located on the device to modify a system property without proper authorization [1]. The vulnerability exists in the factory firmware configuration and is not a user-installable component.

Exploitation

An attacker requires only that a malicious app be installed on the device, with no additional permissions or user interaction beyond installation. The malicious app can call the exported interface of the com.mediatek.wfo.impl app to modify arbitrary system properties, as there is no authorization check on the interface [1]. No special network position or authentication is needed; the attack is performed locally from within the device.

Impact

Successful exploitation allows the attacker to change system properties on the device. This can lead to various security impacts, including potentially altering device behavior, disabling security features, or enabling other attacks. The exact impact depends on the modified property, but it represents a compromise of system integrity and potentially availability or confidentiality [1].

Mitigation

As of the publication date (2019-11-14), no official patch or updated firmware has been disclosed in the available references [1]. Users should monitor the vendor for security updates. The device may be end-of-life; consider replacing it if no update is provided. Disabling or uninstalling the vulnerable app may not be possible on unmodified devices. No known KEV listing exists.