SB2023110655 - Multiple vulnerabilities in Unisoc chipsets



Published: November 6, 2023

Security Bulletin ID: SB2023110655
Severity: Medium
Patch available: YES
Number of vulnerabilities: 27
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 4% Low 96%

Description

This security bulletin contains information about 27 security vulnerabilities.


1) Information exposure (CVE-ID: CVE-2023-42645)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a missing permission check within the sim service in Android, which provides a possible way to write permission usage records of an app. A local application can gain access to sensitive information.


2) Missing Authorization (CVE-ID: CVE-2023-42655)

The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to a missing permission check within the sim service in Android, which provides a possible way to write permission usage records of an app. A remote attacker can trick the victim into opening a specially crafted file and read and manipulate data.


3) Information exposure (CVE-ID: CVE-2023-42654)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the dm service in Android. A local application can gain access to sensitive information.


4) Missing Authorization (CVE-ID: CVE-2022-48460)

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to incorrect error handling within the setting service in Android, which can possibly lead to undefined behavior. A local application can perform service disruption.


5) Buffer overflow (CVE-ID: CVE-2023-42750)

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to a missing bounds check within the gnss service in WCN, which can lead to a possible out-of-bounds write. A local application can read and manipulate data.


6) Out-of-bounds write (CVE-ID: CVE-2023-42653)

The vulnerability allows a local privileged application to perform a denial of service (DoS) attack.

The vulnerability exists due to a missing bounds check within the faceid service in Android, which can lead to a possible out-of-bounds write. A local privileged application can perform a denial of service (DoS) attack.


7) Missing Authorization (CVE-ID: CVE-2023-42652)

The vulnerability allows a local application to manipulate data.

The vulnerability exists due to a possible missing permission check within the engineermode in Android. A local application can manipulate data.


8) Information exposure (CVE-ID: CVE-2023-42651)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the engineermode in Android. A local application can gain access to sensitive information.


9) Information exposure (CVE-ID: CVE-2023-42650)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the engineermode in Android. A local application can gain access to sensitive information.


10) Information exposure (CVE-ID: CVE-2023-42649)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the engineermode in Android. A local application can gain access to sensitive information.


11) Information exposure (CVE-ID: CVE-2023-42648)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the engineermode in Android. A local application can gain access to sensitive information.


12) Information exposure (CVE-ID: CVE-2023-42647)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a missing permission check within the Ifaa service in Android, which provides a possible way to write permission usage records of an app. A local application can gain access to sensitive information.


13) Information exposure (CVE-ID: CVE-2023-42646)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the Ifaa service in Android. A local application can gain access to sensitive information.


14) Information exposure (CVE-ID: CVE-2023-42644)

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to a possible missing permission check within the dm service in Android. A local application can perform service disruption.


15) Information exposure (CVE-ID: CVE-2023-42631)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


16) Information exposure (CVE-ID: CVE-2023-42643)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


17) Information exposure (CVE-ID: CVE-2023-42642)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


18) Information exposure (CVE-ID: CVE-2023-42641)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


19) Information exposure (CVE-ID: CVE-2023-42640)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


20) Information exposure (CVE-ID: CVE-2023-42639)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


21) Information exposure (CVE-ID: CVE-2023-42638)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


22) Information exposure (CVE-ID: CVE-2023-42637)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


23) Information exposure (CVE-ID: CVE-2023-42636)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


24) Information exposure (CVE-ID: CVE-2023-42635)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


25) Information exposure (CVE-ID: CVE-2023-42634)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


26) Information exposure (CVE-ID: CVE-2023-42633)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


27) Information exposure (CVE-ID: CVE-2023-42632)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a possible missing permission check within the validationtools in Android. A local application can gain access to sensitive information.


Remediation

Install the update from the vendor's website.