Login Sign Up

CVE-2023-35665

7.8 HIGH

📋 TL;DR

This vulnerability allows unauthorized import of contacts from other users on Android devices due to a missing permission check in Telephony services. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affects Android devices running vulnerable versions of the Telephony package.

💻 Affected Systems

Products:
  • Android Telephony services
Versions: Android versions prior to September 2023 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with Telephony services package. The vulnerability is in the contact import functionality.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could import sensitive contact data from other users, potentially accessing private information, phone numbers, and contact details without authorization.

🟠

Likely Case

Malicious apps could silently harvest contact information from other users on the same device, violating privacy and potentially enabling further attacks.

🟢

If Mitigated

With proper patching, the permission check is enforced, preventing unauthorized contact imports and maintaining proper user isolation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: MEDIUM - On shared or multi-user Android devices, this could allow unauthorized access to contact data between users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device but no user interaction. The missing permission check makes exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: September 2023 Android Security Patch

Vendor Advisory: https://source.android.com/security/bulletin/2023-09-01

Restart Required: Yes

Instructions:

1. Apply September 2023 Android Security Patch. 2. Update affected Android devices through system updates. 3. Restart device after update installation.

🔧 Temporary Workarounds

Disable contact sharing permissions

android

Restrict contact access permissions for apps to limit potential data exposure

Use single-user mode

android

Avoid using multi-user profiles on affected devices to prevent cross-user contact access

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app permission controls and monitor for unusual contact access patterns

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version. If patch level is before September 2023, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows September 2023 or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual contact import activities in Telephony service logs
  • Permission denial errors related to contact access

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Search for Telephony service errors or contact import activities outside normal user patterns

📊 Metadata

CVE ID: CVE-2023-35665
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862
Published: September 11, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35665, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)