CVE-2023-42698: Vulnerability in Unisoc (Shanghai) Technologies Co., Ltd. SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000
In omacp service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed
AI Analysis
Technical Summary
CVE-2023-42698 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC7731E, SC9832E, SC9863A, and several others used in Android devices running versions 11, 12, and 13. The flaw exists within the omacp service, which is responsible for handling OMA Client Provisioning messages, a mechanism used for device configuration and management. The vulnerability arises due to a missing permission check that allows an application with limited privileges (requiring only low-level privileges, no user interaction) to write permission usage records of other apps locally. This improper access control (CWE-862) leads to local information disclosure, as the attacker can access sensitive permission usage data without needing elevated execution privileges or user interaction. The CVSS v3.1 base score is 5.5, reflecting a medium severity with a local attack vector, low attack complexity, and low privileges required, but no impact on integrity or availability, only confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a broad range of Unisoc chipsets commonly integrated into budget and mid-range Android smartphones, which are prevalent in various markets worldwide. The flaw could be leveraged by malicious apps already installed on a device to glean sensitive information about other apps’ permission usage, potentially aiding further targeted attacks or privacy violations.
Potential Impact
For European organizations, the impact of CVE-2023-42698 is primarily related to privacy and confidentiality risks on mobile devices using affected Unisoc chipsets. Organizations relying on Android devices with these chipsets may face unauthorized local disclosure of sensitive permission usage data, which could reveal user behavior patterns, app usage, or security configurations. This information leakage could facilitate more sophisticated attacks, social engineering, or targeted exploitation of other vulnerabilities. While the vulnerability does not allow remote exploitation or direct compromise of device integrity or availability, it poses a risk to data confidentiality, especially in environments where mobile devices handle sensitive corporate information or are used for secure communications. The risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure—even local and indirect—can lead to compliance issues and reputational damage. However, the requirement for local access and low privileges limits the attack surface primarily to scenarios where malicious apps are installed or insider threats exist.
Mitigation Recommendations
To mitigate CVE-2023-42698, European organizations should: 1) Ensure mobile device management (MDM) solutions enforce strict app installation policies, restricting installation to trusted sources and blocking potentially malicious applications that could exploit this vulnerability. 2) Monitor and audit installed applications regularly for suspicious behavior or unauthorized permission requests. 3) Encourage users to update their devices promptly once Unisoc or device manufacturers release security patches addressing this vulnerability. 4) Where possible, prefer devices with chipsets from vendors with a strong security update track record or consider alternative hardware for high-security environments. 5) Implement endpoint security solutions capable of detecting anomalous local access patterns or unauthorized attempts to read permission usage data. 6) Educate users about the risks of installing untrusted apps and the importance of device hygiene, especially in corporate contexts. Since no patches are currently linked, organizations should maintain close communication with device vendors and Unisoc for timely updates.
Affected Countries
Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland, Czech Republic
CVE-2023-42698: Vulnerability in Unisoc (Shanghai) Technologies Co., Ltd. SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000
Description
In omacp service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed
AI-Powered Analysis
Technical Analysis
CVE-2023-42698 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC7731E, SC9832E, SC9863A, and several others used in Android devices running versions 11, 12, and 13. The flaw exists within the omacp service, which is responsible for handling OMA Client Provisioning messages, a mechanism used for device configuration and management. The vulnerability arises due to a missing permission check that allows an application with limited privileges (requiring only low-level privileges, no user interaction) to write permission usage records of other apps locally. This improper access control (CWE-862) leads to local information disclosure, as the attacker can access sensitive permission usage data without needing elevated execution privileges or user interaction. The CVSS v3.1 base score is 5.5, reflecting a medium severity with a local attack vector, low attack complexity, and low privileges required, but no impact on integrity or availability, only confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a broad range of Unisoc chipsets commonly integrated into budget and mid-range Android smartphones, which are prevalent in various markets worldwide. The flaw could be leveraged by malicious apps already installed on a device to glean sensitive information about other apps’ permission usage, potentially aiding further targeted attacks or privacy violations.
Potential Impact
For European organizations, the impact of CVE-2023-42698 is primarily related to privacy and confidentiality risks on mobile devices using affected Unisoc chipsets. Organizations relying on Android devices with these chipsets may face unauthorized local disclosure of sensitive permission usage data, which could reveal user behavior patterns, app usage, or security configurations. This information leakage could facilitate more sophisticated attacks, social engineering, or targeted exploitation of other vulnerabilities. While the vulnerability does not allow remote exploitation or direct compromise of device integrity or availability, it poses a risk to data confidentiality, especially in environments where mobile devices handle sensitive corporate information or are used for secure communications. The risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure—even local and indirect—can lead to compliance issues and reputational damage. However, the requirement for local access and low privileges limits the attack surface primarily to scenarios where malicious apps are installed or insider threats exist.
Mitigation Recommendations
To mitigate CVE-2023-42698, European organizations should: 1) Ensure mobile device management (MDM) solutions enforce strict app installation policies, restricting installation to trusted sources and blocking potentially malicious applications that could exploit this vulnerability. 2) Monitor and audit installed applications regularly for suspicious behavior or unauthorized permission requests. 3) Encourage users to update their devices promptly once Unisoc or device manufacturers release security patches addressing this vulnerability. 4) Where possible, prefer devices with chipsets from vendors with a strong security update track record or consider alternative hardware for high-security environments. 5) Implement endpoint security solutions capable of detecting anomalous local access patterns or unauthorized attempts to read permission usage data. 6) Educate users about the risks of installing untrusted apps and the importance of device hygiene, especially in corporate contexts. Since no patches are currently linked, organizations should maintain close communication with device vendors and Unisoc for timely updates.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Unisoc
- Date Reserved
- 2023-09-13T07:40:40.028Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68386f5b182aa0cae2811a79
Added to database: 5/29/2025, 2:29:47 PM
Last enriched: 7/8/2025, 2:25:21 AM
Last updated: 7/28/2025, 10:33:57 PM
Views: 16
Related Threats
CVE-2025-9016: Uncontrolled Search Path in Mechrevo Control Center GX V2
HighCVE-2025-8451: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets
MediumCVE-2025-8013: CWE-918 Server-Side Request Forgery (SSRF) in quttera Quttera Web Malware Scanner
LowCVE-2025-6679: CWE-434 Unrestricted Upload of File with Dangerous Type in bitpressadmin Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder
CriticalCVE-2025-9013: SQL Injection in PHPGurukul Online Shopping Portal Project
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.