PT-2024-12700 · Tcl · Tcl 30Z

Published: 2024-04-22 · Updated: 2024-07-03 · CVE-2023-38295

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TCL 30Z versions v5.2120.02.12008.1.T through v5.2120.02.12008.2.T; TCL 10L version v3.2014.12.1012.B
Description
Certain software builds for TCL Android devices ship a vulnerable pre-installed app. Components in several pre-installed apps are guarded by a permission that no app on the device defines; because the permission is undefined, it provides no protection at runtime. A third-party app that declares and requests this missing permission can then interact with service components in the vulnerable apps to perform arbitrary file reads and writes. The missing permission is named com.tct.smart.switchphone.permission.SWITCH_DATA, and it is used to interact with the com.tct.smart.switchdata.DataService service component. No user interaction is required beyond installing and running a third-party app to exploit this issue.
Recommendations
For TCL 30Z versions v5.2120.02.12008.1.T through v5.2120.02.12008.2.T, consider disabling the com.tcl.screenrecorder app until a patch is available. For TCL 10L version v3.2014.12.1012.B, consider disabling the com.tcl.sos app until a patch is available. As a temporary workaround, restrict access to the com.tct.smart.switchdata.DataService service component to minimize the risk of exploitation. Avoid using the com.tct.smart.switchphone.permission.SWITCH_DATA permission in third-party apps until the issue is resolved.
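The following device-triage helper is an added example written for this page; it is not part of the advisory and not TCL software. It checks whether a reported model and build fall inside the affected version set above, audits `pm list permissions -f` output to see whether the guarding permission is still undefined (the state in which it protects nothing) or has been defined by a package that is not part of the firmware, and prints the advisory's workaround as a `pm disable-user` command. It assumes the permission name is spelled with an underscore (SWITCH_DATA), since Android permission names cannot contain spaces, and the two permission listings embedded in it are constructed samples, not captures from a device.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-38295 (example code for this page, not
# from the advisory or from TCL). Assumptions: the permission is spelled
# SWITCH_DATA with an underscore, and the two `pm list permissions -f`
# samples below are constructed rather than captured.

PERM='com.tct.smart.switchphone.permission.SWITCH_DATA'

# Constructed sample 1: no package defines the permission. This is the
# vulnerable state: the first app to declare it becomes its owner.
SAMPLE_UNDEFINED='All Permissions:

+ permission:android.permission.INTERNET
  package:android
  label:null
  description:null
  protectionLevel:normal'

# Constructed sample 2: the permission has been defined by a package that
# is not part of the firmware, which is what a device audit should flag.
SAMPLE_DEFINED="$SAMPLE_UNDEFINED
+ permission:$PERM
  package:com.example.untrusted
  label:null
  description:null
  protectionLevel:normal"

# vernum VERSION: strip the leading "v" and the trailing build suffix
# (".T" or ".B") so that "v5.2120.02.12008.1.T" becomes "5.2120.02.12008.1".
vernum() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/\.[A-Z]$//'
}

# vercmp A B: print -1, 0 or 1 after comparing dotted versions field by field.
vercmp() {
    awk -v a="$(vernum "$1")" -v b="$(vernum "$2")" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# affected MODEL VERSION: succeed when the build is in the advisory's affected set.
affected() {
    case "$1" in
        "TCL 30Z")
            [ "$(vercmp "$2" v5.2120.02.12008.1.T)" -ge 0 ] &&
            [ "$(vercmp "$2" v5.2120.02.12008.2.T)" -le 0 ] ;;
        "TCL 10L")
            [ "$(vercmp "$2" v3.2014.12.1012.B)" -eq 0 ] ;;
        *)  return 1 ;;
    esac
}

# workaround_pkg MODEL: the pre-installed app the advisory suggests disabling.
workaround_pkg() {
    case "$1" in
        "TCL 30Z") echo com.tcl.screenrecorder ;;
        "TCL 10L") echo com.tcl.sos ;;
    esac
}

# perm_owner NAME: read `pm list permissions -f` output on stdin and print
# the package that defines NAME, or UNDEFINED when no package does.
perm_owner() {
    awk -v want="$1" '
        /^[+] permission:/ { cur = substr($0, 14) }
        /^  package:/ && cur == want { print substr($0, 11); found = 1; exit }
        END { if (!found) print "UNDEFINED" }'
}

# triage MODEL VERSION: combine the version check with the permission audit
# and print one verdict line, including the advisory's workaround command.
triage() {
    owner=$(perm_owner "$PERM")
    if ! affected "$1" "$2"; then
        echo "not-affected: $1 $2 is outside the advisory's version set"
    elif [ "$owner" = UNDEFINED ]; then
        echo "vulnerable: $PERM is undefined on $1 $2; workaround: pm disable-user --user 0 $(workaround_pkg "$1")"
    else
        echo "review: $PERM is already defined by $owner on $1 $2"
    fi
}

# Stand-alone demo on the constructed samples. On a real device, feed the
# output of `adb shell pm list permissions -f` to triage instead.
printf '%s\n' "$SAMPLE_UNDEFINED" | triage "TCL 30Z" v5.2120.02.12008.1.T
printf '%s\n' "$SAMPLE_DEFINED"   | triage "TCL 30Z" v5.2120.02.12008.2.T
printf '%s\n' "$SAMPLE_UNDEFINED" | triage "TCL 10L" v3.2014.12.1012.B
printf '%s\n' "$SAMPLE_UNDEFINED" | triage "TCL 30Z" v5.2120.02.12008.3.T
```

The version comparison goes beyond the two endpoints the advisory names and treats "through" as a numeric range, so any build whose dotted components sort between them is reported as affected; the 10L check is an exact match because only one build is listed. The "review" verdict is deliberately not "safe": a permission defined by a non-firmware package is exactly the ownership takeover the description warns about, and which package holds it should be inspected before the device is considered mitigated.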

Fix

Weakness Enumeration
Incorrect Default Permissions

Related Identifiers
CVE-2023-38295

Affected Products

Android
Tcl 10L
Tcl 30Z