Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2025-5344 to CVE-2025-5346) found in applications preloaded on Bluebird smartphones.
Analysis Summary
This summary consolidates the reported vulnerabilities affecting preloaded applications on Bluebird smartphones. Note that CVSS scores and exploitation details were not explicitly provided in the source text, thus they are marked as N/A or inferred based on the technical description.
# Vulnerability: Multiple Vulnerabilities in Bluebird Preloaded Applications (CVE-2025-5344 to CVE-2025-5346)
## CVE Details
The provided article details three separate vulnerabilities. CVSS scores were **Not Available** in the source text.
- **CVE ID**: CVE-2025-5344
- **CVSS Score**: N/A
- **CWE**: CWE-926 (Improper Export of Android Application Components)
- **CVE ID**: CVE-2025-5345
- **CVSS Score**: N/A
- **CWE**: CWE-926 (Improper Export of Android Application Components)
- **CVE ID**: CVE-2025-5346
- **CVSS Score**: N/A
- **CWE**: CWE-926 (Improper Export of Android Application Components)
## Affected Systems
- **Products**:
- `com.bluebird.kiosk.launcher` (Kiosk application)
- `com.bluebird.filemanagers` (File Manager application)
- `kr.co.bluebird.android.bbsettings` (Barcode Scanner/BB Settings application)
- **Versions**:
- **CVE-2025-5344**: All before 1.1.2
- **CVE-2025-5345**: 1.4.4 (Vendor reverted to 1.3.6)
- **CVE-2025-5346**: All before 1.3.3
- **Configurations**: Bluebird smartphones with the specified preloaded applications installed.
## Vulnerability Description
All three vulnerabilities stem from the improper export of Android application components (CWE-926), allowing unintended access by local attackers.
1. **CVE-2025-5344 (Kiosk Launcher):** Exposes an unsecured service provider (`com.bluebird.kiosk.launcher.IpartnerKioskRemoteService`). A local attacker can bind to this service to modify the device's global settings and wallpaper image.
2. **CVE-2025-5345 (File Manager):** Exposes an unsecured service provider (`com.bluebird.system.koreanpost.IsdcardRemoteService`). A local attacker can bind to this service to achieve system-level permissions to copy and delete arbitrary files from device storage.
3. **CVE-2025-5346 (Barcode Scanner):** Exposes an unsecured broadcast receiver (`kr.co.bluebird.android.bbsettings.BootReceiver`). A local attacker can invoke this receiver to overwrite files containing `.json` in the filename with a default barcode configuration file. The vulnerability also features path traversal in the filename argument, allowing overwriting files in arbitrary locations.
## Exploitation
- **Status**: Not explicitly stated, but due to local access requirements and vulnerability types (unsecured services/receivers), exploitation is likely possible by a local user or an application with local privileges. (PoC availability: Not explicitly mentioned).
- **Complexity**: Likely **Low to Medium** given the direct service binding possibilities.
- **Attack Vector**: **Local** (Requires access to the device itself, not remote network access).
## Impact
- **Confidentiality**: High (Potential for arbitrary file reading/access via File Manager component).
- **Integrity**: High (Potential to modify global settings, wallpaper, and overwrite arbitrary files via components).
- **Availability**: Medium (Potential for denial of service via file deletion/misconfiguration, but primarily manipulation).
## Remediation
### Patches
The vendor, Bluebird, has released specific patched versions or recommended downgrades:
- **CVE-2025-5344**: Upgrade to version **1.1.2** or later for `com.bluebird.kiosk.launcher`.
- **CVE-2025-5345**: Upgrade to version **1.3.6** or later for `com.bluebird.filemanagers`. (Note: Vendor reverted from 1.4.4 to 1.3.6).
- **CVE-2025-5346**: Upgrade to version **1.3.3** or later for `kr.co.bluebird.android.bbsettings`.
### Workarounds
No specific workarounds were provided in the source material, however, general mitigations include:
* Restricting application installation to only trusted sources.
* Limiting the privileges granted to preloaded or third-party applications.
## Detection
- **Indicators of Compromise**: Unusual changes to system wallpapers or global settings without user interaction; unexpected changes or deletion of files on device storage; system instability shortly after an application update or security event that might trigger the broadcast receiver.
- **Detection methods and tools**: Utilize mobile security scanning tools capable of analyzing Android component exposure (e.g., Service/Broadcast Receiver exposure checks). Monitor device logs for unexpected IPC communication targeting the exposed component names.
## References
- Vendor advisories: **None explicitly linked or named in the summary text.**
- Relevant links:
- CVE-2025-5344 record: hxxps://www.cve.org/CVERecord?id=CVE-2025-5344
- CVE-2025-5345 record: hxxps://www.cve.org/CVERecord?id=CVE-2025-5345
- CVE-2025-5346 record: hxxps://www.cve.org/CVERecord?id=CVE-2025-5346
- Coordinated Vulnerability Disclosure Policy: hxxps://cert.pl/en/cvd/