Improper D-Bus Security in Tizen Affects Samsung Gear Series
CVE-2018-16263

8.8HIGH

Key Information:

Vendor
Linux
Status
Tizen
Vendor
CVE Published:
22 January 2020

Summary

The PulseAudio system service on Tizen devices is subject to a vulnerability that allows unprivileged processes to gain control over the A2DP MediaEndpoint. This issue stems from inadequate D-Bus security policy configurations, which could potentially lead to unauthorized access and control over audio streaming functionalities. This vulnerability impacts various versions of Tizen, specifically those prior to 5.0 M1, and affects the Samsung Galaxy Gear series devices that were released before build RE2.

References

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20...
x_refsource_MISC
https://review.tizen.org/git/?p=platform/upstream/pulseau...
x_refsource_MISC
https://www.youtube.com/watch?v=3IdgBwbOT-g&feature=youtu.be
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.