PT-2018-17661 · Google+1 · Android+1

Published: 2018-08-29 · Updated: 2018-10-29 · CVE-2018-6599

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys

Description: An issue allows attackers to obtain sensitive information, such as text-message content, by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps, but certain apps can leak data to the Android log due to insecure programming practices. Pre-installed system apps and apps signed with the framework key can read from the system-wide Android log. A pre-installed app on the Orbic Wonder can write the Android log to the SD card via com.ckt.mmitest.MmiMainActivity. Any app with the READ_EXTERNAL_STORAGE permission can read from the SD card and obtain the data contained within the Android log. The default messaging app (com.android.mms) writes sensitive information, including text messages and phone numbers, to the Android log.

Recommendations: For Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys, consider disabling the com.ckt.mmitest.MmiMainActivity component to prevent the Android log from being written to the SD card. Restrict access to the READ_EXTERNAL_STORAGE permission to minimize the risk of exploitation. Avoid using the default messaging app (com.android.mms) until the issue is resolved.

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2018-6599

Affected Products

Android
Orbic Wonder