CVE-2023-42716 – CVE-2023-42716 is a missing permission check vu... (How to Fix)

Q: What is the severity of CVE-2023-42716?

CVE-2023-42716 has a CVSS score of 7.5 (HIGH). CVE-2023-42716 is a missing permission check vulnerability in telephony services that could allow remote attackers to access sensitive information without requiring additional execution privileges. This affects devices using vulnerable telephony implementations, potentially exposing call logs, contact information, or other telephony-related data.

📋 TL;DR

CVE-2023-42716 is a missing permission check vulnerability in telephony services that could allow remote attackers to access sensitive information without requiring additional execution privileges. This affects devices using vulnerable telephony implementations, potentially exposing call logs, contact information, or other telephony-related data.

💻 Affected Systems

Products:

Unisoc telephony implementations
Devices using Unisoc chipsets

Versions: Specific versions not detailed in references; likely affects multiple versions prior to patch

Operating Systems: Android-based systems with Unisoc telephony services

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with Unisoc telephony implementations; exact device models not specified in provided references

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains unauthorized access to sensitive telephony data including call records, contact information, and potentially location data without user interaction.

🟠

Likely Case

Information disclosure of telephony metadata and potentially sensitive user data to malicious apps or network attackers.

🟢

If Mitigated

Limited impact with proper permission controls and network segmentation in place.

🌐 Internet-Facing: MEDIUM - While remote exploitation is possible, it typically requires network access to the vulnerable service.

🏢 Internal Only: HIGH - Internal attackers or malicious apps could easily exploit this vulnerability to access sensitive telephony data.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

No authentication required for exploitation; complexity is low due to missing permission check

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check vendor advisory for specific patched versions

Vendor Advisory: https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049

Restart Required: Yes

Instructions:

1. Check with device manufacturer for available security updates 2. Apply the latest security patch from vendor 3. Reboot device after patch installation

🔧 Temporary Workarounds

Network segmentation

all

Restrict network access to telephony services

App permission review

android

Review and restrict app permissions related to telephony services

🧯 If You Can't Patch

Implement network segmentation to isolate telephony services
Monitor for suspicious access attempts to telephony APIs

🔍 How to Verify

Check if Vulnerable:

Check device manufacturer security bulletins and compare with current software version

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level includes CVE-2023-42716 fix and test telephony permission enforcement

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to telephony APIs
Permission denial logs for telephony services

Network Indicators:

Unexpected network traffic to telephony service ports
Anomalous API calls to telephony endpoints

SIEM Query:

telephony_api_access AND (permission_denied OR unauthorized_access)

📊 Metadata

CVE ID: CVE-2023-42716

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-668

Published: December 4, 2023

Last Updated: May 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-42716, you might also want to check these: