cnvd - cnvd-2016-10515

cnvd-2016-10515

Vulnerability from cnvd

Title: Samsung Galaxy S4至S7设备未授权修改漏洞

Description:

Samsung Galaxy S4等都是韩国三星（Samsung）公司发布的智能移动设备。

Samsung Galaxy S4至S7设备存在未授权修改漏洞。该漏洞源于程序忽略嵌入在OMACP信息中的安全信息。远程攻击者可利用该漏洞接收，解析，处理来路不明的WAP Push SMS信息，导致未授权修改配置信息。

Severity: 高

Patch Name: Samsung Galaxy S4至S7设备存在未授权修改漏洞的补丁

Patch Description:

Samsung Galaxy S4等都是韩国三星（Samsung）公司发布的智能移动设备。

Samsung Galaxy S4至S7设备存在未授权修改漏洞。该漏洞源于程序忽略嵌入在OMACP信息中的安全信息。远程攻击者可利用该漏洞接收，解析，处理来路不明的WAP Push SMS信息，导致未授权修改配置信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016

Reference: http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016

Impacted products

Name
Samsung Galaxy >=s4，<=s7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-7991"
    }
  },
  "description": "Samsung Galaxy S4\u7b49\u90fd\u662f\u97e9\u56fd\u4e09\u661f\uff08Samsung\uff09\u516c\u53f8\u53d1\u5e03\u7684\u667a\u80fd\u79fb\u52a8\u8bbe\u5907\u3002\r\n\r\nSamsung Galaxy S4\u81f3S7\u8bbe\u5907\u5b58\u5728\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5ffd\u7565\u5d4c\u5165\u5728OMACP\u4fe1\u606f\u4e2d\u7684\u5b89\u5168\u4fe1\u606f\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a5\u6536\uff0c\u89e3\u6790\uff0c\u5904\u7406\u6765\u8def\u4e0d\u660e\u7684WAP Push SMS\u4fe1\u606f\uff0c\u5bfc\u81f4\u672a\u6388\u6743\u4fee\u6539\u914d\u7f6e\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-10515",
  "openTime": "2016-11-02",
  "patchDescription": "Samsung Galaxy S4\u7b49\u90fd\u662f\u97e9\u56fd\u4e09\u661f\uff08Samsung\uff09\u516c\u53f8\u53d1\u5e03\u7684\u667a\u80fd\u79fb\u52a8\u8bbe\u5907\u3002\r\n\r\nSamsung Galaxy S4\u81f3S7\u8bbe\u5907\u5b58\u5728\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5ffd\u7565\u5d4c\u5165\u5728OMACP\u4fe1\u606f\u4e2d\u7684\u5b89\u5168\u4fe1\u606f\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a5\u6536\uff0c\u89e3\u6790\uff0c\u5904\u7406\u6765\u8def\u4e0d\u660e\u7684WAP Push SMS\u4fe1\u606f\uff0c\u5bfc\u81f4\u672a\u6388\u6743\u4fee\u6539\u914d\u7f6e\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Samsung Galaxy S4\u81f3S7\u8bbe\u5907\u5b58\u5728\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Samsung Galaxy \u003e=s4\uff0c\u003c=s7"
  },
  "referenceLink": "http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016",
  "serverity": "\u9ad8",
  "submitTime": "2016-11-01",
  "title": "Samsung Galaxy S4\u81f3S7\u8bbe\u5907\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e"
}

CVE-2016-7991 (GCVE-0-2016-7991)

Vulnerability from cvelistv5

Published

2016-10-31 10:00

Modified

2024-08-06 02:13

Severity ?

CWE

Summary

On Samsung Galaxy S4 through S7 devices, the "omacp" app ignores security information embedded in the OMACP messages resulting in remote unsolicited WAP Push SMS messages being accepted, parsed, and handled by the device, leading to unauthorized configuration changes, a subset of SVE-2016-6542.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/94088	vdb-entry, x_refsource_BID
	http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:13:21.791Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "94088",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94088"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-10-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "On Samsung Galaxy S4 through S7 devices, the \"omacp\" app ignores security information embedded in the OMACP messages resulting in remote unsolicited WAP Push SMS messages being accepted, parsed, and handled by the device, leading to unauthorized configuration changes, a subset of SVE-2016-6542."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-11-25T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "94088",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94088"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-7991",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "On Samsung Galaxy S4 through S7 devices, the \"omacp\" app ignores security information embedded in the OMACP messages resulting in remote unsolicited WAP Push SMS messages being accepted, parsed, and handled by the device, leading to unauthorized configuration changes, a subset of SVE-2016-6542."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "94088",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94088"
            },
            {
              "name": "http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016",
              "refsource": "CONFIRM",
              "url": "http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-7991",
    "datePublished": "2016-10-31T10:00:00",
    "dateReserved": "2016-09-09T00:00:00",
    "dateUpdated": "2024-08-06T02:13:21.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted