Samsung & Android Security Fixes

Lookout Coverage and Recommendation for Admins

Lookout provides multilayered protection for devices that are exploitable through multiple vectors and could be compromised. To ensure your devices aren’t exposed to the vulnerabilities listed above, please ensure that these devices have their security patch levels updated. Samsung fixes were in 2021 security fixes and the rest of the exploited vulnerability list is fixed in Android’s July security patch level. Lookout highly recommends keeping security patch level updates on auto update. The other manufacturer’s are following up on releasing their security fixes and those should be applied to devices as soon as they are available.

Lookout admins should set default Out of Date SPL policy to have a minimum security patch level of July 2023. They can then choose whether to advise or alert the user that the device is out of compliance or block access to enterprise resources until security patch level is updated.

They can also utilise the escalation feature to auto update the severity, if not updated.

CISA is requiring all government organizations to update to the patched versions of Samsung devices by July 20th, 2023. The Android update must be applied by July 28th, 2023.

Overview

CISA announced 7 actively exploited vulnerabilities recently which were fixed by the vendors over the time. The first set refers to the software vulnerabilities affecting Samsung devices while the second set belongs to all Android devices.

Samsung specific vulnerabilities (also part of CISA guidelines to fix by July 20th, 2023):

1. CVE-2021-25487: High severity, Out-of-bounds read vulnerability, leads to arbitrary code execution, fixed in Oct’21.
2. CVE-2021-25489: Low severity, format string bug in modem interface driver, fixed in October 2021
3. CVE-2021-25394 and CVE-2021-25395: Medium severity, use after free bugs in MFC charger driver, fixed in May’21
4. CVE-2021-25371: Medium severity, allows attacker to load arbitrary ELF files inside DSP driver, fixed in Mar’21
5. CVE-2021-25372: Medium severity, out-of-bounds access vulnerability in DSP driver, fixed in Mar’21

Android released two new security patch releases in July covering 3 actively exploited vulnerabilities amongst 46 new software security fixes. The three actively exploited ones are:

1. CVE-2023-26083: memory leak bug with known instances of exploit in Samsung devices (part of CISA guidelines to fix by July 28th, 2023)
2. CVE-2021-29256: use after free vulnerability allowing attacker to gain root privileges and gather sensitive data
3. CVE-2023-2136: A critical severity Google Skia bug which was also addressed in Google Chrome April release

‍

Lookout Analysis

All the vulnerabilities listed above are something which have been found to be actively exploited. While the Samsung fixes were available to the devices in March to October 2021 releases, the two android security patches were released in July 2023 fixing 46 software vulnerabilities of varying severity. Aside from the 3 listed above, the fixes also include a few other notable ones like CVE- 2023-21250, affecting the Android System component, which can cause remote code execution without user interaction or additional execution privileges, making it particularly precarious.