Hoplon InfoSec
10 Jan, 2025
On September 21, 2024, Google researchers identified a critical security vulnerability affecting the Monkey’s Audio (APE) decoder used in Samsung’s flagship Galaxy S23 and S24 devices. This flaw, initially disclosed by Google’s Project Zero team, highlighted severe security risks that required immediate attention. However, it took three months to release a fix, following the standard 90-day disclosure policy.
In this article, we will explore the details of these Critical 0-Click Vulnerabilities, their implications, and the measures taken to address them.
The vulnerability, CVE-2024-49415, affected Android versions 12, 13, and 14. This flaw is located in the libsaped. So, the library could allow remote attackers to execute arbitrary code on the affected devices. It involved an out-of-bounds write in the saped_rec function, posing a serious risk of system crashes or further exploitation.
This flaw could be triggered without user interaction, classifying it as a “0-click” vulnerability. Such vulnerabilities are particularly alarming because they exploit devices silently, without requiring the user to act, making detection and prevention much more challenging.
The root of the issue was found in the saped_rec function of the libsaped. So, the library writes data into a Direct Memory Access (DMA) buffer allocated by the C2 media service. While this buffer had a fixed size of 0x120000, the function could write up to three times the allowable size under specific conditions. This condition occurred when processing APE files with a sizeable blocksperframe value and 24-bit input samples. As a result, the buffer was significantly exceeded, leading to memory corruption.
Google researchers demonstrated methods to exploit the vulnerability both locally and remotely:
Local Reproduction:
Transfer a malicious APE file (e.g., overflow.ape) to the device.
Play the file using the “My Files” application.
Remote Reproduction:
Set up a test device to send Rich Communication Services (RCS) messages to the target Samsung phone.
Replace the RCS media cache file with the malicious APE file.
Send an audio message to the target device.
When the malicious file was received, the target device’s C2 service crashed, generating debug logs that confirmed the buffer overflow. This process crash was identified by a SIGSEGV (segmentation fault) in the saped_rec function of the libsaped—such a library.
This vulnerability’s zero-click nature makes it especially dangerous. Attackers could exploit devices remotely without requiring any user action. While it remains unclear whether the flaw could be exploited to execute arbitrary code, the associated risks are significant due to memory corruption involving adjacent DMA and non-DMA data.
Affected devices included Samsung Galaxy S23 and S24 models. At the time of reporting, there was no evidence that other Samsung models or Android devices were impacted.
The vulnerability was reported under Google’s Project Zero disclosure policy. This policy gives vendors 90 days to release fixes before publicizing the issue. If the fix is deployed within this timeframe, the vulnerability details are disclosed after an additional 30 days. For this issue, the disclosure deadline was set for December 19, 2024, unless a patch was released earlier.
Their latest update and other critical security fixes included Samsung’s patch for this vulnerability.
Before the patch was released, Google advised users to take the following precautions:
Disable RCS Messaging: If not required, disabling RCS messaging could reduce the risk of exploitation.
Avoid Untrusted Files: Users were advised to avoid opening or playing untrusted audio files received through messaging apps or file browsers.
Apply Security Updates: Ensuring devices were updated with the latest security patches was the most effective way to mitigate risks.
In Samsung’s latest patch update, multiple critical vulnerabilities were addressed, including CVE-2024-49415. This update also resolved four other Common Vulnerabilities and Exposures (CVEs):
CVE-2024-43096
CVE-2024-43770
CVE-2024-43771
CVE-2024-49747
CVE-2024-49748
These vulnerabilities posed severe risks, including the potential for unauthorized access to sensitive data and complete device control by attackers. By prioritizing these fixes, Samsung demonstrated its commitment to safeguarding its users.
This vulnerability underscores the increasing risks associated with modern smartphone ecosystems. As smartphones continue to integrate advanced media handling services and messaging protocols, new attack vectors emerge. Vulnerabilities like this highlight the importance of rigorous security measures and timely updates.
Google’s Project Zero is crucial in identifying and addressing critical security flaws. Their disclosure policies encourage swift action from vendors while enhancing overall user security. However, the responsibility also lies with device manufacturers like Samsung to prioritize timely and effective responses to such issues.
While technical measures and patches are essential, user awareness remains a critical line of defense. By adopting best practices such as avoiding untrusted files, turning off unnecessary services, and applying updates promptly, users can reduce their exposure to potential threats.
The discovery and resolution of this critical vulnerability in Samsung Galaxy devices are a stark reminder of the evolving challenges in smartphone security. While the patch has addressed the immediate risks, the incident underscores vendors’ and users’ importance of proactive measures.
As the complexity of smartphone ecosystems continues to grow, the collaboration between researchers, manufacturers, and users will remain vital in ensuring the safety and security of these ubiquitous devices. By staying informed and vigilant, we can collectively mitigate the risks posed by emerging threats in the digital age.
For more:
https://cybersecuritynews.com/samsung-0-click-vulnerability-fixed/
Share this :