Pierluigi Paganini October 22, 2024

Google’s Threat Analysis Group (TAG) researchers warn of a Samsung zero-day vulnerability that is exploited in the wild.

Google’s Threat Analysis Group (TAG) warns of a Samsung zero-day vulnerability, tracked as CVE-2024-44068 (CVSS score of 8.1), which is exploited in the wild.

The vulnerability is a use-after-free issue, attackers could exploit the flaw to escalate privileges on a vulnerable Android device.

A vulnerability resides in Samsung mobile processors and according to the experts, it has been chained with other vulnerabilities to achieve arbitrary code execution on vulnerable devices.

Samsung addressed the vulnerability with the release of security updates in October 2024

“A Use-After-Free in the mobile processor leads to privilege escalation.” reads the advisory published by the Korean multinational conglomerate.

The company did not confirm that the vulnerability is actively exploited in the wild.

Affected versions include Exynos 9820, 9825, 980, 990, 850, W920.

The vulnerability was discovered by the researchers Xingyu Jin from Google Devices & Services Security Research and Clement Lecigene from Google Threat Analysis Group.

The fact that Google TAG discovered the flaw suggests that commercial spyware vendors may have used the exploit to target Samsung devices.

The advisory published by Google Project Zero warns of the availability of a zero-day exploit that is part of an Eòlevation of Privilege chain.

“This 0-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to “vendor.samsung.hardware.camera.provider@3.0-service”, probably for anti-forensic purposes.” states Google Project Zero.

Google researchers reported that the vulnerability explained that the issue resides in a driver that provides hardware acceleration for media functions like JPEG decoding and image scaling.

“By interacting with the IOCTL M2M1SHOT_IOC_PROCESS, the driver which provides hardware acceleration for media functions like JPEG decoding and image scaling may map the userspace pages to I/O pages, execute a firmware command and tear down mapped I/O pages.” continues Google Project Zero.

The exploit works by unmapping PFNMAP pages, causing a use-after-free vulnerability, where I/O virtual pages may map to freed physical memory. Then the exploit code uses a specific firmware command to copy data, potentially overwriting a page middle directory (PMD) entry in a page table. This can lead to a Kernel Space Mirroring Attack (KSMA) by spamming page tables, manipulating kernel memory, and exploiting the freed pages.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Samsung)