Login Sign Up

CVE-2023-21388

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to bypass permission checks in Android Settings, potentially gaining elevated privileges without user interaction. It affects Android devices running vulnerable versions, allowing attackers with physical or remote access to escalate privileges locally.

💻 Affected Systems

Products:
  • Android
Versions: Android versions before Android 14
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with vulnerable Settings components. The vulnerability is in the Android framework itself.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with attacker gaining system-level privileges, potentially installing persistent malware, accessing all user data, and bypassing security controls.

🟠

Likely Case

Local privilege escalation allowing attackers to modify system settings, install unauthorized applications, or access restricted data without proper permissions.

🟢

If Mitigated

Limited impact if devices are fully patched, have strict app permissions, and use verified boot with integrity checks.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with physical access could exploit this to gain elevated privileges on affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but no user interaction. The missing permission check makes exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android 14 (October 2023 security update)

Vendor Advisory: https://source.android.com/docs/security/bulletin/android-14

Restart Required: Yes

Instructions:

1. Update device to Android 14 or later. 2. Apply October 2023 security patch. 3. Reboot device after update. 4. Verify update through Settings > About phone > Android version.

🔧 Temporary Workarounds

Restrict app permissions

android

Limit app permissions to minimum required, especially for Settings-related permissions

Disable unknown sources

android

Prevent installation of apps from unknown sources to reduce attack surface

🧯 If You Can't Patch

  • Implement strict app vetting and only allow trusted applications
  • Use mobile device management (MDM) solutions to enforce security policies and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If version is below Android 14, device is vulnerable.

Check Version:

Settings > About phone > Android version

Verify Fix Applied:

Verify Android version is 14 or higher and security patch level is October 2023 or later in Settings > About phone.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Settings permission requests
  • Suspicious system modification attempts
  • Unexpected privilege escalation events

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for typical Android deployments without centralized logging

📊 Metadata

CVE ID: CVE-2023-21388
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862
Published: October 30, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-21388, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)