Skip to main content

CVE-2022-38697: CWE-862 Missing Authorization in Unisoc (Shanghai) Technologies Co., Ltd. SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

Medium
VulnerabilityCVE-2022-38697cvecve-2022-38697cwe-862
Published: Fri Oct 14 2022 (10/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC9863A/SC9832E/SC7731E/T610/T310/T606/T760/T610/T618/T606/T612/T616/T760/T770/T820/S8000

Description

In messaging service, there is a missing permission check. This could lead to access unexpected provider in contacts service with no additional execution privileges needed.

AI-Powered Analysis

AILast updated: 07/06/2025, 10:58:32 UTC

Technical Analysis

CVE-2022-38697 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC9863A, SC9832E, SC7731E, and various T-series models (T610, T310, T606, T760, T618, T612, T616, T770, T820, S8000). These chipsets are integrated into devices running Android 10, 11, and 12. The vulnerability is categorized under CWE-862, which refers to missing authorization checks. Specifically, the flaw exists in the messaging service component where a permission check is missing. This omission allows unauthorized access to a provider within the contacts service without requiring additional execution privileges or user interaction. The vulnerability has a CVSS 3.1 base score of 5.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reveals that the attack requires local access (AV:L) with low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No known exploits are reported in the wild, and no official patches have been linked yet. The vulnerability could allow a local attacker or malicious app with limited privileges to access sensitive contact information by bypassing authorization controls in the messaging service, potentially leading to privacy breaches or data leakage.

Potential Impact

For European organizations, this vulnerability poses a significant privacy risk, especially for sectors handling sensitive personal data such as healthcare, finance, and government. The unauthorized access to contact information could lead to exposure of personally identifiable information (PII), facilitating targeted phishing, social engineering attacks, or identity theft. Since the vulnerability affects devices running Android 10 to 12 on Unisoc chipsets, organizations with employees or customers using such devices may face increased risk of data leakage. The local attack vector means that malicious apps or insiders with device access could exploit this flaw without needing elevated privileges or user interaction. This could undermine trust in mobile device security and complicate compliance with GDPR regulations concerning data protection and breach notification. Additionally, the lack of patches increases the window of exposure, making timely mitigation critical.

Mitigation Recommendations

European organizations should implement a multi-layered mitigation strategy beyond generic advice: 1) Device Inventory and Management: Identify and catalog all mobile devices using Unisoc chipsets running Android 10-12 within the organization. 2) Application Control: Restrict installation of untrusted or unnecessary apps through Mobile Device Management (MDM) solutions to reduce the risk of local exploitation. 3) Least Privilege Enforcement: Ensure apps requesting access to contacts or messaging services have appropriate permissions and monitor for anomalous access patterns. 4) Network Segmentation: Limit sensitive data access on mobile devices by enforcing VPN usage and segregating critical network resources. 5) User Awareness: Educate users about risks of installing unknown apps and encourage reporting of suspicious device behavior. 6) Vendor Engagement: Actively monitor Unisoc and device manufacturers for patch releases and apply updates promptly once available. 7) Incident Response Preparedness: Develop procedures to detect and respond to potential exploitation attempts, including monitoring for unusual access to contacts data. 8) Alternative Device Usage: For high-risk roles, consider provisioning devices with chipsets not affected by this vulnerability or running updated OS versions beyond Android 12 if possible.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Unisoc
Date Reserved
2022-08-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec65c

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 10:58:32 AM

Last updated: 8/15/2025, 11:54:09 AM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats