A zero-day vulnerability, tracked as CVE-2024-44068 with a CVSS score of 8.1, has been discovered in Samsung’s mobile and wearable processors, including Exynos models 9820, 9825, 980, 990, 850, and W920. The vulnerability allows for arbitrary code execution, making it a critical threat to Android devices using these chips.

Discovered by Google’s Threat Analysis Group (TAG), the flaw has already been exploited in the wild as part of an exploit chain enabling attackers to escalate privileges on vulnerable devices. Samsung has released a patch as part of its October 2024 security updates.

Critical Zero-Day Vulnerability in Samsung Mobile Processors: Technical Overview

The vulnerability is a use-after-free bug in the m2m scaler driver, which provides hardware acceleration for media functions on affected processors. Attackers can manipulate memory management by allocating PFNMAP pages and mapping them to I/O virtual memory, after which the pages are freed. The attacker can then remap the freed physical pages, leading to arbitrary code execution within privileged processes, such as the cameraserver process.

This exploit could potentially be used for kernel space mirroring attacks (KSMA), bypassing Android kernel isolation protections and allowing attackers to maintain persistence and escalate privileges.

Affected Devices

  • Samsung Exynos 9820, 9825, 980, 990, 850, and W920 mobile and wearable processors.

What We Suggest to Mitigate the Critical Zero-Day Vulnerability in Samsung Mobile Processors

  • Apply Samsung’s October 2024 Patch: Organizations and users should immediately apply the October 2024 security update released by Samsung, which addresses CVE-2024-44068.
  • Monitor Device Behavior: Watch for unusual processes, especially those renamed to appear as legitimate system services.
  • Enhance Endpoint Monitoring: Implement mobile device management (MDM) solutions that can detect privilege escalation attempts or unauthorized process execution.
  • Regularly Update Devices: Encourage timely updates of mobile devices, as failure to do so can leave vulnerabilities unpatched, creating a significant risk of exploitation.
  • Review App Permissions: Regularly review and restrict permissions for applications, especially those that interact with media and camera functions, to minimize exposure.
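To act on the patching advice across a fleet, the sketch below triages a device inventory against the affected chip list and the October 2024 patch month. It is an added example, not part of the original advisory or any Samsung tooling; the CSV column names and sample rows are constructed, and treating a patch level of 2024-10-01 or later as fixed is an assumption.

```python
import csv
import io
import re
from datetime import date

# Affected Exynos models, as listed in the advisory.
AFFECTED = {"9820", "9825", "980", "990", "850", "W920"}
# Assumption: patch level 2024-10-01 or later means the October 2024 fix is present.
FIXED_FROM = date(2024, 10, 1)

# Constructed sample export; the column names are hypothetical.
SAMPLE_CSV = """device_id,soc,security_patch
dev-001,Exynos 990,2024-09-01
dev-002,exynos9820,2024-10-01
dev-003,Exynos W920,
dev-004,EXYNOS 850,2024-13-01
dev-005,Exynos 9810,2023-01-01
"""

def exynos_model(soc):
    """Return the Exynos model ("990", "W920", ...) or None for other SoCs."""
    m = re.fullmatch(r"\s*exynos[\s_-]*(w?\d+)\s*", soc, re.IGNORECASE)
    return m.group(1).upper() if m else None

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None

def triage(csv_text):
    """Map device_id -> 'vulnerable' | 'patched' | 'unknown' | 'not_affected'."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if exynos_model(row["soc"]) not in AFFECTED:
            result[row["device_id"]] = "not_affected"
            continue
        level = parse_patch_level(row["security_patch"] or "")
        if level is None:
            result[row["device_id"]] = "unknown"  # needs manual follow-up
        elif level < FIXED_FROM:
            result[row["device_id"]] = "vulnerable"
        else:
            result[row["device_id"]] = "patched"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

Devices reported as unknown have a missing or malformed patch level and should be checked by hand rather than assumed safe.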
