CVE-2018-9489

Published: 06/11/2018 Updated: 13/12/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

When Wi-Fi is switched, the function sendNetworkStateChangeBroadcast in WifiStateMachine.java broadcasts an intent that includes detailed Wi-Fi network information. This could lead to information disclosure with no execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9.0
Android ID: A-77286245

Vulnerable Product

google android 7.1.1

google android 7.1.2

google android 9.0

google android 8.0

google android 8.1

google android 7.0

Exploits

System broadcasts by Android OS expose information about the user's device to all applications running on the device. This includes the WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address. Some of this information (MAC address) is no longer available via APIs on Android 6 and higher, and extra permissions are no ...
Android OS version 5.0 suffers from a sensitive data exposure vulnerability in its battery information broadcasts ...
Android OS suffers from a sensitive data exposure vulnerability in its RSSI broadcasts ...

Mailing Lists

[Blog post here: wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/] TITLE: Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]. SUMMARY: System broadcasts by Android OS expose information about the user’s device to all applications running on the dev ...
[Blog post here: wwws.nightwatchcybersecurity.com/2018/11/11/cve-2018-9581/] [NOTE: This bug is part of a series of three related Android bugs with the same root cause: CVE-2018-9489, CVE-2018-9581 and CVE-2018-15835. A presentation covering all three bugs was given at BSides DE in the fall of 2018.] SUMMARY: System broadcasts by the Andr ...
[NOTE: This bug is part of a series of three related Android bugs with the same root cause: CVE-2018-9489, CVE-2018-9581 and CVE-2018-15835. A presentation covering all three bugs was given at BSides DE in the fall of 2018.] SUMMARY: System broadcasts by the Android operating system expose detailed information about the battery. Prior research has ...

Recent Articles

Security bods: Android system broadcasts enable user tracking
The Register • Richard Chirgwin • 31 Aug 2018

Bypassing permission protection on network info Android data slurping measured and monitored

Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers. Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there's no plan to fix older versions. What they found was that the system broadcasts spaff “Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address” to any application running on the ...