Samsung smartphones affected by six exploited vulnerabilities
Six vulnerabilities affecting Samsung mobile devices have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalogue. Samsung addressed all of the vulnerabilities in 2021; however, they were most likely exploited by a commercial spyware vendor before that.
The vulnerabilities include CVE-2021-25487, an out-of-bounds read in the modem interface driver that can lead to arbitrary code execution. CISA’s National Vulnerability Database (NVD) warning grades it as ‘high severity’ based on the CVSS score, but Samsung classed it as ‘moderate’ severity. CVE-2021-25489 is a low-severity format string flaw in the same modem interface driver that can result in a denial of service (DoS).
Others include CVE-2021-25394 and CVE-2021-25395, moderate-severity use-after-free bugs in the MFC charger driver, which Samsung fixed in May 2021. The remaining two vulnerabilities, CVE-2021-25371 and CVE-2021-25372, both moderate-severity issues, affect the DSP driver and involve loading arbitrary ELF files and out-of-bounds access, respectively. Samsung patched these two in March 2021.
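For defenders, the practical question is whether a given Samsung device's Android security patch level predates the fixes named above. The following Python script is an added example, not code from the article or from Samsung or CISA: it filters a KEV-style catalogue for Samsung entries (using the real field names of CISA's KEV JSON feed, but with a constructed sample catalogue and placeholder dates) and then compares a device's `ro.build.version.security_patch` value against the fix months the article gives. The fix months for CVE-2021-25487 and CVE-2021-25489 are not stated on the page, so they are recorded as unknown and treated conservatively as unpatched.

```python
"""Added example: cross-check Android security patch levels against the
Samsung fixes discussed in the article.  Fix months come from the article
(March 2021 and May 2021); anything marked None is not stated on the page."""
import json
from datetime import date
from typing import Dict, List, Optional

# Fix months as given in the article; None = month not stated on the page.
# The first of the month is used so a patch level "2021-03-01" counts as fixed.
SAMSUNG_FIXES: Dict[str, Optional[date]] = {
    "CVE-2021-25371": date(2021, 3, 1),   # DSP driver, arbitrary ELF loading
    "CVE-2021-25372": date(2021, 3, 1),   # DSP driver, out-of-bounds access
    "CVE-2021-25394": date(2021, 5, 1),   # MFC charger driver, use-after-free
    "CVE-2021-25395": date(2021, 5, 1),   # MFC charger driver, use-after-free
    "CVE-2021-25487": None,               # modem driver, OOB read (month not on page)
    "CVE-2021-25489": None,               # modem driver, format string (month not on page)
}

# Constructed sample in the shape of CISA's KEV JSON feed.  The dateAdded and
# dueDate values are placeholders, not the real catalogue dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-25487", "vendorProject": "Samsung", "product": "Mobile Devices",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "shortDescription": "Out-of-bounds read in modem interface driver"},
        {"cveID": "CVE-2021-25394", "vendorProject": "Samsung", "product": "Mobile Devices",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "shortDescription": "Use-after-free in MFC charger driver"},
        {"cveID": "CVE-2021-25371", "vendorProject": "Samsung", "product": "Mobile Devices",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "shortDescription": "Arbitrary ELF loading in DSP driver"},
        {"cveID": "CVE-0000-00000", "vendorProject": "OtherVendor", "product": "Placeholder",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "shortDescription": "Unrelated constructed entry"},
    ],
})


def samsung_kev_cves(kev_json: str) -> List[str]:
    """Return the sorted CVE IDs of catalogue entries whose vendor is Samsung."""
    catalog = json.loads(kev_json)
    return sorted(
        entry["cveID"]
        for entry in catalog["vulnerabilities"]
        if entry.get("vendorProject", "").lower() == "samsung"
    )


def parse_patch_level(value: str) -> date:
    """Parse an Android ro.build.version.security_patch string (YYYY-MM-DD)."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def unpatched_cves(patch_level: str, fixes: Dict[str, Optional[date]] = SAMSUNG_FIXES) -> List[str]:
    """CVEs whose fix month is later than the device's patch level.

    A CVE with an unknown fix month is always reported, because a missing
    date must not be read as "already fixed"."""
    level = parse_patch_level(patch_level)
    return sorted(cve for cve, fixed in fixes.items() if fixed is None or level < fixed)


def fleet_report(devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device name -> still-exposed CVEs, given each device's patch level."""
    return {name: unpatched_cves(level) for name, level in devices.items()}


if __name__ == "__main__":
    # Constructed inventory; in practice these values come from
    # `adb shell getprop ro.build.version.security_patch` or an MDM export.
    fleet = {"phone-A": "2021-02-01", "phone-B": "2021-04-01", "phone-C": "2021-12-01"}
    print("Samsung entries in sample catalogue:", samsung_kev_cves(SAMPLE_KEV_JSON))
    for device, cves in fleet_report(fleet).items():
        print(f"{device}: {len(cves)} unresolved -> {cves}")
```

The date comparison is deliberately month-granular: the article only names months, so a device on the April 2021 patch level is treated as covering the March fixes but not the May ones. Replace the None entries with the real dates from Samsung's security bulletin before relying on the output.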
There are no public reports of the vulnerabilities being exploited, but it is likely that a commercial spyware vendor has already taken advantage of them. Google backs up this claim, saying it has evidence that the vulnerabilities were exploited by a commercial spyware vendor.
Google cited a tweet by Maddie Stone, a Google Project Zero researcher, who confirmed that all of the Samsung vulnerabilities were identified as part of the same study and were added to Google’s zero-day exploitation tracker for 2021. Google previously revealed information on three comparable Samsung phone vulnerabilities with 2021 CVEs that were exploited against Android devices by an unknown spyware vendor while they were still zero-days. These three flaws were addressed in March 2021.
This is not the first time that malware merchants have targeted Samsung cellphones. In November 2022, Google published the details of three related Samsung phone vulnerabilities with 2021 CVEs that had been exploited by an unknown spyware vendor.
The sources for this piece include an article in SecurityWeek.