CVE-2019-15405

Vulnerability

The ASUS ASUS_X00K_1 Android device running build fingerprint asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys includes a pre-installed app with package name com.asus.loguploaderproxy (versionCode=1570000015, versionName=7.0.0.3_161222). This app contains an accessible component that allows other pre-installed apps to perform command execution. The vulnerability is exploitable by any pre-installed app that can obtain signatureOrSystem permissions, which are required by other pre-installed apps that export their capabilities to other pre-installed apps [1].

Exploitation

An attacker with the ability to execute a pre-installed app on the device (that has obtained signatureOrSystem permissions) can leverage the accessible component of the com.asus.loguploaderproxy app. The exact sequence involves invoking the exposed component, which accepts commands and executes them with system-level privileges. No additional user interaction or network access is required beyond having a malicious pre-installed app on the device [1].

Impact

Successful exploitation allows a malicious pre-installed app to execute arbitrary commands with system-level privileges. This can lead to full compromise of the device, including unauthorized access to sensitive data, installation of additional malicious software, or modification of system settings. The scope of compromise is at the system level, impacting confidentiality, integrity, and availability [1].

Mitigation

No official fix or patch has been disclosed in the available references. Users are advised to be cautious about installing third-party apps and to keep the device updated if any security updates become available. The device may be end-of-life (EOL) or no longer receiving updates, making mitigation difficult without replacing the device [1].