Impact of Vulnerability | BlueStacks fails to restrict access permissions |
CVE Numbers | CVE-2018-0701 |
Severity Rating | High |
CVSS v3 Base / Temporal Scores: | Base: 6.3 |
Recommendations | Install or update to latest BlueStacks App Player |
Affected Versions | Windows: BlueStacks 3 and above; MacOS: BlueStacks 2 and above |
Location of Updated Software |
Summary
BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on
Windows or MacOS.
When BlueStacks is installed and activated, the BlueStacks adb debug port 5555/TCP
waits for a connection request.
If the machine on which BlueStacks is installed and activated is reachable from the internet,
an attacker can install a malicious application using the package manager, because adb connect
does not require authentication and gives shell access to the BlueStacks VM environment.
● CVE-2018-0701: BlueStacks fails to restrict access permissions.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0701
Remediation
For Windows
Download the product from http://www.bluestacks.com/download.html.
Install the updated BlueStacks Player using the usual update path.
For Mac
See the following link for how to block the affected port.
https://support.bluestacks.com/hc/articles/360016496752
Workaround
● Do not connect a machine with BlueStacks installed directly to the internet.
● Block access from outside to 5555/TCP.
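A way to check a host against the second workaround, as an added example that is not part of the original advisory: it parses `netstat -an` output and reports listeners on 5555/TCP that are bound beyond loopback. The function names and the sample lines are constructed for illustration, and the parser assumes plain `netstat -an` column layout (Windows, macOS or Linux).

```python
import ipaddress

ADB_PORT = 5555  # adb debug port named in the advisory

def split_endpoint(local):
    """Split a netstat local-address field into (host, port).
    The port follows the last ':' or '.', which covers 'host:port',
    '[v6]:port' (Windows, Linux) and 'host.port', '*.port' (macOS)."""
    idx = max(local.rfind(":"), local.rfind("."))
    host = local[:idx].strip("[]").split("%")[0]  # drop brackets, zone id
    return host, local[idx + 1:]

def is_reachable_bind(host):
    """True unless the listener is bound to a loopback address only."""
    if host in ("*", ""):
        return True  # wildcard bind: all interfaces
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unparseable: report it rather than hide it

def exposed_adb_listeners(netstat_text, port=ADB_PORT):
    """Return local addresses listening on `port` beyond loopback."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].lower().startswith("tcp"):
            continue
        if not f[-1].upper().startswith("LISTEN"):
            continue  # only listening sockets, not outbound connections
        host, p = split_endpoint(f[-3])
        if p == str(port) and is_reachable_bind(host):
            hits.append(f[-3])
    return hits

# Constructed sample lines (not captured from a real host).
SAMPLE = """\
  TCP    0.0.0.0:5555      0.0.0.0:0      LISTENING
  TCP    127.0.0.1:5555    0.0.0.0:0      LISTENING
  TCP    [::]:5555         [::]:0         LISTENING
  TCP    192.168.1.20:55550  0.0.0.0:0    LISTENING
tcp4   0   0  *.5555            *.*        LISTEN
tcp4   0   0  127.0.0.1.5555    *.*        LISTEN
  TCP    10.0.0.5:49712    203.0.113.7:5555   ESTABLISHED
"""

if __name__ == "__main__":
    for addr in exposed_adb_listeners(SAMPLE):
        print("adb port reachable beyond loopback:", addr)
```

A reported address means the port is bound to a non-loopback interface; whether it is reachable from outside still depends on the host and perimeter firewall rules.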
Acknowledgments
Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory,
National Institute of Information and Communications Technology
CVSS Scoring
Base Score | 6.3 |
Attack Vector (AV) | Adjacent (A) |
Attack Complexity (AC) | Low (L) |
Privileges Required (PR) | None (N) |
User Interaction (UI) | None (N) |
Scope (S) | Unchanged (U) |
Confidentiality (C) | Low (L) |
Integrity (I) | Low (L) |
Availability (A) | Low (L) |
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L