PT-2018-12864 · Google+1 · Android+1

Published: 2018-12-28 · Updated: 2019-02-15 · CVE-2018-14988

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: MXQ TV Box version 4.4.2

Description: The Android framework in the MXQ TV Box contains an exported broadcast receiver application component that can make the device inoperable when called. The vulnerable component, com.android.server.SystemRestoreReceiver, writes a specific value to the /cache/recovery/command file and boots into recovery mode, resulting in the system partition being formatted or modified and the device being unable to boot properly. This issue can be triggered by any app co-located on the device without requiring any permission. The device may be recoverable by flashing clean firmware images.

Recommendations: For MXQ TV Box version 4.4.2, as a temporary workaround, consider disabling the com.android.server.SystemRestoreReceiver broadcast receiver component until a patch is available. To fully resolve the issue, the user can try flashing clean firmware images placed on an SD card.
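
A defender-side check for the weakness class described above, as an added example that is not part of the original advisory: it scans a decoded AndroidManifest.xml for receivers that are exported, enabled and carry no permission. Only the receiver class name comes from the advisory; the manifest fragment, package, intent actions and permission names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment. The first receiver's class name is the one named
# in the advisory; package, intent actions and permission names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.framework">
  <application>
    <receiver android:name="com.android.server.SystemRestoreReceiver">
      <intent-filter><action android:name="example.action.PLACEHOLDER_RESTORE"/></intent-filter>
    </receiver>
    <receiver android:name="example.GuardedReceiver"
              android:permission="example.permission.PLACEHOLDER_SIGNATURE">
      <intent-filter><action android:name="example.action.PLACEHOLDER_GUARDED"/></intent-filter>
    </receiver>
    <receiver android:name="example.InternalReceiver" android:exported="false">
      <intent-filter><action android:name="example.action.PLACEHOLDER_INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def unguarded_exported_receivers(manifest_xml):
    """Return names of enabled receivers that any co-located app can broadcast to."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        app_permission = app.get(ANDROID + "permission")
        for receiver in app.findall("receiver"):
            if receiver.get(ANDROID + "enabled", "true") == "false":
                continue  # disabled component, as in the advisory's workaround
            exported = receiver.get(ANDROID + "exported")
            if exported is None:
                # Default on Android 4.4: exported when an intent filter is declared.
                exported = "true" if receiver.find("intent-filter") is not None else "false"
            # A receiver-level permission overrides the application-level one.
            permission = receiver.get(ANDROID + "permission", app_permission)
            if exported == "true" and not permission:
                findings.append(receiver.get(ANDROID + "name"))
    return findings


if __name__ == "__main__":
    for name in unguarded_exported_receivers(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

The check only tests that a permission is declared; whether that permission's protection level actually keeps third-party apps out has to be reviewed separately.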

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2018-14988

Affected Products

Android
Mxq Tv Box