[Japanese]

JVNDB-2024-000123

Multiple FCNT Android devices vulnerable to authentication bypass

Overview

Multiple FCNT Android devices provide security features such as "privacy mode" where arbitrary applications can be set not to be displayed, etc.
The devices contain an authentication bypass vulnerability (CWE-306), where, under certain conditions, the setting pages may be accessed without authentication.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.1 (Low) [IPA Score]
  • Attack Vector: physics
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


KDDI
  • arrows We FCG01 versions prior to build number V68RK50A
SoftBank
  • arrows We versions prior to build number V71RS50A
NTT DOCOMO, INC.
  • arrows N F-51C versions prior to build number V51R057C
  • arrows We F-51B versions prior to build number V70RD50A

Impact

When an attacker can directly operate the device which its screen is unlocked by a user, the provided security features' setting pages may be exposed and/or the settings may be altered, without authentication.
For example, specific applications in the device configured to be hidden may be displayed and/or activated.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

FCNT LLC KDDI SoftBank NTT DOCOMO, INC.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-53701
References

  1. JVN : JVN#43845108
Revision History

  • [2024/11/29]
      Web page was published

Date Public2024/11/29
Date First Published2024/11/29
Date Last Updated2024/11/29