Vulnerability Name: CVE-2016-6723 (CCN-118708)

Assigned: 2016-11-07
Published: 2016-11-07
Updated: 2019-03-07
Summary: A denial of service vulnerability in Proxy Auto Config in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as Moderate because it requires an uncommon device configuration. Android ID: A-30100884.
CVSS v3 Severity: 4.7 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.4 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-284
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2016-6723

Source: CCN
Type: Full-Disclosure Mailing List, Mon, 7 Nov 2016 16:06:29 -0500
Crashing Android devices with large Proxy Auto Config (PAC) Files [CVE-2016-6723]

Source: BID
Type: Third Party Advisory, VDB Entry
94185

Source: CCN
Type: BID-94185
Google Android Proxy Auto Config CVE-2016-6723 Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
google-android-cve20166723-dos(118708)

Source: CCN
Type: Packet Storm Security [11-08-2016]
Android Proxy Auto Config (PAC) Crash

Source: CCN
Type: Android Security Bulletin
Android Security Bulletin—November 2016

Source: CONFIRM
Type: Vendor Advisory
https://source.android.com/security/bulletin/2016-11-01.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-6723

Source: MISC
Type: Third Party Advisory
https://wwws.nightwatchcybersecurity.com/2016/11/07/crashing-android-devices-with-large-pac-files-cve-2016-6723/

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:google:android:*:*:*:*:*:*:*:* (Version >= 4.0 and < 4.4.4)
  • OR cpe:/o:google:android:*:*:*:*:*:*:*:* (Version >= 5.0 and < 5.0.2)
  • OR cpe:/o:google:android:*:*:*:*:*:*:*:* (Version >= 5.1 and < 5.1.1)
  • OR cpe:/o:google:android:*:*:*:*:*:*:*:* (Version >= 6.0 and <= 6.0.1)
  • OR cpe:/o:google:android:7.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:google:android:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.trusty:def:20166723000 | V | CVE-2016-6723 on Ubuntu 14.04 LTS (trusty) - negligible. | 2016-11-25
oval:com.ubuntu.xenial:def:20166723000 | V | CVE-2016-6723 on Ubuntu 16.04 LTS (xenial) - negligible. | 2016-11-25
oval:com.ubuntu.xenial:def:201667230000000 | V | CVE-2016-6723 on Ubuntu 16.04 LTS (xenial) - negligible. | 2016-11-25