CVE-2023-35671 in Android

Summary

by MITRE • 09/12/2023

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.


Analysis

by VulDB Data Team • 09/26/2024

CVE-2023-35671 is a critical information disclosure flaw in the NFC host emulation functionality on Android devices. The issue resides in HostEmulationManager.java, specifically in the onHostEmulationData method, where a logic error creates an unintended path to card data. The flaw manifests when NFC host emulation is active and the device screen is locked: any general purpose NFC reader can potentially extract sensitive card information, including the full card number and expiration details, without user interaction or any privileges beyond NFC access.

The vulnerability stems from improper access control within the NFC host emulation framework. When a device is in locked screen mode, the system should enforce strict security boundaries to prevent unauthorized data extraction. However, the logic error in the onHostEmulationData method means access to sensitive card data is not properly validated or restricted during host emulation sessions. As a result, an NFC reader can establish communication with the device and receive full card information through the host emulation interface, bypassing the controls that should prevent such disclosure.

From an operational perspective, this vulnerability poses significant security risks as it enables passive data extraction without requiring any user interaction or elevated privileges. The attack vector is particularly concerning because it can be exploited by any NFC reader within proximity range, making it accessible to adversaries in physical proximity to the target device. The lack of user interaction requirements means that information disclosure can occur automatically when the device is in locked state, potentially exposing sensitive payment card information that could be used for fraudulent transactions or identity theft.

The impact of this vulnerability aligns with CWE-200, which addresses "Information Exposure," and demonstrates characteristics consistent with ATT&CK technique T1550.001 for "Use Alternate Authentication Material." The flaw essentially provides unauthorized access to sensitive data through an alternative authentication pathway that bypasses normal security controls. Organizations and users should be particularly concerned about this vulnerability in environments where mobile devices containing payment information are frequently used in public spaces where NFC readers might be present.

Mitigation strategies should focus on immediate code-level fixes that properly enforce access controls within the host emulation framework. Security patches should implement proper validation of NFC session contexts and ensure that sensitive card data is only accessible through authenticated and authorized channels. Device manufacturers should also consider implementing additional runtime protections that monitor for unauthorized NFC data access patterns and provide alerts when suspicious host emulation activities occur. Users should be advised to disable NFC functionality when not actively using it and to maintain awareness of their physical environment to prevent exploitation of this vulnerability through passive NFC scanning.

Reservation: 06/15/2023

Disclosure: 09/12/2023

Moderation: accepted

CPE: ready

EPSS: 0.00232

KEV: no

Activities: very low
