CVE-2023-38300
April 22, 2024, 7:24 p.m.
Tags
Product(s) Impacted
Orbic Maui device
- Orbic/RC545L/RC545L:10/ORB545L_V1.4.2_BVZPP/230106
Orbic Maui device
- ORB545L_V1.4.2_BVZPP
Description
A certain software build for the Orbic Maui device (Orbic/RC545L/RC545L:10/ORB545L_V1.4.2_BVZPP/230106:user/release-keys) leaks the IMEI and the ICCID to system properties that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in this instance they are leaked by a high-privilege process and can be obtained indirectly. This malicious app reads from the "persist.sys.verizon_test_plan_imei" system property to indirectly obtain the IMEI and reads the "persist.sys.verizon_test_plan_iccid" system property to obtain the ICCID.
Weaknesses
Date
Published: April 22, 2024, 3:15 p.m.
Last Modified: April 22, 2024, 7:24 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cve@mitre.org