CVE-2023-35689

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to access Android Debug Bridge (adb) before Setup Wizard completion due to an insecure default value in Wear OS devices. This could lead to local privilege escalation without requiring user interaction. Affects Wear OS devices before the August 2023 security patch.

💻 Affected Systems

Products:
  • Wear OS devices
Versions: Wear OS versions before August 2023 security patch
Operating Systems: Android/Wear OS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the DeviceVersionFragment.java component in Wear OS devices during Setup Wizard phase.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains full device control, installs malware, exfiltrates sensitive data, or bricks the device.

🟠 Likely Case: Local attacker gains elevated privileges to install unauthorized apps or access restricted device functions.

🟢 If Mitigated: Attack prevented through timely patching; minimal impact with proper device security controls.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or local network access to the device.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or compromised devices within an organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device but no user interaction. The vulnerability is in the default configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2023 security patch for Wear OS

Vendor Advisory: https://source.android.com/security/bulletin/wear/2023-08-01

Restart Required: Yes

Instructions:

1. Check for Wear OS updates in device Settings > System > System updates.
2. Install the August 2023 security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable USB debugging

Applies to: all affected versions

Manually disable USB debugging in developer options to prevent adb access.

Settings > System > Developer options > USB debugging (toggle OFF)

🧯 If You Can't Patch

  • Restrict physical access to Wear OS devices
  • Disable developer options and USB debugging on all devices

🔍 How to Verify

Check if Vulnerable:

Check if device has August 2023 security patch: Settings > System > About > Android security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify patch level shows 'August 5, 2023' or later in Android security patch level
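The patch-level check above, scripted for a fleet of watches. This is an added example, not part of the advisory or of any vendor tooling: it assumes `adb` is on PATH and the devices have authorised USB debugging, and it treats a blank or malformed property value as "undecided" rather than "patched".

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Wear OS security patch
# level against the August 2023 patch (2023-08-05) that addresses
# CVE-2023-35689. Input is the value of
#   adb shell getprop ro.build.version.security_patch
# which is a YYYY-MM-DD string.
FIXED_PATCH_LEVEL="2023-08-05"

# patch_level_fixed LEVEL
#   returns 0 when LEVEL is a well-formed date on or after $FIXED_PATCH_LEVEL,
#   1 when it is earlier (device still vulnerable), 2 when LEVEL is empty or
#   malformed (adb failed, property missing), so a blank answer is never
#   mistaken for "patched".
patch_level_fixed() {
    pl=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output ends in \r\n
    case "$pl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the dashes so 2023-08-05 becomes 20230805; ISO dates keep their
    # ordering as integers, so a numeric compare is a date compare.
    have=$(printf '%s' "$pl" | sed 's/-//g')
    want=$(printf '%s' "$FIXED_PATCH_LEVEL" | sed 's/-//g')
    if [ "$have" -ge "$want" ]; then
        return 0
    fi
    return 1
}

# check_device SERIAL
#   queries one device over adb (assumed on PATH and authorised), prints a
#   verdict line and returns the same status as patch_level_fixed.
check_device() {
    serial=$1
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '[:space:]')
    patch_level_fixed "$level"
    rc=$?
    case $rc in
        0) echo "$serial: patch level $level, fixed" ;;
        1) echo "$serial: patch level $level, VULNERABLE to CVE-2023-35689" ;;
        *) echo "$serial: could not read patch level (no adb access?)" ;;
    esac
    return $rc
}

# check_connected_devices
#   runs check_device for every device that `adb devices` lists as online.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial"
    done
}
```

Call `check_connected_devices` after plugging the watches in; a device that reports status 2 has not been verified and should be treated as unpatched until it is.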

📡 Detection & Monitoring

Log Indicators:

  • Unexpected adb connections during device setup phase
  • Unauthorized package installations

Network Indicators:

  • Unexpected adb network connections from Wear OS devices

SIEM Query:

DeviceLogs WHERE EventType='adb_connection' AND DeviceOS='Wear OS' AND Timestamp BEFORE '2023-08-01'
