CVE-2017-15997

In the "NQ Contacts Backup & Restore" application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file.

CVSS v3 7.8 HIGH
CVSS v2.0 2.1 LOW

7.8^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://1337sec.blogspot.de/2017/10/auditing-nq-contacts-backup-restore-11.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nq:contacts_backup_\&_restore:1.1:*:*:*:*:android:*:*

History

No history.

Information

Published : 2017-10-29 17:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-15997

Mitre link : CVE-2017-15997

CVE.ORG link : CVE-2017-15997

JSON object : View

Products Affected

nq

contacts_backup_\&_restore

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

{"id": "CVE-2017-15997", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2017-10-29T17:29:00.250", "references": [{"url": "https://1337sec.blogspot.de/2017/10/auditing-nq-contacts-backup-restore-11.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "In the \"NQ Contacts Backup & Restore\" application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file."}, {"lang": "es", "value": "En la aplicaci\u00f3n NQ Contacts Backup & Restore 1.1 para Android, el cifrado RC4 se emplea para proteger la contrase\u00f1a de usuario almacenada localmente en las preferencias compartidas. Ya que hay una clave RC4 est\u00e1tica, un atacante puede obtener acceso a las credenciales de usuario accediendo al archivo de preferencias XML."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nq:contacts_backup_\\&_restore:1.1:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "A459EF7F-A85D-4ADC-A69D-CD5582703075"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}