vulnrichment / Mitre / VULNRICHMENT:CVE-2023-38301
History: Apr 22, 2024 - 12:00 a.m.

CVE-2023-38301

2024-04-22 00:00:00
mitre
github.com
4
third-party component
device serial numbers
android devices
local apps
system property leakage

AI Score: 6.8
Confidence: Low
EPSS: 0
Percentile: 9.0%

SSVC
Exploitation: none
Automatable: no
Technical Impact: partial

An issue was discovered in a third-party component related to vendor.gsm.serial, shipped on devices from multiple device manufacturers. Various software builds for the BLU View 2, Boost Mobile Celero 5G, Sharp Rouvo V, Motorola Moto G Pure, Motorola Moto G Power, T-Mobile Revvl 6 Pro 5G, and T-Mobile Revvl V+ 5G devices leak the device serial number to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: BLU View 2 (BLU/B131DL/B130DL:11/RP1A.200720.011/1672046950:user/release-keys); Boost Mobile Celero 5G (Celero5G/Jupiter/Jupiter:11/RP1A.200720.011/SW_S98119AA1_V067:user/release-keys); Sharp Rouvo V (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys); Motorola Moto G Pure (motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-2/74844:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-7/5cde8:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-10/d67faa:user/release-keys, motorola/ellis_trac/ellis:11/RRHS31.Q3-46-110-13/b4a29:user/release-keys, motorola/ellis_trac/ellis:12/S3RH32.20-42-10/1c2540:user/release-keys, motorola/ellis_trac/ellis:12/S3RHS32.20-42-13-2-1/6368dd:user/release-keys, motorola/ellis_a/ellis:11/RRH31.Q3-46-50-2/20fec:user/release-keys, motorola/ellis_vzw/ellis:11/RRH31.Q3-46-138/103bd:user/release-keys, motorola/ellis_vzw/ellis:11/RRHS31.Q3-46-138-2/e5502:user/release-keys, and motorola/ellis_vzw/ellis:12/S3RHS32.20-42-10-14-2/5e0b0:user/release-keys); Motorola Moto G Power (motorola/tonga_g/tonga:11/RRQ31.Q3-68-16-2/e5877:user/release-keys and motorola/tonga_g/tonga:12/S3RQS32.20-42-10-6/f876d3:user/release-keys); T-Mobile Revvl 6 Pro 5G (T-Mobile/Augusta/Augusta:12/SP1A.210812.016/SW_S98121AA1_V070:user/release-keys); and T-Mobile Revvl V+ 5G (T-Mobile/Sprout/Sprout:11/RP1A.200720.011/SW_S98115AA1_V077:user/release-keys). A malicious app reads from the “vendor.gsm.serial” system property to indirectly obtain the device serial number.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:h:verizon:sharp_rouvo_v:-:*:*:*:*:*:*:*"
    ],
    "vendor": "verizon",
    "product": "sharp_rouvo_v",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:tracfone:blu_view_2:-:*:*:*:*:*:*:*"
    ],
    "vendor": "tracfone",
    "product": "blu_view_2",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:boost_mobile:celero_5g:-:*:*:*:*:*:*:*"
    ],
    "vendor": "boost_mobile",
    "product": "celero_5g",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:motorola:moto_g_pure:-:*:*:*:*:*:*:*"
    ],
    "vendor": "motorola",
    "product": "moto_g_pure",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:motorola:moto_g_power:-:*:*:*:*:*:*:*"
    ],
    "vendor": "motorola",
    "product": "moto_g_power",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:t-mobile:revvl_6_pro_5g:-:*:*:*:*:*:*:*"
    ],
    "vendor": "t-mobile",
    "product": "revvl_6_pro_5g",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:h:t-mobile:revvl_v\\+_5g:-:*:*:*:*:*:*:*"
    ],
    "vendor": "t-mobile",
    "product": "revvl_v\\+_5g",
    "versions": [
      {
        "status": "unknown",
        "version": "-"
      }
    ],
    "defaultStatus": "unknown"
  }
]
