Remote MITM via Bluetooth in Quick Share: Forced WiFi Connection (Fixed in 1.0.1724.0)
CVE-2024-38271 Published on June 26, 2024
Denial of Service in Quick Share
There exists a vulnerability in Quick Share/Nearby, where an attacker can force a victim to stay connected to a temporary hotspot created for the sharing. As part of the sequence of packets in a Quick Share connection over Bluetooth, the attacker forces the victim to connect to the attacker's WiFi network and then sends an OfflineFrame that crashes Quick Share.
As a result, the WiFi connection to the attacker's network persists instead of the device returning to its previous network when the Quick Share session completes, which allows the attacker to act as a MiTM. We recommend upgrading to version 1.0.1724.0 of Quick Share or above.
Weakness Type
Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Products Associated with CVE-2024-38271
Affected Versions
Google Nearby:
- Before 1.0.1724.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.