CVE-2016-3888

internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism, and send premium SMS messages during the Setup Wizard provisioning stage, via unspecified vectors, aka internal bug 29420123.

CVSS v3.0 2.1 LOW
CVSS v2.0 2.1 LOW

2.1^/10

CVSS v3.0 : LOW

V3 Legend

Vector : AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability : 0.7 / Impact : 1.4

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://source.android.com/security/bulletin/2016-09-01.html	Vendor Advisory
https://android.googlesource.com/platform/frameworks/opt/telephony/+/b8d1aee993dcc565e6576b2f2439a8f5a507cff6	Issue Tracking Patch
http://www.securityfocus.com/bid/92857
http://www.securitytracker.com/id/1036763

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:google:android:4.0.3:::::::*
	cpe:2.3:o:google:android:4.0.4:::::::*
	cpe:2.3:o:google:android:4.4:::::::*
	cpe:2.3:o:google:android:4.4.1:::::::*
	cpe:2.3:o:google:android:6.0.1:::::::*
	cpe:2.3:o:google:android:5.1.0:::::::*
	cpe:2.3:o:google:android:7.0:::::::*
	cpe:2.3:o:google:android:4.0:::::::*
	cpe:2.3:o:google:android:4.2.1:::::::*
	cpe:2.3:o:google:android:4.2.2:::::::*
	cpe:2.3:o:google:android:5.0:::::::*
	cpe:2.3:o:google:android:4.2:::::::*
	cpe:2.3:o:google:android:4.1:::::::*
	cpe:2.3:o:google:android:6.0:::::::*
	cpe:2.3:o:google:android:4.0.2:::::::*
	cpe:2.3:o:google:android:4.4.3:::::::*
	cpe:2.3:o:google:android:4.3:::::::*
	cpe:2.3:o:google:android:4.0.1:::::::*
	cpe:2.3:o:google:android:5.0.1:::::::*
	cpe:2.3:o:google:android:4.3.1:::::::*
	cpe:2.3:o:google:android:4.4.2:::::::*
	cpe:2.3:o:google:android:5.1:::::::*
	cpe:2.3:o:google:android:4.1.2:::::::*

Information

Published : 2016-09-11 14:59

Updated : 2017-08-12 18:29

NVD link : CVE-2016-3888

Mitre link : CVE-2016-3888

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

google

android

2.1 /10

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.1 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-3888

2.1^/10

2.1^/10

Attach tags to `CVE-2016-3888`