Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-16401

Samsung Galaxy S8 plus (Android version: 8.0.0, Build Number: R16NW.G955USQU5CRG3, Baseband Vendor: Qualcomm Snapdragon 835, Baseband: G955USQU5CRG3), Samsung Galaxy S3 (Android version: 4.3, Build Number: JSS15J.I9300XXUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: I9300XXUGNA8), and Samsung Galaxy Note 2 (Android version: 4.3, Build Number: JSS15J.I9300XUGND5, Baseband Vendor: Samsung Exynos 4412, Baseband: N7100DDUFND1) devices allow injection of AT+CIMI and AT+CGSN over Bluetooth, leaking sensitive information such as IMSI, IMEI, call status, call setup stage, internet service status, signal strength, current roaming status, battery level, and call held status.

Published

2019-11-06T23:15:10.463

Last Modified

2024-11-21T04:30:38.557

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:A/AC:L/Au:N/C:P/I:N/A:N

Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

6.5

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	samsung	galaxy_s8_plus_firmware	-	Yes
Hardware	samsung	galaxy_s8_plus	-	No
Operating System	samsung	galaxy_s3_firmware	-	Yes
Hardware	samsung	galaxy_s3	-	No
Operating System	samsung	galaxy_note_2_firmware	-	Yes
Hardware	samsung	galaxy_note_2	-	No

References

https://www.openconf.org/acsac2019/modules/request.php?module=oc_program&action=summary.php&id=210 Third Party Advisory ([email protected])
https://www.openconf.org/acsac2019/modules/request.php?module=oc_program&action=summary.php&id=210 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)