A newly discovered Samsung zero-day vulnerability has allegedly been actively exploited in the wild.
Google TAG released an advisory about this flaw, tracked as CVE-2024-44068. The vulnerability is a use-after-free bug that attackers could exploit to gain administrative access on a vulnerable Android device. According to reports, the critical flaw lies in Samsung's mobile processors, and attackers have chained it with additional flaws to achieve arbitrary code execution on susceptible devices.
The affected company has released a patch to address the Samsung zero-day flaw.
The Samsung zero-day already has a security patch, which the affected company released earlier this month. A recent report explained that the use-after-free bug in the mobile processors leads to privilege escalation.
The company has yet to confirm whether malicious actors have started exploiting the flaw in the wild. As of now, the affected chipsets include the Exynos 9820, 9825, 980, 990, 850, and W920.
However, the fact that Google TAG spotted the bug suggests that commercial spyware vendors may already have exploited it to target Samsung devices. The researchers explained that the flaw could give a threat actor the ability to execute arbitrary code within a privileged camera server process. The exploit also renames its process to “vendor.samsung.hardware.camera.provider@3.0-service” to hinder forensic analysis.
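The process-name masquerade described above is something an investigator can triage for. The following is an added example, not code from the article or from Google TAG: a heuristic run over a constructed process listing that flags any process claiming the camera provider's name whose executable path or user does not match the genuine service, and any case where more than one instance is running. The expected path and user are assumptions and should be checked against a known-good device.

```python
# Added illustration, not from the article. Flags processes that claim the
# camera provider's name but do not look like the genuine service.
CAMERA_PROVIDER = "vendor.samsung.hardware.camera.provider@3.0-service"
# Assumed location and owner of the genuine provider binary; verify on a
# known-good device before relying on these values.
EXPECTED_EXE = "/vendor/bin/hw/" + CAMERA_PROVIDER
EXPECTED_USER = "cameraserver"

# Constructed sample listing: pid, user, comm, resolved /proc/<pid>/exe target.
SAMPLE_LISTING = """\
1234 cameraserver vendor.samsung.hardware.camera.provider@3.0-service /vendor/bin/hw/vendor.samsung.hardware.camera.provider@3.0-service
4321 shell vendor.samsung.hardware.camera.provider@3.0-service /data/local/tmp/payload
5678 system surfaceflinger /system/bin/surfaceflinger
"""


def parse_listing(text):
    """Parse whitespace-separated rows into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append({"pid": int(parts[0]), "user": parts[1],
                         "comm": parts[2], "exe": parts[3]})
    return rows


def find_masquerades(rows):
    """Return (pid, reasons) for every process named like the camera provider
    that deviates from the expected binary/user, or when several instances
    exist at once (only one provider service should be running)."""
    claimants = [r for r in rows if r["comm"] == CAMERA_PROVIDER]
    suspects = []
    for r in claimants:
        reasons = []
        if r["exe"] != EXPECTED_EXE:
            reasons.append("exe mismatch")
        if r["user"] != EXPECTED_USER:
            reasons.append("user mismatch")
        if len(claimants) > 1:
            reasons.append("multiple instances")
        if reasons:
            suspects.append((r["pid"], reasons))
    return suspects


if __name__ == "__main__":
    for pid, reasons in find_masquerades(parse_listing(SAMPLE_LISTING)):
        print(pid, ", ".join(reasons))
```

A renamed process can also forge its cmdline, so the exe link and the owning user are the fields worth comparing rather than the name alone.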
Google researchers revealed the vulnerability, stating that it exists in a driver that provides hardware acceleration for media functions such as JPEG decoding and image scaling. The researchers noted that this driver can map userspace pages to I/O pages, issue a firmware command, and unmap the I/O pages, all through the IOCTL M2M1SHOT_IOC_PROCESS.
The exploit works by unmapping PFNMAP pages, which produces a use-after-free condition in which I/O virtual pages still map to freed physical memory.
The exploit code then executes a specific firmware command to copy data, which can overwrite a page middle directory (PMD) entry in a page table. This can lead to a Kernel Space Mirroring Attack (KSMA), which involves spamming page tables, manipulating kernel memory, and exploiting freed pages.
Users who still run affected versions should update their devices with the released patch that addresses the zero-day, to avoid threat actors looking to exploit the flaw.
