CVE-2023-38301 in Device
Summary
by MITRE • 04/22/2024
An issue was discovered in a third-party component related to vendor.gsm.serial, shipped on devices from multiple device manufacturers. Various software builds for the BLU View 2, Boost Mobile Celero 5G, Sharp Rouvo V, Motorola Moto G Pure, Motorola Moto G Power, T-Mobile Revvl 6 Pro 5G, and T-Mobile Revvl V+ 5G devices leak the device serial number to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: BLU View 2 (BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys); Boost Mobile Celero 5G (Celero5G/Jupiter/Jupiter:11/RP1A.200720.011/SW_S98119AA1_V067:user/release-keys); Sharp Rouvo V (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys); Motorola Moto G Pure (motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-2/74844:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-7/5cde8:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-10/d67faa:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-13/b4a29:user/release-keys, motorola/ellis_trac/ellis:12/S3RH32.20-42-10/1c2540:user/release-keys, motorola/ellis_trac/ellis:12/S3RHS32.20-42-13-2-1/6368dd:user/release-keys, motorola/ellis_a/ellis:11/RRH31.Q3-46-50-2/20fec:user/release-keys, motorola/ellis_vzw/ellis:11/RRH31.Q3-46-138/103bd:user/release-keys, motorola/ellis_vzw/ellis:11/RRHS31.Q3-46-138-2/e5502:user/release-keys, and motorola/ellis_vzw/ellis:12/S3RHS32.20-42-10-14-2/5e0b0:user/release-keys); Motorola Moto G Power (motorola/tonga_g/tonga:11/RRQ31.Q3-68-16-2/e5877:user/release-keys and motorola/tonga_g/tonga:12/S3RQS32.20-42-10-6/f876d3:user/release-keys); T-Mobile Revvl 6 Pro 5G (T-Mobile/Augusta/Augusta:12/SP1A.210812.016/SW_S98121AA1_V070:user/release-keys); and T-Mobile Revvl V+ 5G (T-Mobile/Sprout/Sprout:11/RP1A.200720.011/SW_S98115AA1_V077:user/release-keys). This malicious app reads from the "vendor.gsm.serial" system property to indirectly obtain the device serial number.
Analysis
by VulDB Data Team • 04/22/2024
This vulnerability represents a critical security flaw in Android device implementations where device serial numbers are inadvertently exposed through a third-party component related to vendor.gsm.serial. The issue affects multiple device manufacturers including BLU, Boost Mobile, Sharp, Motorola, and T-Mobile, with specific software build fingerprints confirming the vulnerability across various models. The flaw occurs when a high-privilege process leaks the device serial number into a system property that can be accessed by any local application without requiring special permissions or privileges, creating a significant bypass of Android's security model.
The vulnerability stems from improper handling of device identifiers within the Android system framework. Google restricts third-party applications from directly accessing non-resettable device identifiers in Android 10 and higher, but this vulnerability shows how system-level components can inadvertently circumvent those protections. The vendor.gsm.serial system property acts as an unintended information disclosure channel: any application can read the device serial number from it indirectly. This violates the principle of least privilege and shows how system properties become attack vectors when they are not properly secured.
From an operational impact perspective, this vulnerability creates substantial risks for device users and organizations relying on these devices. The device serial number serves as a unique identifier that can be used for tracking, fingerprinting, and potentially malicious activities such as device-specific attacks or user identification across different applications and services. Attackers can leverage this information to create persistent tracking mechanisms, conduct targeted attacks, or exploit device-specific vulnerabilities. The fact that this information is accessible to any local application without permissions makes it particularly dangerous as it can be exploited by malicious apps already present on the device or through social engineering techniques that trick users into installing compromised applications.
The vulnerability aligns with several cybersecurity standards and frameworks, particularly CWE-200 (Information Exposure) and CWE-359 (Exposure of Private Information) which directly address the improper exposure of sensitive device information. From an ATT&CK framework perspective, this vulnerability maps to T1082 (System Information Discovery) and T1069.001 (Security Software Discovery) as it enables adversaries to gather device-specific information that can be used for further exploitation. The vulnerability also relates to T1566 (Phishing) as malicious applications can exploit this information to create more convincing phishing attacks or social engineering campaigns.
Mitigation strategies for this vulnerability should focus on both immediate device-level protections and long-term system security improvements. Device manufacturers should implement proper access controls on system properties and ensure that sensitive device identifiers are not exposed through unintended channels. System-level patches should restrict access to vendor.gsm.serial and similar properties to only authorized system processes. Users should be advised to avoid installing untrusted applications and to keep their devices updated with the latest security patches. Additionally, security researchers and organizations should monitor for similar vulnerabilities in third-party components and implement comprehensive device security testing that includes system property access controls and information disclosure assessments. The vulnerability highlights the importance of secure coding practices and proper privilege management in system-level components that handle sensitive device information.
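One way to carry out the system property testing described above across a device fleet, as an added example (not code from MITRE, VulDB or any vendor): it parses saved output of `adb shell getprop` and `adb shell getprop -Z` and reports whether the build is one of the listed fingerprints, whether vendor.gsm.serial holds the serial, and which SELinux label the property carries. The sample dumps, the serial value and the `vendor_default_prop` label are constructed assumptions; adb's shell domain is not an app sandbox, so the label, not the dump alone, indicates who can read the property.

```python
import re

# Subset of the fingerprints the advisory lists as confirmed vulnerable.
VULNERABLE_FINGERPRINTS = {
    "BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys",
    "Celero5G/Jupiter/Jupiter:11/RP1A.200720.011/SW_S98119AA1_V067:user/release-keys",
    "motorola/tonga_g/tonga:12/S3RQS32.20-42-10-6/f876d3:user/release-keys",
}
LEAK_PROP = "vendor.gsm.serial"
SERIAL_PROPS = ("ro.serialno", "ro.boot.serialno")
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")  # "[key]: [value]"


def parse_getprop(dump):
    """Parse `getprop` or `getprop -Z` output into a {key: value} dict."""
    matches = (PROP_LINE.match(line.strip()) for line in dump.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit(values_dump, contexts_dump=""):
    """Return findings for one device from its saved property dumps."""
    values = parse_getprop(values_dump)
    labels = parse_getprop(contexts_dump)
    leaked = values.get(LEAK_PROP, "")
    serials = {values[p] for p in SERIAL_PROPS if values.get(p)}
    return {
        "fingerprint_listed": values.get("ro.build.fingerprint") in VULNERABLE_FINGERPRINTS,
        "property_populated": bool(leaked),
        # Containment, in case the vendor copy carries padding or extra fields.
        "matches_serial": bool(leaked) and any(s in leaked for s in serials),
        # A label other than ro.serialno's means the copy is outside the access rules protecting the original.
        "label_differs": LEAK_PROP in labels
        and labels[LEAK_PROP] != labels.get("ro.serialno"),
        "label": labels.get(LEAK_PROP),
    }


# Constructed sample dumps (not captured from a real device).
SAMPLE_VALUES = """\
[ro.build.fingerprint]: [BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys]
[ro.serialno]: [EXAMPLE0SERIAL01]
[vendor.gsm.serial]: [EXAMPLE0SERIAL01]
"""
SAMPLE_CONTEXTS = """\
[ro.serialno]: [u:object_r:serialno_prop:s0]
[vendor.gsm.serial]: [u:object_r:vendor_default_prop:s0]
"""

if __name__ == "__main__":
    print(audit(SAMPLE_VALUES, SAMPLE_CONTEXTS))
```

A device that reports `label_differs` after a vendor update still needs the property relabelled or removed, even if its fingerprint is no longer on the list.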