Vulnerability in Samsung’s SW Update Tool Exposes Systems to Man-in-the-middle Attacks
Samsung has released an update for its SW Update Tool that resolves a man-in-the-middle (MiTM) vulnerability affecting Windows-based laptops.
Designed to analyze the system drivers of a computer and install relevant software, Samsung’s SW Update Tool was found to include a flaw that could result in integrity corruption of the transferred data, as well as in information leak and arbitrary code execution.
According to researchers from Core Security, the tool does not perform appropriate verification of the packages it downloads on the target computer. This remotely exploitable vulnerability was found and tested on version 126.96.36.199 of the SW Update Tool, but other products and versions might be affected too, researchers say.
The SW Update Tool can be used on both Samsung and non-Samsung machines to determine which updates users should install. On some Samsung systems, the tool can automatically detect the model of hardware, while on others, as well as on non-Samsung computers, it requires the user to specify the model they would like to download drivers for.
To perfom updates, the tool uses an XML file, which includes the name and model ID for which the drivers are being requested, and also includes a tag called 'FURL,' which has the URL of the file that will be downloaded and executed by the application, Core Security explained.
Once the necessary files are found, the user is presented with the available driver updates and, after the they have been downloaded, users can launch an automatic install process from within the SW Update Tool., however, the SW Update Tool does not not perform verification of the downloaded files.
Although there are a series of “controls” within the XML file, an attacker could easily disable them by manipulating the file, while also being able to modify the returning XML file to achieve code execution on the victim's machine.
Core Security CoreLabs Team researcher Joaquin Rodriguez Varela discovered the vulnerability in January, when he informed Samsung on the matter, and the vendor released the patch for the tool in early March. However, it appears that some users might not be able to connect to the company’s servers as of yet, since they are transitioning to the more secure HTTPS protocol.
Samsung informed Core Security that users with older versions of the client-side application that still uses HTTP won’t be able to connect to its servers as they move to HTTPS. However, the company is looking to resolve the issue in the next few months by pushing the updated tool to all users while still keeping HTTP active on its server.
In the meantime, Samsung SW Update Tool users are advised to download the latest version of the application from Samsung’s website to ensure they are protected.
Intel’s Driver Update Utility received an update in January this year to resolve an information disclosure flaw identified by researchers at Core Security. In November, Lenovo released a new version of its System Update software (previously known as ThinkVantage System Update) to address a couple of privilege escalation vulnerabilities discovered by an IOActive researcher.