Full Report
An Improper Verification of Intent by Broadcast Receiver vulnerability (CVE-2024-10576), allowing an unauthorized factory reset, has been found in the Infinix Mobile preloaded application com.transsion.agingfunction.
Analysis Summary
# Vulnerability: Unauthorized Factory Reset via Unsecured Broadcast Receiver in Infinix Aging Function
## CVE Details
- CVE ID: CVE-2024-10576
- CVSS Score: N/A (no score is provided in the source; generally high for a factory reset)
- CWE: CWE-925 (Improper Verification of Intent by Broadcast Receiver)
## Affected Systems
- Products: Infinix Mobile preloaded application `com.transsion.agingfunction`
- Versions: Version 13 (the version this report concerns)
- Configurations: All Infinix Mobile devices are suspected to be affected, since the vendor did not respond.
## Vulnerability Description
The vulnerability exists within the preloaded `com.transsion.agingfunction` application on Infinix Mobile devices. This application exposes an unsecured broadcast receiver. An unauthenticated, unauthorized attacker can send specific intents to this receiver, triggering the execution of an action that forces the device to perform a **factory reset** without requiring any elevated Android system permissions.
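A static check for the receiver exposure described above, as an added example that is not part of the original report or the vendor's code: it scans a decoded (text) `AndroidManifest.xml` for broadcast receivers that are exported and declare no permission. The sample manifest is constructed, and its package, receiver, action and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_unprotected_receivers(manifest_xml):
    """Return (receiver name, [actions]) for receivers any app can send to."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        app_permission = _attr(app, "permission")  # default for all components
        for receiver in app.iter("receiver"):
            actions = [_attr(a, "name") for a in receiver.iter("action")]
            exported = _attr(receiver, "exported")
            if exported is None:
                # No explicit value: legacy default is exported if a filter exists
                is_exported = receiver.find("intent-filter") is not None
            else:
                is_exported = exported.lower() == "true"
            permission = _attr(receiver, "permission") or app_permission
            if is_exported and not permission:
                findings.append((_attr(receiver, "name"), actions))
    return findings

# Constructed sample manifest; every name in it is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.factorytools">
  <application>
    <receiver android:name=".ResetReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.factorytools.RESET"/></intent-filter>
    </receiver>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.factorytools.START_TEST"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.factorytools.permission.INTERNAL">
      <intent-filter><action android:name="com.example.factorytools.STOP_TEST"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, actions in find_unprotected_receivers(SAMPLE_MANIFEST):
        print(f"exported receiver without permission: {name} actions={actions}")
```

The check covers manifest-declared receivers only, not receivers registered at runtime. A declared permission is also only as strong as its protection level, so a flagged-clean receiver still needs review.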
## Exploitation
- Status: Active exploitation is not mentioned. Assume a Proof of Concept (PoC) is available internally if reported; no public PoC is confirmed.
- Complexity: Likely **Low**, as it involves communication via a broadcast receiver, suggesting that local or potentially adjacent network access might suffice to trigger the factory reset.
- Attack Vector: Likely **Local** or potentially **Adjacent** depending on how the broadcast is protected, but direct interaction with the receiver is required.
## Impact
- Confidentiality: **High** (Data loss occurs during reset)
- Integrity: **High** (System state is modified; all user data is destroyed)
- Availability: **High** (Complete loss of device availability until setup is performed; data is wiped)
## Remediation
### Patches
- No specific patch version or vendor advisory was provided, as the vendor reportedly did not respond to coordination efforts following the report.
### Workarounds
- No specific workarounds were detailed in the provided context. Treat the running application with extreme caution. (A potential, unconfirmed general mitigation is disabling or uninstalling the application where possible, though preloaded system apps are often hard to remove.)
## Detection
- Detection methods and tools mentioned focus on vendor interaction and the disclosure process itself, not runtime detection.
- Indicators of compromise would involve unexpected or unauthorized factory reset events originating from system/application broadcasts, especially if related to the `com.transsion.agingfunction` component.
## References
- Vendor advisories: None provided (Vendor unresponsive).
- Relevant links:
  - [CVE Record](https://www.cve.org/CVERecord?id=CVE-2024-10576)
  - [CERT Polska CVD Policy](https://cert.pl/en/cvd/)