Samsung Zero-Day Flaw Actively Exploited in the Wild

Summary: Google’s Threat Analysis Group (TAG) has identified a critical zero-day vulnerability in Samsung mobile processors, tracked as CVE-2024-44068, which can be exploited to escalate privileges on vulnerable Android devices. This vulnerability has been linked to commercial spyware targeting Samsung devices and has been addressed by Samsung through security updates released in October 2024.

Threat Actor: Commercial Spyware Vendors
Victim: Samsung

Key Points:

  • The vulnerability is a use-after-free issue that allows attackers to escalate privileges on affected Android devices.
  • It has been chained with other vulnerabilities to enable arbitrary code execution, particularly targeting Exynos processors.
  • The exploit involves manipulating kernel memory through a series of firmware commands and page table manipulations.
  • Samsung released security updates in October 2024 to address this critical vulnerability.
  • Google TAG’s discovery indicates potential exploitation by commercial spyware vendors against Samsung devices.

Google’s Threat Analysis Group (TAG) warns of a Samsung zero-day vulnerability, tracked as CVE-2024-44068 (CVSS score of 8.1), that is being exploited in the wild.

The vulnerability is a use-after-free issue; attackers could exploit the flaw to escalate privileges on a vulnerable Android device.

The vulnerability resides in Samsung mobile processors and, according to the experts, it has been chained with other vulnerabilities to achieve arbitrary code execution on vulnerable devices.

Samsung addressed the vulnerability with the release of security updates in October 2024.

“A Use-After-Free in the mobile processor leads to privilege escalation.” reads the advisory published by the Korean multinational conglomerate.

The company did not confirm that the vulnerability is actively exploited in the wild.

Affected versions include Exynos 9820, 9825, 980, 990, 850, W920.
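For defenders triaging a fleet, the two facts above (the affected Exynos list and the October 2024 fix) are enough to write a simple exposure check. The script below is an added example, not code from the article, Samsung or Google; it assumes that the fix ships with the `2024-10-01` Android security patch level and that the chipset property on the device reads like `exynos9820`. Both are assumptions, as are the constructed sample values at the bottom.

```shell
#!/bin/sh
# Added example (not from the article, Samsung or Google): decide whether a
# Samsung device still needs the October 2024 update for CVE-2024-44068.
# Assumptions: the fix is carried by the 2024-10-01 security patch level, and
# the chipset string looks like "exynos9820" (possibly with spaces or capitals).

# Exynos parts the advisory lists as affected, in normalised form.
AFFECTED_CHIPSETS="exynos9820 exynos9825 exynos980 exynos990 exynos850 exynosw920"
FIX_PATCH_LEVEL="2024-10-01"   # assumed patch level that carries the fix

# Lowercase the chipset string and drop spaces, underscores and hyphens.
normalize_chipset() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' _-'
}

# Return 0 when the chipset is on the affected list, 1 otherwise.
is_affected_chipset() {
    chip=$(normalize_chipset "$1")
    for c in $AFFECTED_CHIPSETS; do
        [ "$chip" = "$c" ] && return 0
    done
    return 1
}

# Return 0 when patch level $1 (YYYY-MM-DD) is older than the fix level.
# Dates are compared as integers after stripping the dashes; an empty or
# malformed value is treated as "older" so an unknown device is not waved through.
patch_is_older() {
    p=$(printf '%s' "$1" | tr -d -)
    f=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d -)
    case "$p" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$p" -lt "$f" ]
}

# Return 0 only when the device is both an affected chipset and unpatched.
device_exposed() {
    is_affected_chipset "$1" && patch_is_older "$2"
}

# Print a one-line verdict for a chipset / patch-level pair; always returns 0.
assess_device() {
    if ! is_affected_chipset "$1"; then
        echo "not-affected: chipset '$1' is not in the advisory list"
    elif patch_is_older "$2"; then
        echo "EXPOSED: $1 at patch level '$2' predates $FIX_PATCH_LEVEL"
    else
        echo "patched: $1 at patch level $2"
    fi
    return 0
}

# Stand-alone run: with --adb read the two properties from a connected device
# (real property names; exact values vary by model), otherwise use constructed samples.
if [ "${1:-}" = "--adb" ]; then
    chip=$(adb shell getprop ro.hardware.chipset | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    assess_device "$chip" "$patch"
else
    assess_device "Exynos 9820" "2024-09-01"   # constructed: exposed
    assess_device "exynos990" "2024-10-01"     # constructed: patched
    assess_device "exynos2100" "2024-05-01"    # constructed: not on the list
fi
```

Run it with `--adb` against a device in developer mode, or feed it the property values collected by an MDM export. The empty-patch-level case deliberately counts as exposed, because a missing value is the usual symptom of a device that is not reporting at all.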

The vulnerability was discovered by the researchers Xingyu Jin from Google Devices & Services Security Research and Clement Lecigene from Google Threat Analysis Group.

The fact that Google TAG discovered the flaw suggests that commercial spyware vendors may have used the exploit to target Samsung devices.

The advisory published by Google Project Zero warns of the availability of a zero-day exploit that is part of an Elevation of Privilege chain.

“This 0-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to “[email protected]”, probably for anti-forensic purposes.” states Google Project Zero.

Google researchers explained that the issue resides in a driver that provides hardware acceleration for media functions like JPEG decoding and image scaling.

“By interacting with the IOCTL M2M1SHOT_IOC_PROCESS, the driver which provides hardware acceleration for media functions like JPEG decoding and image scaling may map the userspace pages to I/O pages, execute a firmware command and tear down mapped I/O pages.” continues Google Project Zero.

The exploit works by unmapping PFNMAP pages, causing a use-after-free vulnerability, where I/O virtual pages may map to freed physical memory. Then the exploit code uses a specific firmware command to copy data, potentially overwriting a page middle directory (PMD) entry in a page table. This can lead to a Kernel Space Mirroring Attack (KSMA) by spamming page tables, manipulating kernel memory, and exploiting the freed pages.


Pierluigi Paganini

(SecurityAffairs – hacking, Samsung)
Source: https://securityaffairs.com/170119/security/samsung-zero-day-activey-exploited.html