Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google Warns of Samsung Zero-Day Exploited in the Wild

A zero-day vulnerability in Samsung mobile processors has been abused as part of an exploit chain for arbitrary code execution.

Samsung bug bounty program

A zero-day vulnerability in Samsung’s mobile processors has been leveraged as part of an exploit chain for arbitrary code execution, Google’s Threat Analysis Group (TAG) warns.

Tracked as CVE-2024-44068 (CVSS score of 8.1) and patched as part of Samsung’s October 2024 set of security fixes, the issue is described as a use-after-free bug that could be abused to escalate privileges on a vulnerable Android device.

“An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920. A use-after-free in the mobile processor leads to privilege escalation,” a NIST advisory reads.

Samsung’s scarce advisory on CVE-2024-44068 makes no mention of the vulnerability’s exploitation, but Google researcher Xingyu Jin, who was credited for reporting the flaw in July, and Google TAG researcher Clement Lecigene, warn that an exploit exists in the wild.

According to them, the issue resides in a driver that provides hardware acceleration for media functions, and which maps userspace pages to I/O pages, executes a firmware command, and tears down mapped I/O pages.

Because of the bug, the page reference count is not incremented for PFNMAP pages and is only decremented for non-PFNMAP pages when tearing down I/O virtual memory.

This allows an attacker to allocate PFNMAP pages, map them to I/O virtual memory and free the pages, allowing them to map I/O virtual pages to freed physical pages, the researchers explain.

“This zero-day exploit is part of an EoP chain. The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to ‘[email protected]’, probably for anti-forensic purposes,” Jin and Lecigene note.

Advertisement. Scroll to continue reading.

The exploit unmaps the pages, triggers the use-after-free bug, and then uses a firmware command to copy data to the I/O virtual pages, leading to a Kernel Space Mirroring Attack (KSMA) and breaking the Android kernel isolation protections.

While the researchers have not provided details on the observed attacks, Google TAG often discloses zero-days exploited by spyware vendors, including against Samsung devices.

Related: Microsoft: macOS Vulnerability Potentially Exploited in Adware Attacks

Related: Smart TV Surveillance? How Samsung and LG’s ACR Technology Tracks What You Watch

Related: New ‘Unc0ver’ Jailbreak Uses Vulnerability That Apple Said Was Exploited

Related: Proportion of Exploited Vulnerabilities Continues to Drop

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Former Barclay’s CISO Oliver Newbury has joined ransomware protection firm Halcyon as a strategic advisor

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.