[Japanese]

JVNDB-2012-000064

Yome Collection for Android issue in management of IMEI

Overview

Yome Collection for Android contains an issue which stores the International Mobile Equipment Identity (IMEI) on a SD card.

Applications without the READ_PHONE_STATE permission may obtain the IMEI from the SD card.

Kazuhiko Kusano of Graduate School of Information Sciences, Tohoku University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


NEC BIGLOBE, Ltd.
  • Yome Collection for Android version 1.8.3 and earlier

Impact

If a user of the affected product uses a malicious Android application, the IMEI may be disclosed.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
The IMEI on the SD card will be deleted when launching Yome Collection after the update.
Vendor Information

NEC BIGLOBE, Ltd.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-2640
References

  1. JVN : JVN#05102851
  2. National Vulnerability Database (NVD) : CVE-2012-2640
Revision History

  • [2012/07/03]
      Web page was published