
CVE-2023-42698: Vulnerability in Unisoc (Shanghai) Technologies Co., Ltd. SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

Severity: Medium
Published: Mon Dec 04 2023 (12/04/2023, 00:54:09 UTC)
Source: CVE Database V5
Vendor/Project: Unisoc (Shanghai) Technologies Co., Ltd.
Product: SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T760/T770/T820/S8000

Description

In omacp service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

AI-Powered Analysis

Last updated: 07/08/2025, 02:25:21 UTC

Technical Analysis

CVE-2023-42698 is a medium-severity vulnerability identified in multiple Unisoc (Shanghai) Technologies Co., Ltd. chipsets, including SC7731E, SC9832E, SC9863A, and several others used in Android devices running versions 11, 12, and 13. The flaw exists within the omacp service, which is responsible for handling OMA Client Provisioning messages, a mechanism used for device configuration and management. The vulnerability arises due to a missing permission check that allows an application with limited privileges (requiring only low-level privileges, no user interaction) to write permission usage records of other apps locally. This improper access control (CWE-862) leads to local information disclosure, as the attacker can access sensitive permission usage data without needing elevated execution privileges or user interaction. The CVSS v3.1 base score is 5.5, reflecting a medium severity with a local attack vector, low attack complexity, and low privileges required, but no impact on integrity or availability, only confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects a broad range of Unisoc chipsets commonly integrated into budget and mid-range Android smartphones, which are prevalent in various markets worldwide. The flaw could be leveraged by malicious apps already installed on a device to glean sensitive information about other apps’ permission usage, potentially aiding further targeted attacks or privacy violations.

Potential Impact

For European organizations, the impact of CVE-2023-42698 is primarily related to privacy and confidentiality risks on mobile devices using affected Unisoc chipsets. Organizations relying on Android devices with these chipsets may face unauthorized local disclosure of sensitive permission usage data, which could reveal user behavior patterns, app usage, or security configurations. This information leakage could facilitate more sophisticated attacks, social engineering, or targeted exploitation of other vulnerabilities. While the vulnerability does not allow remote exploitation or direct compromise of device integrity or availability, it poses a risk to data confidentiality, especially in environments where mobile devices handle sensitive corporate information or are used for secure communications. The risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data exposure—even local and indirect—can lead to compliance issues and reputational damage. However, the requirement for local access and low privileges limits the attack surface primarily to scenarios where malicious apps are installed or insider threats exist.

Mitigation Recommendations

To mitigate CVE-2023-42698, European organizations should:

1) Ensure mobile device management (MDM) solutions enforce strict app installation policies, restricting installation to trusted sources and blocking potentially malicious applications that could exploit this vulnerability.
2) Monitor and audit installed applications regularly for suspicious behavior or unauthorized permission requests.
3) Encourage users to update their devices promptly once Unisoc or device manufacturers release security patches addressing this vulnerability.
4) Where possible, prefer devices with chipsets from vendors with a strong security update track record or consider alternative hardware for high-security environments.
5) Implement endpoint security solutions capable of detecting anomalous local access patterns or unauthorized attempts to read permission usage data.
6) Educate users about the risks of installing untrusted apps and the importance of device hygiene, especially in corporate contexts.

Since no patches are currently linked, organizations should maintain close communication with device vendors and Unisoc for timely updates.


Technical Details

Data Version: 5.1
Assigner Short Name: Unisoc
Date Reserved: 2023-09-13T07:40:40.028Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68386f5b182aa0cae2811a79

Added to database: 5/29/2025, 2:29:47 PM

Last enriched: 7/8/2025, 2:25:21 AM

Last updated: 8/15/2025, 7:27:19 AM
