BlueStacks fails to restrict access permissions for ADB

  Impact of Vulnerability BlueStacks fails to restrict access permissions
  CVE Numbers  CVE-2018-0701
  Severity Rating High
  CVSS v3 Base / Temporal Scores: Base: 6.3
  Recommendations Install or update to latest BlueStacks App Player
  Affected Versions Windows: BlueStacks 3 and above
MacOS: BlueStacks 2 and above
  Location of Updated Software

http://www.bluestacks.com/download.html

Summary

BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on
Windows or MacOS.
When BlueStacks is installed and activated, BlueStacks adb connection debug port 5555/TCP
waits for a connection request.
If the terminal which installed/activated BlueStacks is internet reachable, an attacker can install
malicious application by using package manager because adb connect does not require
authentication and lets a shell access the BlueStacks' VM environment


● CVE-2018-0701: BlueStacks fails to restrict access permissions.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0701

 

Remediation

For Windows

Download the product from http://www.bluestacks.com/download.html.
Install the updated Bluestacks Player using the usual update path.

For Mac

Please see attached the link of the mechanism of how to block the affected port.
https://support.bluestacks.com/hc/articles/360016496752

 

Workaround


● Do not connect BlueStacks installed machine to the internet directly.
● Block access from outside to 5555/TCP.


Acknowledgments


Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory,
National Institute of Information and Communications Technology


CVSS Scoring

Base Score 6.3
Attack Vector (AV) Advanced (A)
Attack Complexity (AC) Low (L)
Privileges Required (PR None (N)
User Interaction (UI) None (N)
Scope (S) Unchanged (U)
Confidentiality (C) Low (L)
Integrity (I) Low (L)
Availability (A) Low (L)

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Was this article helpful?
10 out of 16 found this helpful