| Summary | On some Samsung phones and tablets running Android through 7.1.1, it is possible for an attacker-controlled Bluetooth Low Energy (BLE) device to pair silently with a vulnerable target device, without any user interaction, when the target device's Bluetooth is on, and it is running an app that offers a connectable BLE advertisement. An example of such an app could be a Bluetooth-based contact tracing app, such as Australia's COVIDSafe app, Singapore's TraceTogether app, or France's TousAntiCovid (formerly StopCovid). As part of the pairing process, two pieces (among others) of personally identifiable information are exchanged: the Identity Address of the Bluetooth adapter of the target device, and its associated Identity Resolving Key (IRK). Either one of these identifiers can be used to perform re-identification of the target device for long term tracking. The list of affected devices includes (but is not limited to): Galaxy Note 5, Galaxy S6 Edge, Galaxy A3, Tab A (2017), J2 Pro (2018), Galaxy Note 4, and Galaxy S5. |
|---|---|
| Publication Date | Dec. 25, 2020, 3:15 a.m. |
| Registration Date | Jan. 26, 2021, 11:58 a.m. |
| Last Update | Nov. 21, 2024, 2:27 p.m. |
| CVSS3.1 : HIGH | |
| スコア | 8.8 |
|---|---|
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 攻撃元区分(AV) | 隣接 |
| 攻撃条件の複雑さ(AC) | 低 |
| 攻撃に必要な特権レベル(PR) | 不要 |
| 利用者の関与(UI) | 不要 |
| 影響の想定範囲(S) | 変更なし |
| 機密性への影響(C) | 高 |
| 完全性への影響(I) | 高 |
| 可用性への影響(A) | 高 |
| CVSS2.0 : MEDIUM | |
| Score | 5.4 |
|---|---|
| Vector | AV:A/AC:M/Au:N/C:P/I:P/A:P |
| 攻撃元区分(AV) | 隣接 |
| 攻撃条件の複雑さ(AC) | 中 |
| 攻撃前の認証要否(Au) | 不要 |
| 機密性への影響(C) | 低 |
| 完全性への影響(I) | 低 |
| 可用性への影響(A) | 低 |
| Get all privileges. | いいえ |
| Get user privileges | いいえ |
| Get other privileges | いいえ |
| User operation required | いいえ |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:o:google:android:*:*:*:*:*:*:*:* | 7.1.1 | ||||
| execution environment | |||||
| 1 | cpe:2.3:h:samsung:galaxy_a3:-:*:*:*:*:*:*:* | ||||
| 2 | cpe:2.3:h:samsung:galaxy_note_4:-:*:*:*:*:*:*:* | ||||
| 3 | cpe:2.3:h:samsung:galaxy_note_5:-:*:*:*:*:*:*:* | ||||
| 4 | cpe:2.3:h:samsung:galaxy_s5:-:*:*:*:*:*:*:* | ||||
| 5 | cpe:2.3:h:samsung:galaxy_s6_edge:-:*:*:*:*:*:*:* | ||||
| 6 | cpe:2.3:h:samsung:j2_pro_\(2018\):-:*:*:*:*:*:*:* | ||||
| 7 | cpe:2.3:h:samsung:tab_a_\(2017\):-:*:*:*:*:*:*:* | ||||
| Title | Google の Android における脆弱性 |
|---|---|
| Summary | Google の Android には、不特定の脆弱性が存在します。 |
| Possible impacts | 情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution | 参考情報を参照して適切な対策を実施してください。 |
| Publication Date | Dec. 24, 2020, midnight |
| Registration Date | July 18, 2024, 10:20 a.m. |
| Last Update | July 18, 2024, 10:20 a.m. |
| Android 7.1.1 およびそれ以前 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2024年07月18日] 掲載 |
July 18, 2024, 10:20 a.m. |