Samsung Mobile Devices Improper Input Validation Vulnerability - 20230703002
Overview
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Assuming radio permission is gained, missing input validation in the modem interface driver prior to SMR Oct-2021 Release 1 results in a format string bug leading to a kernel panic.
What is the vulnerability?
CVE-2021-25489 - CVSS v3 Base Score: 5.5
What is vulnerable?
The vulnerability exists in the following products:
- Exynos devices O(8.1), P(9.0), Q(10.0), R(11.0)
What has been observed?
CISA added this vulnerability to their Known Exploited Vulnerabilities catalog on 29 June 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of two weeks as per E8 (refer to Patch Management):
- https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10
- https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide