CVE-2014-2388

Description

The Storage and Access service in BlackBerry OS 10.x before 10.2.1.1925 on Q5, Q10, Z10, and Z30 devices does not enforce the password requirement for SMB filesystem access, which allows context-dependent attackers to read arbitrary files via (1) a session over a Wi-Fi network or (2) a session over a USB connection in Development Mode.

Related CPE's

oblackberryblackberry_os********

hblackberryq10-*******

hblackberryq5-*******

hblackberryz10-*******

hblackberryz30-*******

References

http://www.modzero.ch/advisories/MZ-13-04-Blackberry_Z10-File-Exchange-Authentication-By-Pass.txt

Exploit

http://packetstormsecurity.com/files/127850

Exploit

http://www.blackberry.com/btsc/KB36174

Vendor Advisory

69217

60156

http://packetstormsecurity.com/files/127850/BlackBerry-Z10-Authentication-Bypass.html

blackberry-cve20141470-sec-bypass(95263)

blackberry-z10-cve20142388-sec-bypass(95262)

20140812 BlackBerry Z 10 - Storage and Access File-Exchange Authentication By-Pass [MZ-13-04]

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version

2.0

VectorString

AV:A/AC:L/Au:N/C:C/I:N/A:N

AccessVector

ADJACENT_NETWORK

AccessComplexity

LOW

Authentication

NONE

ConfidentialityImpact

COMPLETE

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

6.099999904632568

Created by Yello
About Severity.io