CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device’s memory.
This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.
The flaw (CVE-2023-21492) impacts Samsung mobile devices running Android 11, 12, and 13 and is due to an insertion of sensitive information into log files.
The exposed info can be used by local attackers with high privileges to conduct an ASLR bypass which could enable the exploitation of memory-management issues.
In this month’s security updates, Samsung has addressed this issue by ensuring that the kernel pointers are no longer printed in log files.
“Samsung was notified that an exploit for this issue had existed in the wild,” the company says in the May 2023 Security Maintenance Release (SMR) advisory.
Abused to install mercenary spyware
While Samsung didn’t provide details about CVE-2023-21492 exploitation, this security vulnerability was used as part of a complex exploit chain in highly-targeted attacks targeting Samsung users in the United Arab Emirates (UAE).
As Google’s Threat Analysis Group (TAG) and Amnesty International revealed in March, two recent series of attacks employing exploit chains of Android, iOS, and Chrome flaws to install commercial spyware, with one of them abusing the CVE-2023-21492 bug.
The attackers deployed a C++-based Android spyware suite capable of decrypting and extracting data from multiple chat and browser apps.
The exploit chains were spotted by Amnesty International’s Security Lab findings which also shared details concerning the domains and infrastructure employed in the attacks.
“The newly discovered spyware campaign has been active since at least 2020 and targeted mobile and desktop devices, including users of Google’s Android operating system,” Amnesty International reported.
“The spyware and zero-day exploits were delivered from an extensive network of more than 1000 malicious domains, including domains spoofing media websites in multiple countries.”
Federal agencies ordered to patch by June 9
U.S. Federal Civilian Executive Branch Agencies (FCEB) have been given a three-week deadline, until June 9, to secure their Samsung Android devices against attacks exploiting CVE-2023-21492 after CISA added the vulnerability on Friday to its catalog of Known Exploited Vulnerabilities.
This is in line with a binding operational directive (BOD 22-01) issued in November 2021 requiring federal agencies to address all flaws added to CISA’s KEV list before the deadline expires.
While primarily aimed at U.S. federal agencies, it is strongly recommended that private companies also prioritize addressing vulnerabilities listed in the cybersecurity agency’s list of bugs exploited in attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
One week ago, U.S. federal agencies were also ordered to patch a critical remote code execution (RCE) Ruckus bug abused in the wild to infect Wi-Fi access points with AndoryuBot malware.
Update: Added more info on attacks exploiting CVE-2023-2149.