PT-2018-12856 · Asus+1 · Com.Asus.Loguploader+2

Published: 2018-12-28 · Updated: 2019-02-22 · CVE-2018-14979

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US Phone/ASUS X008 1:7.0/NRD90M/US Phone-14.14.1711.92-20171208:user/release-keys
com.asus.loguploader version 7.0.0.55 170515

Description

The pre-installed app com.asus.loguploader contains an exported service app component named com.asus.loguploader.LogUploaderService. When accessed with a particular action string, it writes sensitive data, including bug reports, Wi-Fi passwords, and system data, to external storage. Any app with the READ_EXTERNAL_STORAGE permission can read this data from the sdcard. This allows unauthorized access to sensitive information, as third-party apps are not supposed to directly create bug reports or access stored wireless network credentials.

Recommendations

For ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US Phone/ASUS X008 1:7.0/NRD90M/US Phone-14.14.1711.92-20171208:user/release-keys, consider disabling the com.asus.loguploader.LogUploaderService to prevent sensitive data from being written to external storage. For com.asus.loguploader version 7.0.0.55 170515, restrict access to the external storage to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2018-14979

Affected Products

Asus Zenfone 3 Max
Android
Com.Asus.Loguploader