CVE-2023-38300

Name of the Vulnerable Software and Affected Versions Orbic Maui device version ORB545L V1.4.2 BVZPP

Description A certain software build for the Orbic Maui device leaks the IMEI and the ICCID to system properties that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in this instance they are leaked by a high-privilege process and can be obtained indirectly. This issue allows a malicious app to read from the persist.sys.verizon test plan imei system property to indirectly obtain the IMEI and reads the persist.sys.verizon test plan iccid system property to obtain the ICCID.

Recommendations As a temporary workaround, consider restricting access to the persist.sys.verizon test plan imei and persist.sys.verizon test plan iccid system properties to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.