The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities Catalog to include six vulnerabilities affecting Samsung smartphones. These flaws are suspected to have been exploited by a commercial spyware vendor. In addition to these, CISA also added two D-Link router and access point vulnerabilities that have been exploited by a Mirai botnet variant.
The six Samsung vulnerabilities were all patched by the tech giant in 2021. They include CVE-2021-25487, an out-of-bounds read in the modem interface driver that can lead to arbitrary code execution, fixed in October 2021. Samsung rated this bug as 'moderate', however, its NVD advisory classified it as 'high severity' based on CVSS score. CVE-2021-25489, a low-severity format string bug in the modem interface driver that can lead to a DoS condition, was also addressed in the October 2021 patch.
CISA's list also includes CVE-2021-25394 and CVE-2021-25395, moderate-severity use-after-free bugs in the MFC charger driver, both of which were patched by Samsung in May 2021. The final two are CVE-2021-25371, a moderate-severity issue that can allow an attacker to load arbitrary ELF files inside the DSP driver, and CVE-2021-25372, a moderate-severity out-of-bounds access vulnerability in the same driver, both patched in March 2021.
Samsung has not updated its old advisories to warn users about the exploitation of these vulnerabilities. There are no public reports describing the exploitation of the Samsung mobile device vulnerabilities added to CISA's 'must-patch' list this week. However, they are believed to have been exploited by a commercial spyware vendor.
Samsung and CISA recently alerted users about CVE-2023-21492, a kernel pointer exposure issue related to log files that can allow a privileged local attacker to bypass the ASLR exploit mitigation technique. Google researchers, who discovered CVE-2023-21492, noted that the vulnerability has been known since 2021.
In November 2022, Google revealed three similar Samsung phone vulnerabilities with 2021 CVEs that have been exploited by an unnamed spyware vendor against Android devices, including while they still had a zero-day status. These three vulnerabilities were patched in March 2021. Google also mentioned it was aware of six other Samsung vulnerabilities with 2021 CVE identifiers that have been exploited in attacks, supporting the theory that the flaws added by CISA this week to its catalog were exploited by spyware vendors monitored by Google. A confirmation from Google is awaited.