Skip to main content

CVE-2022-38670: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

High
VulnerabilityCVE-2022-38670cvecve-2022-38670cwe-862
Published: Fri Oct 14 2022 (10/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

Description

In soundrecorder service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed.

AI-Powered Analysis

AILast updated: 07/06/2025, 08:42:24 UTC

Technical Analysis

CVE-2022-38670 is a high-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability stems from a missing authorization check within the soundrecorder service, which is responsible for handling audio recording functionalities. Due to this missing permission validation, an attacker with limited privileges (local access with low privileges) can exploit this flaw to elevate their privileges specifically within the contacts service. This elevation of privilege allows the attacker to gain high confidentiality, integrity, and availability impact on the contacts data, potentially enabling unauthorized access, modification, or deletion of sensitive contact information. The CVSS 3.1 score of 7.8 reflects the high impact and relatively low complexity of exploitation, requiring no user interaction but limited to local access with some privileges. Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk due to the sensitive nature of contact data and the widespread use of affected chipsets in various Android devices. The flaw is categorized under CWE-862 (Missing Authorization), indicating a failure to properly enforce access controls, which is a critical security oversight in system services that manage sensitive user data.

Potential Impact

For European organizations, the impact of CVE-2022-38670 can be substantial, especially for enterprises and government entities relying on mobile devices powered by Unisoc chipsets. The contacts service often contains sensitive personal and professional information, including client contacts, internal communication channels, and confidential business relationships. Unauthorized access or modification of this data can lead to privacy violations, data breaches, and potential regulatory non-compliance under GDPR. Additionally, the elevation of privilege could be leveraged as a stepping stone for further attacks on the device or network, potentially compromising organizational security. The vulnerability's presence in Android versions 10 through 12 means a broad range of devices remain at risk, including those used by employees for work-related communications. This could affect sectors such as finance, healthcare, and public administration, where contact data integrity and confidentiality are paramount. Moreover, the lack of user interaction required for exploitation increases the risk of automated or stealthy attacks within corporate environments.

Mitigation Recommendations

To mitigate CVE-2022-38670 effectively, European organizations should: 1) Identify and inventory all mobile devices using Unisoc chipsets running Android 10, 11, or 12 within their environment. 2) Work with device manufacturers and Unisoc to obtain and apply any available security patches or firmware updates addressing this vulnerability. 3) If patches are unavailable, consider restricting the use of affected devices for sensitive communications or deploying mobile device management (MDM) solutions to enforce strict application permissions and monitor unusual behavior in the soundrecorder and contacts services. 4) Implement strict access controls and privilege management on mobile devices to limit local user privileges, reducing the attack surface for privilege escalation. 5) Educate users about the risks of installing untrusted applications or granting excessive permissions that could exploit this vulnerability. 6) Monitor device logs and network traffic for anomalies indicative of exploitation attempts targeting the contacts or soundrecorder services. 7) Consider isolating or segmenting mobile devices in the corporate network to limit lateral movement if compromise occurs.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Unisoc
Date Reserved
2022-08-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fa1484d88663aec417

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/6/2025, 8:42:24 AM

Last updated: 7/31/2025, 6:53:35 PM

Views: 12

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats