CVE-2023-38298
April 22, 2024, 7:24 p.m.
Tags
Product(s) Impacted
TCL A3X
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys
- TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys
TCL 10L
- TCL/T770B/T1_LITE:10/QKQ1.200329.002/3CJ0:user/release-keys
- TCL/T770B/T1_LITE:11/RKQ1.210107.001/8BIC:user/release-keys
TCL 30Z
- TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys
- TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys
TCL 20XE
- TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB7I-0:user/release-keys
- TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB83-0:user/release-keys
Description
Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys); TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys); TCL 20XE (TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB7I-0:user/release-keys and TCL/5087Z_BO/Doha_TMO:11/RP1A.200720.011/PB83-0:user/release-keys); and TCL 10L (TCL/T770B/T1_LITE:10/QKQ1.200329.002/3CJ0:user/release-keys and TCL/T770B/T1_LITE:11/RKQ1.210107.001/8BIC:user/release-keys). This malicious app reads from the "gsm.device.imei0" system property to indirectly obtain the device IMEI.
Weaknesses
Date
Published: April 22, 2024, 3:15 p.m.
Last Modified: April 22, 2024, 7:24 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cve@mitre.org