CVE-2019-15408

Vulnerability

The Asus ZenFone 5 Lite (build fingerprint asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys) contains a pre-installed app with package name com.asus.loguploaderproxy (version 7.0.0.4_170901, versionCode 1570000020) that exposes an accessible component. This component can be used by other pre-installed apps to perform command execution. The component is accessible to any app that can obtain signatureOrSystem permissions, which is typical for pre-installed apps [1].

Exploitation

An attacker would need to have a pre-installed app on the device that can obtain signatureOrSystem permissions. Such an app, once it has the necessary permissions, can invoke the exposed component of com.asus.loguploaderproxy to execute arbitrary commands. The attacker does not need root access or user interaction beyond the initial installation of the malicious app (which must be a pre-installed app or have system-level permissions). The specific steps involve crafting an intent to trigger the command execution component [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with system privileges. This can lead to full device compromise, including data exfiltration, installation of additional malware, and persistent control over the device. The impact is high as it affects the confidentiality, integrity, and availability of the device and its data [1].

Mitigation

As of the publication date, no patch was available. The vulnerability exists in the firmware version noted. Users should check for firmware updates from Asus and apply them if available. Since this affects a pre-installed system app, removal or disabling may not be possible without root. The device may be at risk until an update is provided. This CVE is not listed on the CISA KEV as of the report [1].