CVE-2019-15414
Description
A pre-installed Asus ZenFone AR app with command execution capability can be abused by other pre-installed apps via exposed components.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Asus ZenFone AR (build fingerprint asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys) contains a pre-installed app with package name com.asus.splendidcommandagent (versionCode=1510200105, versionName=1.2.0.21_180605). This app exposes an accessible component that allows command execution. The vulnerability is reachable by any other pre-installed app on the device that can obtain signatureOrSystem permissions, which are required by other pre-installed apps that export their capabilities [1].
Exploitation
An attacker would need to have a pre-installed app on the device that can acquire signatureOrSystem permissions. No additional user interaction is required because the malicious pre-installed app can directly access the exposed component of com.asus.splendidcommandagent to execute arbitrary commands on the device. The exact sequence involves invoking the accessible component within the target app to perform command execution with system privileges [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the device with the privileges of the com.asus.splendidcommandagent app, which likely runs with system-level permissions. This leads to full compromise of the device's integrity and confidentiality, including potential data theft, installation of additional payloads, or modification of system settings [1].
Mitigation
As of the publication date (2019-11-14), the available reference does not disclose a specific fix or patched version. Users are advised to remove or disable the pre-installed app if possible, or to obtain an updated firmware from Asus that addresses this issue. No CISA KEV listing was identified [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Asus/ZenFone AR
- Range: 7.0 NRD90M / build fingerprint asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] www.kryptowire.com/android-firmware-2019/ (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.