Samsung began rolling out patches over the weekend to fix six critical bugs found in its flagship Android handsets as part of its May patch bulletin. Flaws range from a remote code execution bug to a buffer overflow vulnerability, plus a peek-and-poke command bug that leaves memory locations open on targeted devices.
All six of Samsung’s critical vulnerabilities patched this month were identified in Google’s April Android Security Bulletin. Google released its May Android Security Bulletin last week. In all, Samsung disclosed and patched 27 vulnerabilities, 21 identified as high severity.
Five of the critical bugs are tied to Qualcomm and the Snapdragon processors used in Samsung handsets; they also affect the chipmaker’s Snapdragon Wear and Snapdragon Automotive platforms. Impacted Samsung models include the Galaxy S9, Note 8 and S8 phones.
One critical vulnerability is an RCE bug (CVE-2017-13292) identified by Google last month that could “enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” The flaw, which has a CVSS score of 9.8, is tied to a third-party Broadcom wireless chipset driver (bcmdhd).
Another vulnerability (CVE-2017-18128), which is still undergoing analysis, also has a CVSS score of 9.8. That bug is described by the National Vulnerability Database as “improper access control while configuring MPU (Memory Protection Unit) protecting error correction registers may potentially lead to exposure of related secured data.”
An additional bug (CVE-2017-18146) affects Samsung handsets and the Elliptic Curve Digital Signature Algorithm (ECDSA) signature verification component. ECDSA is a variant of the Digital Signature Algorithm and is often used by Android devices to verify the authenticity and maintain the integrity of SMS messages, according to an IEEE abstract.
“In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear… in some corner cases, ECDSA signature verification can fail,” according to the NVD description of the CVE.
The “peek and poke” portion of the CVE-2018-3591 vulnerability refers to a technique most often referenced in ancient (i.e., circa 1980s) computer systems where a user is able to “peek” into a memory address and “poke” it, meaning change the value.
The peek-and-poke vulnerability is described as impacting the Snapdragon Mobile platform where the “default build configuration of device programmer in BOOT.BF.3.0 enables the flag SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM which will open up the peek and poke commands to any memory location on the target.”
The CVEs outlined by Samsung also impact a number of other Android devices, including the Google Pixel 2, HTC U11, LG V30 and second-generation Motorola Moto Z Force, to name a few.