CISA Warns of Samsung ASLR Bypass Flaw Exploited in Attacks

Cyber Security Threat Summary:
“CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits” (Bleeping Computer, 2023).

The flaw, tracked as CVE-2023-21492, impacts Samsung mobile devices running Android 11, 12, and 13, and is the result of sensitive information (kernel pointers) being inserted into log files. Using the exposed information could allow a local attacker with high privileges to conduct an ASLR bypass, which could then enable the exploitation of memory-management vulnerabilities.

In this month's security updates, Samsung has addressed this issue by ensuring that the kernel pointers are no longer printed in log files. "Samsung was notified that an exploit for this issue had existed in the wild," the company says in the May 2023 Security Maintenance Release (SMR) advisory.
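The weakness described above is a log-hygiene problem: raw kernel virtual addresses written to a readable log tell a local process where kernel code and data live, which is exactly what ASLR is meant to hide. The following added example (not code from the advisory, Samsung, or Bleeping Computer) is a small defender-side check that scans log lines for tokens that look like arm64 kernel pointers and shows the redaction a logging path should apply before such values reach a log. The log lines are constructed for illustration, the addresses in them are made up, and the regex is a heuristic based on the fact that arm64 kernel addresses occupy the upper half of the address space (leading `ffff`); the real log format and the specific leak path from the advisory are not on the page and are not assumed here.

```python
import re
from typing import Dict, List

# Constructed sample log in a logcat-like layout. None of these lines come
# from Samsung or the advisory; every address is invented. arm64 kernel
# virtual addresses sit in the upper half of the address space, so they
# begin with 0xffff; a hashed pointer (as printed by a hardened logging
# path) does not have that shape and should not be flagged.
SAMPLE_LOG = """\
01-01 12:00:00.001  1234  1234 I SomeService: started
01-01 12:00:00.002     0     0 W kernel  : [  12.345678] foo: handler at 0xffffffc010a3b2d0
01-01 12:00:00.003     0     0 W kernel  : [  12.345679] bar: buf=ffffff80123c4000 len=4096
01-01 12:00:00.004     0     0 I kernel  : [  12.345680] baz: ptr=00000000b2e4c1a7 (hashed)
01-01 12:00:00.005  4321  4321 D App     : user_id=42 session=0x1f3a
"""

# Heuristic: an optional 0x prefix, then 16 hex digits whose first four are
# ffff (a 64-bit address in the kernel half of the address space).
KERNEL_PTR_RE = re.compile(r"\b(?:0x)?(ffff[0-9a-f]{12})\b", re.IGNORECASE)


def find_kernel_pointers(line: str) -> List[str]:
    """Return every kernel-pointer-like token found in one log line."""
    return [m.group(1).lower() for m in KERNEL_PTR_RE.finditer(line)]


def scan_log(text: str) -> List[Dict]:
    """Scan a whole log; each finding records the line number, the
    suspicious tokens and the original text so an analyst can triage it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        ptrs = find_kernel_pointers(line)
        if ptrs:
            findings.append({"line": lineno, "pointers": ptrs, "text": line})
    return findings


def redact_kernel_pointers(line: str) -> str:
    """The mitigation side: replace raw kernel addresses with a fixed
    marker before the line is written anywhere a local process can read."""
    return KERNEL_PTR_RE.sub("<kptr-redacted>", line)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: leaked {f['pointers']}")
        print("  redacted:", redact_kernel_pointers(f["text"]))
```

Run against a device's exported logs, a hit on a line that a low-privilege process can read is the signal worth investigating; a clean run is not proof of absence, since the heuristic only covers the upper-half address shape and will miss pointers printed in other encodings.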

Security Officer Comments:
Samsung did not provide specific examples of the exploitation reported in the wild, but they did note that the security issue was used as part of a complex exploit chain targeting the United Arab Emirates (UAE).

“As Google's Threat Analysis Group (TAG) and Amnesty International revealed in March, two recent series of attacks employing exploit chains of Android, iOS, and Chrome flaws were used to install commercial spyware, with one of them abusing the CVE-2023-21492 bug. The attackers deployed a C++ based Android spyware suite capable of decrypting and extracting data from multiple chat and browser apps” (Bleeping Computer, 2023).

According to Amnesty International’s Security Labs, this spyware campaign has been active since at least 2020, and targeted mobile devices and users of Google’s Android operating system. "The spyware and zero-day exploits were delivered from an extensive network of more than 1000 malicious domains, including domains spoofing media websites in multiple countries."

Suggested Correction(s):
U.S. Federal Civilian Executive Branch (FCEB) agencies have been given a three-week deadline, until June 9, to secure their Samsung Android devices against attacks exploiting CVE-2023-21492 after CISA added the vulnerability on Friday to its Known Exploited Vulnerabilities (KEV) catalog. This is in line with Binding Operational Directive 22-01, issued in November 2021, which requires federal agencies to address all flaws added to CISA's KEV list before their deadlines expire. While the directive applies only to U.S. federal agencies, private companies are strongly encouraged to prioritize the vulnerabilities in CISA's list of bugs exploited in attacks as well.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

Link(s):
https://www.bleepingcomputer.com/