CVE-2023-48404 – This vulnerability allows remote attackers to r... (How to Fix)

Q: What is the severity of CVE-2023-48404?

CVE-2023-48404 has a CVSS score of 7.5 (HIGH). This vulnerability allows remote attackers to read memory outside intended bounds in Android's ProtocolMiscCarrierConfigSimInfoIndAdapter component, potentially disclosing sensitive information without user interaction. It affects Android devices, particularly Google Pixel phones, and requires no special privileges for exploitation.

📋 TL;DR

This vulnerability allows remote attackers to read memory outside intended bounds in Android's ProtocolMiscCarrierConfigSimInfoIndAdapter component, potentially disclosing sensitive information without user interaction. It affects Android devices, particularly Google Pixel phones, and requires no special privileges for exploitation.

💻 Affected Systems

Products:

Google Pixel phones
Android devices with affected protocol stack

Versions: Android versions prior to December 2023 security patch

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects ProtocolMiscCarrierConfigSimInfoIndAdapter in protocolmiscadapter.cpp

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote information disclosure could leak sensitive device data, SIM information, or memory contents to attackers without any user interaction.

🟠

Likely Case

Information disclosure of carrier configuration data or adjacent memory contents, potentially exposing device identifiers or configuration details.

🟢

If Mitigated

Limited impact with proper network segmentation and device isolation, though information disclosure still possible.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

No authentication required, but exploitation requires sending specially crafted protocol messages to the vulnerable component

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2023 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-12-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update. 2. Install December 2023 Android security patch. 3. Reboot device after installation.

🔧 Temporary Workarounds

Network segmentation

all

Isolate affected devices from untrusted networks to prevent remote exploitation

Disable vulnerable services

android

Restrict carrier configuration services if not required

🧯 If You Can't Patch

Isolate affected devices in separate network segments with strict firewall rules
Monitor network traffic for unusual protocol activity targeting carrier configuration services

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows December 2023 or later

📡 Detection & Monitoring

Log Indicators:

Unusual protocol errors in system logs
Carrier configuration service crashes

Network Indicators:

Unusual protocol traffic to carrier configuration services
Suspicious SIM-related protocol messages

SIEM Query:

source="android_system" AND ("ProtocolMiscCarrierConfig" OR "protocolmiscadapter") AND (error OR crash OR exception)

📊 Metadata

CVE ID: CVE-2023-48404

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-125

Published: December 8, 2023

Last Updated: November 21, 2024

🔗 References

https://source.android.com/security/bulletin/pixel/2023-12-01 Vendor Advisory
https://source.android.com/security/bulletin/pixel/2023-12-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-48404, you might also want to check these: