The US Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen flaws affecting Samsung smartphones to its Known Exploited Vulnerabilities Catalog, and they have all likely been exploited by a commercial spyware vendor.
CISA added eight new vulnerabilities to its catalog on Thursday, including two D-Link router and access point vulnerabilities exploited by a Mirai botnet variant. The six remaining security holes impact Samsung mobile devices and they were all patched by the technology giant in 2021.
The vulnerabilities include CVE-2021-25487, an out-of-bounds read in the modem interface driver that can lead to arbitrary code execution, fixed in October 2021. Samsung has classified the bug as ‘moderate’, but its NVD advisory rates it ‘high severity’ based on its CVSS score.
The same October 2021 round of patches also addresses CVE-2021-25489, a low-severity format string bug in the modem interface driver that can lead to a DoS condition.
CISA also added CVE-2021-25394 and CVE-2021-25395, moderate-severity use-after-free bugs in the MFC charger driver. Both were fixed by Samsung in May 2021.
The remaining two are CVE-2021-25371, a moderate-severity issue that can allow an attacker to load arbitrary ELF files inside the DSP driver, and CVE-2021-25372, a moderate-severity out-of-bounds access vulnerability in the same driver. Both were patched in March 2021.
Samsung does not appear to have updated its old advisories to warn users about the exploitation of the vulnerabilities.
There are no public reports describing exploitation of the Samsung mobile device vulnerabilities added to CISA’s ‘must-patch’ list this week. However, they have likely been exploited by a commercial spyware vendor.
Samsung and CISA recently warned users about CVE-2023-21492, a kernel pointer exposure issue related to log files that can allow a privileged local attacker to bypass the ASLR exploit mitigation technique.
Google, whose researchers discovered CVE-2023-21492, noted that the vulnerability has been known since 2021.
In addition, in November 2022, Google disclosed the details of three similar Samsung phone vulnerabilities with 2021 CVEs that have been exploited by an unnamed spyware vendor against Android devices, including while they still had a zero-day status.
The three vulnerabilities disclosed in November 2022 were patched in March 2021. In addition, Google said at the time that it had been aware of half a dozen other Samsung vulnerabilities with 2021 CVE identifiers that have been exploited in attacks. This reinforces the theory that the flaws added by CISA this week to its catalog were exploited by spyware vendors whose activities have been monitored by Google.
SecurityWeek has reached out to Google for confirmation.
UPDATE: In response to SecurityWeek’s inquiry, Google pointed to a tweet from Google Project Zero researcher Maddie Stone. The tweet confirms that all the Samsung vulnerabilities were discovered as part of the same research. They were added to Google’s zero-day exploitation tracker for the year 2021.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
