PT-2024-12703 · Google+1 · Android 10+4

Published: 2024-04-22 · Updated: 2024-07-03 · CVE-2023-38298

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

TCL 30Z versions 12/SP1A.210812.016/LV8E through 12/SP1A.210812.016/vU6X
TCL A3X versions 11/RKQ1.201202.002/vAAZ through 11/RKQ1.201202.002/vABS
TCL 20XE versions 11/RP1A.200720.011/PB7I-0 through 11/RP1A.200720.011/PB83-0
TCL 10L versions 10/QKQ1.200329.002/3CJ0 through 11/RKQ1.210107.001/8BIC

Description

Various software builds for TCL devices leak the device IMEI to a system property, so any local app can read it without permissions. A high-privilege process leaks the identifier into the property, from which it can be obtained indirectly. A malicious app reads the gsm.device.imei0 system property to obtain the device IMEI. Google restricted direct access to non-resettable device identifiers in Android 10 and higher, but this leak bypasses that restriction.

Recommendations

For TCL 30Z versions 12/SP1A.210812.016/LV8E through 12/SP1A.210812.016/vU6X, restrict access to the gsm.device.imei0 system property to prevent indirect obtainment of the device IMEI.
For TCL A3X versions 11/RKQ1.201202.002/vAAZ through 11/RKQ1.201202.002/vABS, avoid using the gsm.device.imei0 system property in local apps until the issue is resolved.
For TCL 20XE versions 11/RP1A.200720.011/PB7I-0 through 11/RP1A.200720.011/PB83-0, consider disabling access to the gsm.device.imei0 system property as a temporary workaround.
For TCL 10L versions 10/QKQ1.200329.002/3CJ0 through 11/RKQ1.210107.001/8BIC, limit the use of the gsm.device.imei0 system property to minimize the risk of exploitation.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control

Incorrect Privilege Assignment

Related Identifiers

CVE-2023-38298

Affected Products

Android 10
TCL 10L
TCL 20XE
TCL 30Z
TCL A3X