Description

An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.

Related CPE's

o

bluproducts

g90_firmware

-

Vulnerable

h

bluproducts

g90

-

o

bluproducts

g9_firmware

-

Vulnerable

h

bluproducts

g9

-

o

wikomobile

tommy_3_firmware

-

Vulnerable

h

wikomobile

tommy_3

-

o

wikomobile

tommy_3_plus_firmware

-

Vulnerable

h

wikomobile

tommy_3_plus

-

o

luna

simo_firmware

-

Vulnerable

h

luna

simo

-

References

https://athack.com/session-details/401

Third Party Advisory

https://simowireless.com/

Vendor Advisory

https://www.kryptowire.com/android-firmware-2022/

Broken Link

https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/

ExploitThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-200CWE-319

CVSS impact metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2022-03-11T23:15:09.223

3 years ago

Last modified

2023-08-08T14:22:24.967

1 year ago