SB2023050924 - Multiple vulnerabilities in Unisoc chipsets
Published: May 9, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 66 secuirty vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2022-48383)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the srtd service in Android. A local privileged application can perform a denial of service (DoS) attack.
2) Information exposure (CVE-ID: CVE-2022-48370)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a possible missing permission check within the dialer service in Android. A local application can gain access to sensitive information.
3) Information exposure (CVE-ID: CVE-2022-48371)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a possible missing permission check within the dialer service in Android. A local application can gain access to sensitive information.
4) Integer overflow (CVE-ID: CVE-2022-48372)
The vulnerability allows a local privileged application to damange or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the bootcp service in Android. A local privileged application can damange or delete data.
5) Integer overflow (CVE-ID: CVE-2022-48373)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the tee service in Android. A local privileged application can read and manipulate data.
6) Integer overflow (CVE-ID: CVE-2022-48374)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the tee service in Android. A local privileged application can read and manipulate data.
7) Missing Authorization (CVE-ID: CVE-2022-48375)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to a possible missing permission check within the Contacts service in Android. A remote attacker can trick the victim to open a specially crafted file and read and manipulate data.
8) Missing Authorization (CVE-ID: CVE-2022-48376)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible missing permission check within the dialer in Android. A local application can read and manipulate data.
9) Missing Authorization (CVE-ID: CVE-2022-48377)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible missing permission check within the dialer in Android. A local application can read and manipulate data.
10) Missing Authorization (CVE-ID: CVE-2022-48378)
The vulnerability allows a local application to manipulate data.
The vulnerability exists due to a possible missing permission check within the Engineermode service in Android. A local application can manipulate data.
11) NULL Pointer Dereference (CVE-ID: CVE-2022-48379)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to a possible missing permission check within the dialer in Android. A local application can perform service disruption.
12) Stack-based buffer overflow (CVE-ID: CVE-2022-47340)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the video decoder firmware in Android. A remote attacker can perform a denial of service (DoS) attack.
13) Resource exhaustion (CVE-ID: CVE-2022-48380)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the modem control device in Kernel. A local application can read and manipulate data.
14) Resource exhaustion (CVE-ID: CVE-2022-48381)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the modem control device in Kernel. A local application can read and manipulate data.
15) Buffer overflow (CVE-ID: CVE-2022-48382)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the log service has buffer overflow issue in Android. A local privileged application can perform a denial of service (DoS) attack.
16) Missing Authorization (CVE-ID: CVE-2022-48384)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the srtd service in Android. A local privileged application can perform a denial of service (DoS) attack.
17) Missing Authorization (CVE-ID: CVE-2022-48368)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform service disruption.
18) Double Free (CVE-ID: CVE-2022-48386)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible use after free due to a logic error within the apipe driver in Android. A local privileged application can read and manipulate data.
19) Out-of-bounds write (CVE-ID: CVE-2022-48387)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the apipe driver in Android. A local privileged application can read and manipulate data.
20) Resource exhaustion (CVE-ID: CVE-2022-38685)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the bluetooth service in Android. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
21) Buffer overflow (CVE-ID: CVE-2022-39089)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the mlog service in Android. A local privileged application can read and manipulate data.
22) Missing Authorization (CVE-ID: CVE-2022-48388)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the Android. A local privileged application can perform a denial of service (DoS) attack.
23) Missing Authorization (CVE-ID: CVE-2022-44433)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to a possible missing permission check within the Android. A remote attacker can trick the victim to open a specially crafted file and read and manipulate data.
24) Stack-based buffer overflow (CVE-ID: CVE-2022-48389)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the modem control device in Kernel. A local application can read and manipulate data.
25) Out-of-bounds read (CVE-ID: CVE-2022-47334)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the phasecheck server in Android. A local privileged application can read and manipulate data.
26) Stack-based buffer overflow (CVE-ID: CVE-2022-47485)
The vulnerability allows a local privileged application to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the phasecheck server in Android. A local privileged application can read and manipulate data.
27) Out-of-bounds write (CVE-ID: CVE-2022-47469)
The vulnerability allows a local privileged application to compromise the affected device.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.
28) Stack-based buffer overflow (CVE-ID: CVE-2022-47470)
The vulnerability allows a local privileged application to compromise the affected device.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.
29) Stack-based buffer overflow (CVE-ID: CVE-2022-47486)
The vulnerability allows a local privileged application to compromise the affected device.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the ext4fsfilter driver in Kernel. A local privileged application can compromise the affected device.
30) Buffer overflow (CVE-ID: CVE-2022-47487)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the thermal service in Android. A remote attacker can trick the victim to open a specially crafted file and read and manipulate data.
31) Memory corruption (CVE-ID: CVE-2022-47488)
The vulnerability allows a local application to damange or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the spipe drive in Kernel. A local application can damange or delete data.
32) Missing Authorization (CVE-ID: CVE-2022-48369)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform service disruption.
33) Missing Authorization (CVE-ID: CVE-2022-48250)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform service disruption.
34) Out-of-bounds write (CVE-ID: CVE-2022-48385)
The vulnerability allows a remote attacker to perform service disruption.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the the cp_dump driver in Kernel. A remote attacker can trick the victim to open a specially crafted file and perform service disruption.
35) Buffer overflow (CVE-ID: CVE-2022-47497)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
36) Resource exhaustion (CVE-ID: CVE-2022-44420)
The vulnerability allows a remote attacker to perform service disruption.
The vulnerability exists due to a possible missing verification of HashMME value in Security Mode Command within the Security Mode Command in Modem. A remote attacker can perform service disruption.
37) Resource exhaustion (CVE-ID: CVE-2022-44419)
The vulnerability allows a remote attacker to perform service disruption.
The vulnerability exists due to a possible missing verification of NAS Security Mode Command Replay Attacks in LTE within the LTE in Modem. A remote attacker can perform service disruption.
38) Stack-based buffer overflow (CVE-ID: CVE-2022-48232)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a possible missing params check within the FM service in Android. A local privileged application can gain access to sensitive information.
39) Stack-based buffer overflow (CVE-ID: CVE-2022-48233)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a possible missing params check within the FM service in Android. A local privileged application can gain access to sensitive information.
40) Stack-based buffer overflow (CVE-ID: CVE-2022-48234)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a possible missing params check within the FM service in Android. A local privileged application can gain access to sensitive information.
41) Missing Authorization (CVE-ID: CVE-2022-47490)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible missing permission check within the Soter service in Android. A local application can manipulate or delete data.
42) Missing Authorization (CVE-ID: CVE-2022-47492)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible missing permission check within the Soter service in Android. A local application can manipulate or delete data.
43) Missing Authorization (CVE-ID: CVE-2022-47493)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible missing permission check within the Soter service in Android. A local application can manipulate or delete data.
44) NULL Pointer Dereference (CVE-ID: CVE-2022-48231)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible missing permission check within the Soter service in Android. A local application can manipulate or delete data.
45) Integer overflow (CVE-ID: CVE-2022-47489)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
46) Buffer overflow (CVE-ID: CVE-2022-47491)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
47) Buffer overflow (CVE-ID: CVE-2022-47494)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
48) Buffer overflow (CVE-ID: CVE-2022-47495)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
49) Buffer overflow (CVE-ID: CVE-2022-47496)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
50) Buffer overflow (CVE-ID: CVE-2022-47498)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
51) Missing Authorization (CVE-ID: CVE-2022-48249)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform service disruption.
52) Information exposure (CVE-ID: CVE-2022-48242)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a possible missing permission check within the telephony service in Android. A local application can gain access to sensitive information.
53) Missing Authorization (CVE-ID: CVE-2022-48248)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
54) Missing Authorization (CVE-ID: CVE-2022-48247)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
55) Missing Authorization (CVE-ID: CVE-2022-48246)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
56) Missing Authorization (CVE-ID: CVE-2022-48245)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
57) Missing Authorization (CVE-ID: CVE-2022-48244)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
58) Missing Authorization (CVE-ID: CVE-2022-48243)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible missing permission check within the audio service in Audio. A local application can perform a denial of service (DoS) attack.
59) NULL Pointer Dereference (CVE-ID: CVE-2022-48241)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a possible missing permission check within the telephony service in Android. A local application can gain access to sensitive information.
60) Buffer overflow (CVE-ID: CVE-2022-47499)
The vulnerability allows a local application to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Soter service in Android. A local application can manipulate or delete data.
61) Out-of-bounds write (CVE-ID: CVE-2022-48240)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the camera driver in Kernel. A local privileged application can perform a denial of service (DoS) attack.
62) Out-of-bounds write (CVE-ID: CVE-2022-48239)
The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the camera driver in Kernel. A local privileged application can perform a denial of service (DoS) attack.
63) Out-of-bounds read (CVE-ID: CVE-2022-48238)
The vulnerability allows a remote attacker to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Image Filter in Kernel. A remote attacker can trick the victim to open a specially crafted file and manipulate or delete data.
64) Buffer overflow (CVE-ID: CVE-2022-48237)
The vulnerability allows a remote attacker to manipulate or delete data.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the Image Filter in Kernel. A remote attacker can trick the victim to open a specially crafted file and manipulate or delete data.
65) Out-of-bounds read (CVE-ID: CVE-2022-48236)
The vulnerability allows a remote attacker to read memory contents or crash the system.
The vulnerability exists due to a possible out of bounds read due to a missing bounds check within the MP3 encoder in Android. A remote attacker can trick the victim to open a specially crafted file and read memory contents or crash the system.
66) Out-of-bounds read (CVE-ID: CVE-2022-48235)
The vulnerability allows a remote attacker to read memory contents or crash the system.
The vulnerability exists due to a possible out of bounds write due to a missing bounds check within the MP3 encoder in Android. A remote attacker can trick the victim to open a specially crafted file and read memory contents or crash the system.
Remediation
Install update from vendor's website.