High-Risk Zero-Day Vulnerability Exposed in Samsung Devices, Already Exploited in the Wild

Google's Threat Analysis Group (TAG) has warned that a Samsung zero-day vulnerability, tracked as CVE-2024-44068 (CVSS score 8.1), has been observed being exploited.

An attacker could exploit the vulnerability to escalate privileges on an Android device. Experts say the flaw exists in Samsung mobile processors and has been chained with other vulnerabilities to enable arbitrary code execution on vulnerable devices.

Samsung officially released a security update in October this year to address the vulnerability. The advisory read: "Use-After-Free in mobile processors can lead to privilege escalation." The company has not confirmed that the vulnerability is actively exploited in the wild.

The chipsets affected by this vulnerability include the Exynos 9820, 9825, 980, 990, 850 and W920.

The vulnerability was first discovered by researchers Xingyu Jin from Google's Devices and Services Security Research department and Clément Lecigne from Google's Threat Analysis Group.

The fact that Google TAG discovered the vulnerability suggests that commercial spyware vendors may have used it to target Samsung devices. The advisory published by Google Project Zero warns that the zero-day is part of a privilege escalation chain in which the actor is able to execute arbitrary code in a privileged process. The exploit also renames its own process to "vendor.samsung.hardware.camera.provider@3.0-service", probably for anti-forensic purposes.
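A process can change the name it advertises (its comm or argv[0]), but it cannot change what /proc/<pid>/exe points to without exec'ing a new binary. That makes a name-versus-binary comparison a cheap triage check for the impersonation described above. The following is an added example, not code from the article, Google or Samsung; the records it scans are constructed sample data, and the file paths in them are assumptions chosen for illustration.

```c
/* Added example: flag processes whose advertised name does not match the
 * executable they actually run. Sample records are constructed, not a real
 * capture; paths are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

struct proc_rec {
    int pid;
    const char *cmdline;  /* argv[0] as read from /proc/<pid>/cmdline */
    const char *exe;      /* target of readlink("/proc/<pid>/exe") */
};

/* Return the final path component of a path (or the whole string if no '/'). */
static const char *basename_of(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 1 if the advertised name and the binary on disk disagree, else 0. */
int name_mismatch(const struct proc_rec *r) {
    return strcmp(basename_of(r->cmdline), basename_of(r->exe)) != 0;
}

/* Scan records, report each suspicious one, and return how many were flagged. */
int scan_procs(const struct proc_rec *recs, size_t n) {
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (name_mismatch(&recs[i])) {
            printf("pid %d claims \"%s\" but runs %s\n",
                   recs[i].pid, recs[i].cmdline, recs[i].exe);
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample: one genuine HAL service (name and binary agree) and one
 * impostor that has renamed itself but still runs from a different binary. */
static const struct proc_rec sample[] = {
    {1234, "/vendor/bin/hw/vendor.samsung.hardware.camera.provider@3.0-service",
           "/vendor/bin/hw/vendor.samsung.hardware.camera.provider@3.0-service"},
    {4321, "vendor.samsung.hardware.camera.provider@3.0-service",
           "/data/local/tmp/payload"},   /* assumed path, constructed */
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

int main(void) {
    /* Exit non-zero when anything is flagged, so it can be used in a script. */
    return scan_procs(sample, SAMPLE_LEN) ? 1 : 0;
}
```

On a live Android device the same comparison is made from the output of `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline` over a root shell. Apps forked from zygote legitimately show a package name in cmdline while exe is app_process, so restrict the check to native daemons and HAL binaries (for example, anything claiming a `/vendor/bin/hw/` name) to keep the noise down.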

Google researchers explained in a report that the vulnerability exists in a driver that provides hardware acceleration for media functions such as JPEG decoding and image scaling.

By invoking the driver's M2M1SHOT_IOC_PROCESS ioctl, user space can have it map user-space pages into I/O pages, execute firmware commands against them, and then remove the mapped I/O pages.

The bug is triggered when PFNMAP pages are unmapped, resulting in a use-after-free in which an I/O virtual page may still be mapped to freed physical memory. The exploit code then copies data using specific firmware commands, potentially overwriting a Page Middle Directory (PMD) entry in the page table. This enables a Kernel Space Mirroring Attack (KSMA): by spraying the page tables, the exploit manipulates kernel memory through the freed pages.
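The failure mode above is a lifetime mismatch: the device-side (I/O virtual) mapping outlives the physical page it points to. The model below is an added illustration, not the m2m1shot driver's code and not an exploit; it reduces the article's description to the single invariant a driver must keep, namely that a page stays pinned for as long as an I/O mapping references it. The `pin` flag, the refcount field and the `simulate` harness are all assumptions of this toy model.

```c
/* Added illustrative model (not the real driver): why an I/O mapping must
 * hold a reference on the page it targets. With pin=false the mapping is
 * created without taking a reference, so releasing the user-side mapping
 * frees the page while the I/O side still points at it (use-after-free).
 * With pin=true the page survives until io_unmap() drops the reference. */
#include <stdlib.h>
#include <stdbool.h>

struct page {
    int refcount;   /* simplified page reference count */
    bool freed;     /* true once the page went back to the allocator */
};

struct io_mapping {
    struct page *backing;   /* the I/O virtual page points here */
    bool holds_ref;         /* did io_map() take a reference? */
};

static void page_get(struct page *p) { p->refcount++; }
static void page_put(struct page *p) { if (--p->refcount == 0) p->freed = true; }

/* Create an I/O mapping; the vulnerable variant (pin=false) skips pinning. */
void io_map(struct io_mapping *m, struct page *p, bool pin) {
    m->backing = p;
    m->holds_ref = pin;
    if (pin) page_get(p);
}

/* Tear down the I/O mapping, releasing the reference if one was taken. */
void io_unmap(struct io_mapping *m) {
    if (m->holds_ref && m->backing) page_put(m->backing);
    m->backing = NULL;
}

/* True if the I/O mapping still points at memory that has already been freed. */
bool io_mapping_is_stale(const struct io_mapping *m) {
    return m->backing != NULL && m->backing->freed;
}

/* Simulate the sequence from the article: user space owns a page, the driver
 * maps it for I/O, user space then drops its mapping, and a firmware command
 * would next use the I/O mapping. Returns true if that would touch freed memory. */
bool simulate(bool pin) {
    struct page pg = { .refcount = 1, .freed = false };  /* user mapping's reference */
    struct io_mapping m;
    io_map(&m, &pg, pin);
    page_put(&pg);                            /* user space tears down its mapping */
    bool stale = io_mapping_is_stale(&m);     /* would the firmware command hit freed memory? */
    io_unmap(&m);
    return stale;
}

int main(void) {
    /* Non-zero exit if the unpinned variant is stale (it is) or the pinned one is (it is not). */
    return (simulate(false) && !simulate(true)) ? 0 : 1;
}
```

The defensive takeaway is the ordering in `io_unmap`: a reference is dropped only when the device-side mapping goes away, never when the user-side mapping does, so the page cannot be recycled into another use (such as a page table) while hardware can still write to it.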

Reference source: https://securityaffairs.com/170119/security/samsung-zero-day-activey-exploited.html