CVE-2023-38299

Name of the Vulnerable Software and Affected Versions AT&T Calypso version ATT/U318AA/U318AA:10/QP1A.190711.020/1632369780:user/release-keys Nokia C100 versions Nokia/DrakeLite 02US/DKT:12/SP1A.210812.016/02US 1 190:user/release-keys through Nokia/DrakeLite 02US/DKT:12/SP1A.210812.016/02US 1 270:user/release-keys Nokia C200 version Nokia/Drake 02US/DRK:12/SP1A.210812.016/02US 1 080:user/release-keys BLU View 3 versions BLU/B140DL/B140DL:11/RP1A.200720.011/1628014629:user/release-keys through BLU/B140DL/B140DL:11/RP1A.200720.011/1672371162:user/release-keys

Description The issue concerns various software builds for the AT&T Calypso, Nokia C100, Nokia C200, and BLU View 3 devices, which leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances, they are leaked by a high-privilege process and can be obtained indirectly. A malicious app can read from the persist.sys.imei1 system property to indirectly obtain the device IMEI.

Recommendations For AT&T Calypso version ATT/U318AA/U318AA:10/QP1A.190711.020/1632369780:user/release-keys, restrict access to the persist.sys.imei1 system property to prevent indirect obtainment of the device IMEI. For Nokia C100 versions Nokia/DrakeLite 02US/DKT:12/SP1A.210812.016/02US 1 190:user/release-keys through Nokia/DrakeLite 02US/DKT:12/SP1A.210812.016/02US 1 270:user/release-keys, restrict access to the persist.sys.imei1 system property to prevent indirect obtainment of the device IMEI. For Nokia C200 version Nokia/Drake 02US/DRK:12/SP1A.210812.016/02US 1 080:user/release-keys, restrict access to the persist.sys.imei1 system property to prevent indirect obtainment of the device IMEI. For BLU View 3 versions BLU/B140DL/B140DL:11/RP1A.200720.011/1628014629:user/release-keys through BLU/B140DL/B140DL:11/RP1A.200720.011/1672371162:user/release-keys, restrict access to the persist.sys.imei1 system property to prevent indirect obtainment of the device IMEI. At the moment, there is no information about a newer version that contains a fix for this vulnerability.