PT-2024-12701 · Tcl · Tcl A3X+1
Published: 2024-04-22 · Updated: 2024-07-03 · CVE-2023-38296
CVSS v3.1: 8.0 High
Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TCL 30Z versions TCL/4188R/Jetta ATT:12/SP1A.210812.016/LV8E:user/release-keys through TCL/T602DL/Jetta TF:12/SP1A.210812.016/vU6X:user/release-keys
TCL A3X versions TCL/A600DL/Delhi TF:11/RKQ1.201202.002/vAAZ:user/release-keys through TCL/A600DL/Delhi TF:11/RKQ1.201202.002/vABS:user/release-keys
Description
The issue concerns various software builds for TCL 30Z and TCL A3X devices, where the ICCID is leaked to a system property that can be accessed by any local app without permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances, they are leaked by a high-privilege process and can be obtained indirectly. A malicious app can read from the "persist.sys.tctPowerIccid" system property to indirectly obtain the ICCID.
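An audit check for the leak described above, as an added example that is not part of the original advisory: it parses a property dump collected with `adb shell getprop` and reports whether the property named here is populated. It goes beyond the advisory by also flagging any other property whose value is ICCID-shaped (prefix 89, 19 or 20 digits, valid Luhn check digit). The function names and the sample dump are constructed for illustration.

```python
import re

# Property named in this advisory.
LEAK_PROP = "persist.sys.tctPowerIccid"
# `getprop` prints one "[name]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
# ICCIDs start with the telecom prefix 89 and are 19 or 20 digits long.
ICCID_SHAPE = re.compile(r"^89\d{17,18}$")


def luhn_ok(digits: str) -> bool:
    """Validate the Luhn check digit that ends an ICCID."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_iccid_props(getprop_output: str) -> list[tuple[str, str]]:
    """Return (property, reason) for each property that exposes an ICCID."""
    findings = []
    for line in getprop_output.splitlines():
        m = PROP_LINE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == LEAK_PROP and value:
            findings.append((name, "advisory property is populated"))
        elif ICCID_SHAPE.match(value) and luhn_ok(value):
            findings.append((name, "ICCID-shaped value"))
    return findings


# Constructed sample dump; the ICCID is a made-up value with a valid Luhn digit.
SAMPLE = """\
[ro.build.version.release]: [12]
[persist.sys.tctPowerIccid]: [8901260123456789011]
[persist.sys.timezone]: [America/Chicago]
"""

if __name__ == "__main__":
    for name, reason in find_iccid_props(SAMPLE):
        print(f"{name}: {reason}")
```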
Recommendations
For TCL 30Z versions TCL/4188R/Jetta ATT:12/SP1A.210812.016/LV8E:user/release-keys through TCL/T602DL/Jetta TF:12/SP1A.210812.016/vU6X:user/release-keys, consider restricting access to the persist.sys.tctPowerIccid system property until a patch is available.
For TCL A3X versions TCL/A600DL/Delhi TF:11/RKQ1.201202.002/vAAZ:user/release-keys through TCL/A600DL/Delhi TF:11/RKQ1.201202.002/vABS:user/release-keys, consider restricting access to the persist.sys.tctPowerIccid system property until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Improper Access Control
Incorrect Privilege Assignment
Information Disclosure
Related Identifiers
Affected Products
Tcl 30Z
Tcl A3X