Google's Threat Analysis Group has warned that a zero-day vulnerability in the processors used in vast numbers of Samsung mobile phones has been exploited in the wild.
The bug is tracked as CVE-2024-44068 and has a CVSS score of 8.1. It's been addressed in Samsung's October 2024 security fixes and is a Use After Free (UAF) memory vulnerability that could enable attackers to escalate privileges on Android devices.
Although the bug is not critical, it impacts chips in many, many phones: the Exynos 9820, 9825, 980, 990, 850, and W920 processors that have been used in devices across Samsung’s product range.
The Exynos 9820, for instance, can be found in the Samsung Galaxy S10 series, which reportedly sold 37 million units in the first months after its release.
A Use After Free bug can strike when a program continues to use a pointer (a stored address of another variable or object) after the memory it points to has been freed or deallocated.
If the block is freed but the pointer is not cleared, the program keeps working with memory it no longer owns, and an attacker who can control what is placed in that reused memory can use the stale reference to run malicious code.
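As an added illustration of the pattern described above, not code from the article or from Samsung's driver, the following C program contrasts a free that leaves the caller's pointer dangling with a release that clears it. The `buffer` type and every function name in it are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example: a tiny heap object standing in for a driver
 * allocation. buffer_free_dangling() shows the use-after-free precondition;
 * buffer_release() shows the reset-after-free discipline that prevents it.
 */
struct buffer {
    size_t len;
    char *data;
};

/* Allocate a buffer able to hold len bytes; returns NULL on failure. */
struct buffer *buffer_alloc(size_t len)
{
    struct buffer *b = malloc(sizeof *b);
    if (!b)
        return NULL;
    b->data = calloc(len, 1);
    if (!b->data) {
        free(b);
        return NULL;
    }
    b->len = len;
    return b;
}

/* Copy s into b. Returns 0 on success, -1 if b is not a live buffer,
 * -2 if s does not fit. The NULL checks are what make a cleared pointer
 * fail safely instead of touching freed memory. */
int buffer_write(struct buffer *b, const char *s)
{
    if (!b || !b->data)
        return -1;
    size_t n = strlen(s);
    if (n >= b->len)
        return -2;
    memcpy(b->data, s, n + 1);
    return 0;
}

/* The hazard: the memory is freed, but the caller's copy of the pointer is
 * untouched, so a later buffer_write(b, ...) would operate on memory the
 * allocator may already have handed to something else. */
void buffer_free_dangling(struct buffer *b)
{
    free(b->data);
    free(b);
}

/* The mitigation: take the address of the caller's pointer and clear it as
 * part of the release, so the only thing a later use can find is NULL. */
void buffer_release(struct buffer **bp)
{
    if (!bp || !*bp)
        return;
    free((*bp)->data);
    free(*bp);
    *bp = NULL;
}

/* Returns 1 if the caller is left holding a non-NULL pointer after the free
 * (the use-after-free precondition), 0 otherwise. The stale pointer is only
 * compared against NULL, never dereferenced. */
int demo_dangling(void)
{
    struct buffer *b = buffer_alloc(16);
    if (!b)
        return -99;
    buffer_free_dangling(b);
    return b != NULL;
}

/* Returns the result of writing through a pointer that was cleared on
 * release: -1, because buffer_write refuses a NULL buffer. */
int demo_released(void)
{
    struct buffer *b = buffer_alloc(16);
    if (!b)
        return -99;
    buffer_release(&b);
    return buffer_write(b, "late write");
}
```

In a kernel driver the same discipline is carried by the object's lifecycle code (reference counts and teardown paths that drop every reference, not just the memory), and clearing one caller's pointer only closes the simple dangling-pointer case; a second reference held elsewhere, as in the driver bug described here, still has to be tracked by the owner of the object.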
“An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920. A use-after-free in the mobile processor leads to privilege escalation,” a NIST advisory stated.
Samsung's own advisory about CVE-2024-44068 does not reveal that the vulnerability has been exploited.
However, a pair of Google researchers have claimed that an exploit already exists in the wild.
Xingyu Jin of Google Devices & Services Security Research and Clément Lecigne of Google Threat Analysis Group said that interacting with the IOCTL (input/output control) interface of the driver, which provides hardware acceleration for media functions such as JPEG decoding and image scaling, could allow the mapping of userspace pages to I/O pages, the execution of a firmware command and then the "tearing down" of the mapped I/O pages.
"By spamming a number of page tables, it means the exploit may overwrite a PMD entry to a page table in-use and implement Kernel Space Mirroring Attack (KSMA)," the researchers wrote.
"This 0-day exploit is part of an EoP chain," they continued. "The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name... probably for anti-forensic purposes."
The researchers also said the exploit's code logic "is not complex" and advised defenders to "trace every IOCTL call for identifying and validating arguments."