Active Exploitation of Samsung Zero-Day Vulnerability: An Alert from Google’s Threat Analysis Group
October 22, 2024
Google's Threat Analysis Group (TAG) has alerted the public to a zero-day vulnerability in Samsung mobile processors, tracked as CVE-2024-44068. This flaw, which has a CVSS score of 8.1, is currently being exploited. The vulnerability is a use-after-free issue, which could be leveraged by attackers to escalate privileges on an Android device that is vulnerable.
Experts note that the vulnerability has been chained with other vulnerabilities to carry out arbitrary code execution on vulnerable devices. Samsung has responded to the vulnerability by releasing security updates in October 2024. The advisory published by Samsung, a multinational conglomerate based in Korea, states, “A Use-After-Free in the mobile processor leads to privilege escalation.” However, Samsung did not confirm that the vulnerability is being actively exploited.
The vulnerability affects Exynos processors including the 9820, 9825, 980, 990, 850 and W920. Researchers Xingyu Jin from Google Devices & Services Security Research and Clément Lecigne from Google's Threat Analysis Group discovered the vulnerability. The discovery by Google TAG suggests that commercial spyware vendors could have used the exploit to target Samsung devices.
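A fleet administrator's first question is which devices still need the October 2024 update. The following triage helper, added here as an example rather than code from Samsung or Google, takes the two Android system properties that identify the SoC and the patch level (`ro.board.platform` and `ro.build.version.security_patch`, as printed by `adb shell getprop`) and classifies a device against the affected list above. It assumes that `ro.board.platform` names the SoC as `exynos<model>` (for the W920 the spelling `exynosw920` is an assumption) and that Samsung's October 2024 release carries security patch level 2024-10-01; the getprop output is constructed.

```python
"""Patch-level triage for CVE-2024-44068 on Samsung Exynos devices.

Added example; not Samsung's or Google's code. Assumptions are marked."""
import re
from datetime import date

# Affected SoCs named in the article. Assumption: ro.board.platform reports
# them as 'exynos9820', 'exynos990', ..., and the watch SoC as 'exynosw920'.
AFFECTED_EXYNOS = {"9820", "9825", "980", "990", "850", "w920"}

# Assumption: Samsung's October 2024 update carries SPL 2024-10-01.
FIX_SPL = date(2024, 10, 1)

# Constructed sample of `adb shell getprop` output (real key names, made-up values).
SAMPLE_GETPROP = """\
[ro.board.platform]: [exynos9820]
[ro.build.version.security_patch]: [2024-09-01]
[ro.product.model]: [SM-XXXX-PLACEHOLDER]
"""


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\[(.+?)\]: \[(.*)\]", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_spl(value):
    """ro.build.version.security_patch is 'YYYY-MM-DD'."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        raise ValueError(f"unexpected security patch level: {value!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def exynos_model(platform):
    """Return '9820', 'w920', ... for an Exynos platform string, else None."""
    m = re.fullmatch(r"exynos(w?\d+)", platform.strip().lower())
    return m.group(1) if m else None


def assess(platform, spl):
    """Classify one device: not-exynos / exynos-not-listed / needs-update / patched."""
    model = exynos_model(platform)
    if model is None:
        return "not-exynos"
    if model not in AFFECTED_EXYNOS:
        return "exynos-not-listed"
    return "patched" if parse_spl(spl) >= FIX_SPL else "needs-update"


def assess_props(props):
    """Convenience wrapper over a parsed getprop dict."""
    return assess(props.get("ro.board.platform", ""),
                  props.get("ro.build.version.security_patch", "1970-01-01"))


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print(props.get("ro.board.platform"), props.get("ro.build.version.security_patch"),
          "->", assess_props(props))
```

The SoC check matters because the fix is shipped per device model: a Snapdragon variant of the same phone is outside the affected list, while an Exynos unit on a pre-October patch level should be treated as exposed until updated.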
Google Project Zero's advisory warns of an available zero-day exploit that is part of an Elevation of Privilege chain. “This 0-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to '[email protected]', probably for anti-forensic purposes,” Google Project Zero states.
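The renaming described in that quote changes the name the kernel reports for the process (what `/proc/<pid>/comm` and the command line show) but not the `/proc/<pid>/exe` link, which still points at the binary that was actually executed. The following detection heuristic, added here as an example and not code from Google or Samsung, flags processes whose reported name does not match the basename of their executable, allowing for the kernel's 15-character limit on `comm`. The snapshot below is constructed; `collect_live()` reads a real `/proc` when run on Linux or Android with sufficient privileges.

```python
"""Flag processes whose kernel-visible name disagrees with their executable.

Added example; the /proc snapshot is constructed, not captured from a device."""
import os

TASK_COMM_LEN = 15  # Linux truncates /proc/<pid>/comm to 15 bytes

# Constructed snapshot of what an endpoint agent would collect per pid.
# The renamed entry uses an obviously fake name; the real name used by the
# exploit is not reproduced here.
SNAPSHOT = [
    {"pid": 1234, "comm": "cameraserver", "exe": "/system/bin/cameraserver"},
    {"pid": 2001, "comm": "fake-vendor-svc", "exe": "/system/bin/cameraserver"},
    {"pid": 3000, "comm": "surfaceflinger", "exe": "/system/bin/surfaceflinger"},
    # Legitimately long name: comm is the truncated basename, so not suspicious.
    {"pid": 4100, "comm": "android.hardwar", "exe": "/vendor/bin/hw/android.hardware.example"},
]


def comm_matches_exe(comm, exe):
    """True when comm is the executable basename, truncated the way the kernel does."""
    expected = os.path.basename(exe).encode()[:TASK_COMM_LEN].decode(errors="ignore")
    return comm == expected


def find_renamed(snapshot):
    """Return pids whose comm does not correspond to their exe path."""
    return [p["pid"] for p in snapshot if not comm_matches_exe(p["comm"], p["exe"])]


def collect_live():
    """Build a snapshot from a real /proc (Linux/Android); unreadable pids are skipped."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().rstrip("\n")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # kernel threads, exited pids, or insufficient privilege
        out.append({"pid": int(name), "comm": comm, "exe": exe})
    return out


if __name__ == "__main__":
    print("renamed in constructed snapshot:", find_renamed(SNAPSHOT))
```

On a real system the mismatch list needs tuning: interpreters and launchers (`app_process`, shells running scripts) legitimately set their own names, so allow-listing known exe paths keeps the alert focused on system daemons such as cameraserver that should never change their name.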
The vulnerability is in a driver that provides hardware acceleration for media functions like JPEG decoding and image scaling. Google researchers explain, “By interacting with the IOCTL M2M1SHOT_IOC_PROCESS, the driver which provides hardware acceleration for media functions like JPEG decoding and image scaling may map the userspace pages to I/O pages, execute a firmware command and tear down mapped I/O pages.”
The exploit operates by unmapping PFNMAP pages, resulting in a use-after-free condition in which I/O virtual pages may still map to freed physical memory. The exploit code then uses a specific firmware command to copy data, potentially overwriting a page middle directory (PMD) entry in a page table. This could lead to a Kernel Space Mirroring Attack (KSMA) by spraying page tables, manipulating kernel memory, and exploiting the freed pages.