PT-2018-12868 · Google+1 · Android+1

Published: 2018-12-28 · Updated: 2019-02-07 · CVE-2018-15001

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys

Description
The issue allows any app co-located on the device to initiate the writing of the logcat log, Bluetooth log, and kernel log to external storage through the com.vivo.bsptest.BSPTestActivity component. When logging is enabled, a notification appears in the status bar. Although the user can cancel the logging, it can be re-enabled, since the app with the package name com.vivo.bsptest cannot be disabled. Starting the log writing requires no permission, but the app needs the READ_EXTERNAL_STORAGE permission to access the resulting log files.

Recommendations
For the Vivo V7 Android device with the specified build fingerprint, consider disabling the com.vivo.bsptest.BSPTestActivity component as a temporary workaround to prevent unauthorized log writing. Restrict access to external storage to minimize the risk of log file exploitation. Avoid using the com.vivo.bsptest app until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2018-15001

Affected Products

Android
Vivo V7