Samsung Mobile Devices Unspecified Vulnerability - 20230703005
Overview
An improper boundary check in the DSP driver prior to SMR Mar-2021 Release 1 allows out-of-bounds memory access (the CWE-787 out-of-bounds write pattern). The driver writes data past the end, or before the beginning, of the intended buffer: it modifies an index or performs pointer arithmetic that references a memory location outside the buffer's bounds, and a subsequent write operation then produces undefined or unexpected results. Typically this results in data corruption, a crash, or code execution.
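The bug class described above, as an added generic illustration in C. This is not the Samsung DSP driver's code (the page does not reproduce it) and the buffer size, request fields and function names are hypothetical; it shows an offset-only boundary check beside the two common ways of "fixing" it, one of which is still wrong because the end-of-range arithmetic can wrap:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size kernel-side buffer, standing in for whatever a
 * driver backs its user-controlled writes with. Not the real driver layout. */
#define DSP_BUF_SIZE 64u
static uint8_t dsp_buf[DSP_BUF_SIZE];

/* Constructed sample payload for the demo. */
const uint8_t sample_payload[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04};

/* Improper boundary check: only the start offset is validated, so a request
 * with a valid offset but a large length runs the write past the end of
 * dsp_buf. Returns 1 if the request would be accepted. */
int vulnerable_check(uint32_t offset, uint32_t len)
{
    (void)len;
    return offset < DSP_BUF_SIZE;
}

/* Still wrong: checks the end of the range, but offset + len is computed in
 * 32-bit unsigned arithmetic and wraps around to a small value, so an
 * attacker-chosen len near UINT32_MAX slips through. */
int naive_check(uint32_t offset, uint32_t len)
{
    return offset + len <= DSP_BUF_SIZE;
}

/* Correct check: reject an out-of-range start first, then compare len against
 * the space that remains. The subtraction cannot underflow because offset has
 * already been shown to be below DSP_BUF_SIZE. */
int hardened_check(uint32_t offset, uint32_t len)
{
    if (offset >= DSP_BUF_SIZE)
        return 0;
    if (len > DSP_BUF_SIZE - offset)
        return 0;
    return 1;
}

/* Performs the copy only after the hardened check. Returns 0 on success and
 * -1 when the request is rejected; never touches memory outside dsp_buf. */
int dsp_write(uint32_t offset, const uint8_t *data, uint32_t len)
{
    if (!hardened_check(offset, len))
        return -1;
    memcpy(dsp_buf + offset, data, len);
    return 0;
}

int main(void)
{
    /* Constructed requests: one overruns by length, one by wraparound,
     * one is a legitimate full-buffer write. */
    struct { uint32_t offset, len; } reqs[] = {
        {60u, 8u},          /* valid start, range ends 4 bytes past the buffer */
        {60u, 0xFFFFFFF0u}, /* offset + len wraps to 44, "fits" by naive_check */
        {0u, 64u},          /* exactly fills the buffer, must be accepted */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        printf("offset=%" PRIu32 " len=%" PRIu32
               "  vulnerable=%d naive=%d hardened=%d\n",
               reqs[i].offset, reqs[i].len,
               vulnerable_check(reqs[i].offset, reqs[i].len),
               naive_check(reqs[i].offset, reqs[i].len),
               hardened_check(reqs[i].offset, reqs[i].len));
    }
    return 0;
}
```

The offset-only check is the pattern the CWE text describes: the index is in range, but the write that follows it is not. The naive end-of-range check is the fix most often attempted, and it reintroduces the same problem through integer wraparound, which is why the hardened form compares the length against the remaining space instead of summing.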
What is the vulnerability?
CVE-2021-25372 - CVSS v3 Base Score: 6.7
What is vulnerable?
The vulnerability exists in the following products:
- Q(10.0), R(11.0) devices with exynos980, exynos2100, exynos9830
What has been observed?
CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on 29 June 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the fix as per vendor instructions to all affected devices within the expected timeframe of two weeks, as per the Essential Eight (refer to Patch Management). The fix shipped in SMR Mar-2021 Release 1, so affected devices whose Android security patch level reports March 2021 or later already include it; any device on the listed chipsets still reporting an earlier patch level should be updated:
- https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=10
- https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide