CISA warns of Samsung ASLR bypass flaw exploited in attacks – Source: www.bleepingcomputer.com

CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.

ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device’s memory.

This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.

The flaw (CVE-2023-21492) impacts Samsung mobile devices running Android 11, 12, and 13 and is due to an insertion of sensitive information into log files.

The exposed info can be used by local attackers with high privileges to conduct an ASLR bypass which could enable the exploitation of memory-management issues.

In this month’s security updates, Samsung has addressed this issue by ensuring that the kernel pointers are no longer printed in log files.

“Samsung was notified that an exploit for this issue had existed in the wild,” the company says in the May 2023 Security Maintenance Release (SMR) advisory.

While Samsung didn’t provide details about CVE-2023-21492 exploitation, such security vulnerabilities are often abused as part of complex exploit chains in highly-targeted attacks. 

For instance, in March, Google’s Threat Analysis Group (TAG) and Amnesty International exposed two recent series of attacks employing exploit chains of Android, iOS, and Chrome flaws to install commercial spyware, with one of the campaigns targeting Samsung users in the United Arab Emirates (UAE).

Federal agencies ordered to patch by June 9

U.S. Federal Civilian Executive Branch Agencies (FCEB) have been given a three-week deadline, until June 9, to secure their Samsung Android devices against attacks exploiting CVE-2023-21492 after CISA added the vulnerability on Friday to its catalog of Known Exploited Vulnerabilities.

This is in line with a binding operational directive (BOD 22-01) issued in November 2021 requiring federal agencies to address all flaws added to CISA’s KEV list before the deadline expires.

While primarily aimed at U.S. federal agencies, it is strongly recommended that private companies also prioritize addressing vulnerabilities listed in the cybersecurity agency’s list of bugs exploited in attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

One week ago, U.S. federal agencies were also ordered to patch a critical remote code execution (RCE) Ruckus bug abused in the wild to infect Wi-Fi access points with AndoryuBot malware.