SMR-MAR-2021

Samsung Mobile is releasing a maintenance release for major flagship models as part of its monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.

Google patches include all patches up to the Android Security Bulletin – March 2021 package. The Bulletin (March 2021) contains the following CVE items:

Critical
CVE-2020-11170, CVE-2020-11163, CVE-2020-11272, CVE-2021-0397

High
CVE-2020-11271, CVE-2020-11282, CVE-2017-18509, CVE-2020-11286, CVE-2020-11177, CVE-2020-11187, CVE-2020-11253, CVE-2020-11281, CVE-2020-11296, CVE-2020-11269, CVE-2020-11275, CVE-2020-11280, CVE-2020-11287, CVE-2020-11276, CVE-2020-11270, CVE-2020-11297, CVE-2020-11278, CVE-2021-0395, CVE-2021-0391, CVE-2021-0398, CVE-2017-14491, CVE-2021-0393, CVE-2021-0396, CVE-2021-0390, CVE-2021-0392, CVE-2021-0394

Moderate
None

Already included in previous updates
CVE-2020-11180, CVE-2020-11277

Not applicable to Samsung devices
CVE-2020-11283

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items, described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. The Samsung security index (SSI), found under "Security software version", indicates that SMR March-2021 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.

SVE-2021-19153 (CVE-2021-25335): Hidden notification contents leak over the lockscreen

Severity: Low
Affected versions: Q(10.0) devices with ONEUI 2.5
Reported on: October 6, 2020
Disclosure status: Privately disclosed.
An improper lockscreen status check in the cocktailbar service prior to SMR MAR-2021 Release 1 allows unauthenticated users to see hidden notification contents over the lockscreen under specific conditions.
The patch adds the proper lockscreen status check to prevent the leak of hidden notification contents.


SVE-2021-19527 (CVE-2021-25337): Arbitrary file read/write vulnerability via unprotected clipboard content provider

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices except ONEUI 3.1 in R(11.0)
Reported on: November 3, 2020
Disclosure status: Privately disclosed.
An improper access control in the clipboard service prior to SMR MAR-2021 Release 1 allows untrusted applications to read or write arbitrary files on the device.
The patch adds the proper caller check to prevent improper access to the clipboard service.


SVE-2021-19553 (CVE-2021-25336): Improper access control in NotificationManagerService

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: November 6, 2020
Disclosure status: Privately disclosed.
An improper access control in NotificationManagerService prior to SMR MAR-2021 Release 1 allows untrusted applications to acquire notification access.
The patch requires a higher-privilege permission so that untrusted applications cannot access notification contents.


SVE-2021-19731 (CVE-2021-25339): EL2 memory can be corrupted with HArx HVC call

Severity: High
Affected versions: Q(10.0), R(11.0) devices with Exynos 9830 chipset
Reported on: November 24, 2020
Disclosure status: Privately disclosed.
An improper address validation in HArx prior to SMR MAR-2021 Release 1 allows an attacker with a compromised kernel (EL1) to corrupt EL2 memory through the HArx HVC interface.
The patch adds the proper address validation in HArx to prevent EL2 memory corruption.


SVE-2021-19759 (CVE-2021-25338): RKP region list is writable by EL1

Severity: High
Affected versions: Q(10.0), R(11.0) devices with Exynos 9830 chipset
Reported on: November 25, 2020
Disclosure status: Privately disclosed.
An improper memory access control in RKP prior to SMR MAR-2021 Release 1 allows an attacker with a compromised kernel (EL1) to write part of the RKP EL2 memory region.
The patch adds the proper memory access control in RKP to make that EL2 memory region inaccessible from EL1.


SVE-2021-19945 (CVE-2021-25344): Serial number leak

Severity: High
Affected versions: Q(10.0), R(11.0)
Reported on: December 15, 2020
Disclosure status: Privately disclosed.
A missing permission check in the knox_custom service prior to SMR MAR-2021 Release 1 allows attackers to obtain the device's serial number without permission.
The patch adds a proper permission check on the API that returns the serial number.


SVE-2021-20009 (CVE-2021-25345): Kernel panic by graphic format mismatch

Severity: Low
Affected versions: Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: December 21, 2020
Disclosure status: Privately disclosed.
A graphic format mismatch while converting the video format in hwcomposer prior to SMR MAR-2021 Release 1 results in a kernel panic due to an unsupported format.
The patch addresses the issue.


SVE-2021-19897 (CVE-2021-25369): Potential kernel information exposure from sec_log

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: December 10, 2020
Disclosure status: Privately disclosed.
An improper access control vulnerability in the sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
The patch removes the vulnerable file.


SVE-2021-19925 (CVE-2021-25370): Memory corruption in dpu driver

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0), R(11.0) devices with selected Exynos chipsets
Reported on: December 12, 2020
Disclosure status: Privately disclosed.
Incorrect file descriptor handling in the dpu driver prior to SMR MAR-2021 Release 1 results in memory corruption leading to a kernel panic.
The patch fixes the incorrect implementation in the dpu driver to address the memory corruption.


SVE-2021-20029 (CVE-2021-25371): Possible to load arbitrary ELF library inside DSP

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos 980, Exynos 2100 and Exynos 9830 chipsets
Reported on: December 22, 2020
Disclosure status: Privately disclosed.
A vulnerability in the DSP driver prior to SMR MAR-2021 Release 1 allows attackers to load arbitrary ELF libraries inside the DSP.
The patch removes the improper commands from the DSP driver.


SVE-2021-20030 (CVE-2021-25372): Out of bounds access vulnerability in DSP driver

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos 980, Exynos 2100 and Exynos 9830 chipsets
Reported on: December 22, 2020
Disclosure status: Privately disclosed.
An improper boundary check in the DSP driver prior to SMR MAR-2021 Release 1 allows out-of-bounds memory access.
The patch adds proper boundary check code to prevent out-of-bounds access.
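The HArx, RKP and DSP boundary entries above all come down to the same defect: a range (address plus length, or offset plus count) supplied by a less-privileged caller (EL1 calling into EL2, or userspace calling into a driver) was not fully validated before use. The block below is an added illustration of that check and is not Samsung's HArx, RKP or DSP code; the page gives no detail of the real interfaces, so the function names, the EL2 region constants and the DSP buffer size are hypothetical. It places the two classic mistakes (checking only the start of the range, and letting start + length wrap around) beside a version that rejects both.

```c
/*
 * Added illustration of caller-supplied range validation (hypothetical;
 * not Samsung's HArx, RKP or DSP driver code). The memory layout below
 * is an assumption chosen for the example.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical EL2-owned physical range that EL1 must never touch. */
#define EL2_MEM_BASE  0x80000000ULL
#define EL2_MEM_SIZE  0x00200000ULL            /* 2 MiB */
#define EL2_MEM_END   (EL2_MEM_BASE + EL2_MEM_SIZE)   /* exclusive */

/* Hypothetical fixed-size buffer shared with a DSP. */
#define DSP_BUF_SIZE  4096u

/*
 * Vulnerable form: only the start address is checked, so a range that
 * starts just below EL2 memory can still run into it, and the length
 * is never consulted at all.
 */
static bool el1_range_ok_vulnerable(uint64_t pa, uint64_t len)
{
    (void)len;
    return pa < EL2_MEM_BASE || pa >= EL2_MEM_END;
}

/*
 * Hardened form: reject empty ranges, reject pa + len wrapping around
 * (which would otherwise produce a tiny "end" that passes the overlap
 * test), and reject any overlap between [pa, pa+len) and EL2 memory.
 */
static bool el1_range_ok(uint64_t pa, uint64_t len)
{
    if (len == 0)
        return false;
    if (len > UINT64_MAX - pa)          /* pa + len would wrap */
        return false;
    uint64_t end = pa + len;            /* exclusive */
    /* Half-open intervals overlap iff each starts before the other ends. */
    if (pa < EL2_MEM_END && EL2_MEM_BASE < end)
        return false;
    return true;
}

/* Vulnerable DSP-style check: offset validated, count ignored. */
static bool dsp_access_ok_vulnerable(uint32_t offset, uint32_t count)
{
    (void)count;
    return offset < DSP_BUF_SIZE;
}

/* Hardened DSP-style check: offset + count must fit, without wrapping. */
static bool dsp_access_ok(uint32_t offset, uint32_t count)
{
    if (count == 0)
        return false;
    if (count > UINT32_MAX - offset)    /* offset + count would wrap */
        return false;
    return offset + count <= DSP_BUF_SIZE;
}

int main(void)
{
    /* Range starting 4 KiB below EL2 memory and running 8 KiB into it. */
    printf("crossing range, vulnerable check: %d\n",
           el1_range_ok_vulnerable(0x7FFFF000ULL, 0x2000ULL));
    printf("crossing range, hardened check:   %d\n",
           el1_range_ok(0x7FFFF000ULL, 0x2000ULL));
    /* Range whose end wraps past 2^64. */
    printf("wrapping range, hardened check:   %d\n",
           el1_range_ok(0xFFFFFFFFFFFFF000ULL, 0x2000ULL));
    /* DSP access that starts inside the buffer but ends one byte past it. */
    printf("dsp 4000+97, vulnerable check:    %d\n",
           dsp_access_ok_vulnerable(4000u, 97u));
    printf("dsp 4000+97, hardened check:      %d\n",
           dsp_access_ok(4000u, 97u));
    return 0;
}
```

The overlap test uses half-open intervals throughout, so a range that ends exactly at EL2_MEM_BASE, or starts exactly at EL2_MEM_END, is accepted; the wrap check has to come before the overlap test, because once the addition has wrapped the overlap test is operating on garbage.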

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

GSerg: SVE-2021-19153
Shaechi Security Lab: SVE-2021-19527
Ryan Johnson: SVE-2021-19553
Aleksandr Tarasikov: SVE-2021-19731, SVE-2021-19759
Xia Guangshuai & Zhang Qing of ByteDance, Bai Guangdong of The University of Queensland: SVE-2021-19945
Ben Toson: SVE-2021-20009
