CVE-2022-23835: Persistent Access to Visual Voice Mail in Android through the READ_SMS Permission (Disputed)

A recently discovered vulnerability, CVE-2022-23835, has raised concerns regarding the security of the Visual Voice Mail (VVM) application for Android phones. The vulnerability claims that attackers can gain persistent access to the VVM application by temporarily controlling another application with the READ_SMS permission. However, it's worth mentioning upfront that some vendors dispute this as a "concrete and exploitable risk."

Vulnerability Details

According to the report, this security issue affects the VVM application on Android devices running up to version 2022-02-24. The vulnerability hinges on the fact that the Android IMAP credentialing message is not displayed to the user within the AOSP SMS/MMS messaging application.

The implications of this vulnerability are significant if it is indeed exploitable, as it could allow unauthorized access to voice mail messages. The attacker would be able to listen to voice mail messages sent before the vulnerability was exploited and new ones.

Attacker gains temporary control over another application with READ_SMS permission on the device.

2. Attacker reads the IMAP credentialing message (which is not displayed to the user by design) from the VVM application.

3. Attacker uses these IMAP credentials to gain persistent access to voice mails, which they would not normally have access to.

Example of Code Snippet Exploiting READ_SMS permission

In this code snippet, an application requests the READ_SMS permission with a higher priority, which could potentially be used to exploit CVE-2022-23835 vulnerability.

<manifest ... >
  ...
  <uses-permission android:name="android.permission.READ_SMS" android:maxSdkVersion="22" />
  ...
  <application ...>
  ...
  </application>
</manifest>

Original References

1. The CVE-2022-23835 vulnerability was first reported through the NIST National Vulnerability Database (NVD) and can be found here.

2. The AOSP SMS/MMS application, which does not display the IMAP credentialing message by design, can be found in the Android Open Source Project repository here.

Disputed Claims

Some industry vendors have questioned the viability of this vulnerability, characterizing it as not a "concrete and exploitable risk." These assertions stem from the fact that the attacker would need temporary control over another application on the device, which is seen as a significant barrier to exploiting this particular vulnerability.

Conclusion

While the CVE-2022-23835 vulnerability may potentially affect Android's Visual Voice Mail application, its disputed status leaves room for debate over its actual impact. Until further assessment and research are conducted, users should remain vigilant and keep their devices updated with the latest security patches and updates. Developers should also be cautious when integrating external libraries or permissions like READ_SMS, as they could lead to unintended security vulnerabilities.

Timeline

Published on: 02/25/2022 04:15:00 UTC
Last modified on: 03/10/2022 16:38:00 UTC