|Impact of Vulnerability||BlueStacks fails to restrict access permissions|
|CVSS v3 Base / Temporal Scores:||Base: 6.3|
|Recommendations||Install or update to the latest BlueStacks App Player|
|Affected Versions||Windows: BlueStacks 3 and above; MacOS: BlueStacks 2 and above|
|Location of Updated Software|
BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on
Windows or MacOS.
When BlueStacks is installed and activated, the BlueStacks adb debug port, 5555/TCP,
listens for connection requests.
If the machine on which BlueStacks is installed and activated is reachable from the internet, an
attacker can install a malicious application through the package manager, because adb connect does
not require authentication and gives shell access to the BlueStacks VM environment.
● CVE-2018-0701: BlueStacks fails to restrict access permissions.
Download the product from http://www.bluestacks.com/download.html.
Install the updated BlueStacks Player using the usual update path.
Please see the attached link for how to block the affected port.
● Do not connect a machine with BlueStacks installed directly to the internet.
● Block access from outside to 5555/TCP.
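To confirm whether the workaround is needed on a given host, the following added example (not part of the original advisory) parses `netstat -an` output and reports any listener on 5555/TCP that is not bound to loopback only. The function names, the netstat line layouts handled (Windows and macOS) and the sample output are assumptions constructed for illustration.

```python
import subprocess

ADB_PORT = 5555  # BlueStacks adb debug port named in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample output (not captured from a real host).
SAMPLE_WINDOWS = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5037         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED
"""
SAMPLE_MACOS = """\
tcp4       0      0  127.0.0.1.5555         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (Windows) or 'addr.port' (macOS) at the last separator."""
    idx = max(endpoint.rfind(":"), endpoint.rfind("."))
    return endpoint[:idx].strip("[]"), endpoint[idx + 1:]


def exposed_adb_listeners(netstat_text, port=ADB_PORT):
    """Return local addresses listening on `port` that are not loopback-only."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # The state column is LISTENING on Windows and LISTEN on macOS;
        # the local endpoint sits two columns before it in both layouts.
        state = [i for i, f in enumerate(fields) if f.startswith("LISTEN")]
        if not state or state[0] < 2:
            continue
        addr, found_port = split_endpoint(fields[state[0] - 2])
        if found_port == str(port) and addr not in LOOPBACK:
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    # Audit the local machine; `netstat -an` exists on both Windows and macOS.
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    hits = exposed_adb_listeners(out)
    if hits:
        print(f"5555/TCP reachable beyond loopback on: {', '.join(hits)}")
    else:
        print("No non-loopback listener on 5555/TCP found")
```

A non-empty result means the port is bound to an address other hosts can reach, so the inbound block on 5555/TCP should be in place before the machine is on any untrusted network.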
Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory,
National Institute of Information and Communications Technology
|Attack Vector (AV)||Adjacent (A)|
|Attack Complexity (AC)||Low (L)|
|Privileges Required (PR)||None (N)|
|User Interaction (UI)||None (N)|
|Scope (S)||Unchanged (U)|
|Confidentiality (C)||Low (L)|
|Integrity (I)||Low (L)|
|Availability (A)||Low (L)|