CVE-2023-38302 : A certain software build for the Sharp Rouvo V device (SHARP/VZW

A certain software build for the Sharp Rouvo V device (SHARP/VZW_STTM21VAPP/STTM21VAPP:12/SP1A.210812.016/1KN0_0_530:user/release-keys) leaks the Wi-Fi MAC address and the Bluetooth MAC address to system properties that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in this instance they are leaked by a high-privilege process and can be obtained indirectly. This malicious app reads from the "ro.boot.wifi_mac" system property to indirectly obtain the Wi-Fi MAC address and reads the "ro.boot.bt_mac" system property to obtain the Bluetooth MAC address.

Published 2024-04-22 15:15:47

Updated 2024-04-22 19:24:07

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-38302

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-38302

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

References for CVE-2023-38302

https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-38302

Products affected by CVE-2023-38302

Exploit prediction scoring system (EPSS) score for CVE-2023-38302

References for CVE-2023-38302