Multiple vulnerabilities in Unisoc chipsets



Risk Low
Patch available YES
Number of vulnerabilities 11
CVE-ID CVE-2022-47335
CVE-2022-47336
CVE-2022-47337
CVE-2022-47338
CVE-2022-47362
CVE-2022-47463
CVE-2022-47464
CVE-2022-47465
CVE-2022-47466
CVE-2022-47467
CVE-2022-47468
CWE-ID CWE-120
CWE-787
CWE-200
CWE-476
Exploitation vector Local
Public exploit N/A
Vulnerable software
SC9863A
Mobile applications / Mobile firmware & hardware

SC9832E
Mobile applications / Mobile firmware & hardware

SC7731E
Mobile applications / Mobile firmware & hardware

T610
Mobile applications / Mobile firmware & hardware

T310
Mobile applications / Mobile firmware & hardware

T606
Mobile applications / Mobile firmware & hardware

T760
Mobile applications / Mobile firmware & hardware

T618
Mobile applications / Mobile firmware & hardware

T612
Mobile applications / Mobile firmware & hardware

T616
Mobile applications / Mobile firmware & hardware

T770
Mobile applications / Mobile firmware & hardware

T820
Mobile applications / Mobile firmware & hardware

S8000
Mobile applications / Mobile firmware & hardware

Vendor UNISOC

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU74998

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47335

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local privileged application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU74999

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47336

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local privileged application can execute arbitrary code.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds write

EUVDB-ID: #VU75000

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47337

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to a missing permission check within the Media service in Android. A local application can read and manipulate data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information exposure

EUVDB-ID: #VU75001

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47338

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to a missing permission check within the email service in Android. A local application can read and manipulate data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU75002

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47362

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to read and manipulate data.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local privileged application can read and manipulate data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU75003

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47463

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Vdsp service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU75004

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47464

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Vdsp service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) NULL Pointer Dereference

EUVDB-ID: #VU75005

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47465

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Vdsp service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL Pointer Dereference

EUVDB-ID: #VU75006

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47466

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) NULL Pointer Dereference

EUVDB-ID: #VU75007

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47467

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) NULL Pointer Dereference

EUVDB-ID: #VU75008

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-47468

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local application to manipulate or delete data.

The vulnerability exists due to a missing permission check within the Telecom service in Android. A local application can manipulate or delete data.

Mitigation

Install security update from vendor's website.

Vulnerable software versions

SC9863A: All versions

SC9832E: All versions

SC7731E: All versions

T610: All versions

T310: All versions

T606: All versions

T760: All versions

T618: All versions

T612: All versions

T616: All versions

T770: All versions

T820: All versions

S8000: All versions

CPE2.3 External links

http://www.unisoc.com/en_us/secy/announcementDetail/1645429273135218690


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###