close

Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text

Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can be rest assured the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Acknowledgements

Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2023 package. The Bulletin (January 2023) contains the following CVE items:

Critical
None

High
CVE-2021-39660, CVE-2022-23960(A-215557547), CVE-2022-32619, CVE-2022-32594, CVE-2022-32597, CVE-2022-32598, CVE-2022-32596, CVE-2022-25698, CVE-2022-25697, CVE-2022-25681, CVE-2022-25672, CVE-2022-25685, CVE-2022-25692, CVE-2022-25689, CVE-2022-25673, CVE-2022-25695, CVE-2022-25691, CVE-2022-25702, CVE-2022-25682, CVE-2022-33235, CVE-2022-39106, CVE-2022-39129, CVE-2022-39130, CVE-2022-39131, CVE-2022-39132, CVE-2022-39134, CVE-2022-42756, CVE-2022-42754, CVE-2022-42755, CVE-2022-39133, CVE-2022-42771, CVE-2022-42770, CVE-2022-42772, CVE-2022-20456, CVE-2022-20489, CVE-2022-20490, CVE-2022-20492, CVE-2022-20493, CVE-2023-20912, CVE-2023-20916, CVE-2023-20919, CVE-2023-20920, CVE-2023-20921, CVE-2022-20494, CVE-2023-20908, CVE-2023-20922, CVE-2022-20461, CVE-2023-20904, CVE-2023-20905, CVE-2023-20913, CVE-2023-20915

Moderate
None

Already included in previous updates
CVE-2022-32620, CVE-2022-33238, CVE-2022-33268

Not applicable to Samsung devices
None


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 20 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Jan-2023 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package, in case these items were already included in a previous maintenance release.


SVE-2022-2537(CVE-2023-21430): An out-of-bound read vulnerability in libSDKRecognitionText.spensdk.samsung.so library

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: October 24, 2022
Disclosure status: Privately disclosed
An out-of-bound read vulnerability in mapToBuffer function in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Jan-2023 Release 1 allows attacker to cause memory access fault.
The patch adds proper boundary check logic to prevent out-of-bound access.


SVE-2022-2338(CVE-2023-21429): Implicit intent hijacking vulnerability in ePDG

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 20, 2022
Disclosure status: Privately disclosed
Improper usage of implicit intent in ePDG prior to SMR Jan-2023 Release 1 allows attacker to access SSID.
The patch change the implicit intent to explicit intent.


SVE-2022-2320(CVE-2023-21428): Improper input validation vulnerability in TelephonyUI

Severity: Moderate
Affected versions: R(11), S(12), T(13)
Reported on: September 19, 2022
Disclosure status: Privately disclosed
Improper input validation vulnerability in TelephonyUI prior to SMR Jan-2023 Release 1 allows attackers to configure Preferred Call.
The patch removes unused code.


SVE-2022-2280(CVE-2023-21427): Improper access control vulnerabilities in NfcTile

Severity: Moderate
Affected versions: R(11), S(12), T(13)
Reported on: September 15, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in NfcTile prior to SMR Jan-2023 Release 1 allows to attacker to use NFC without user recognition.
The patch adds proper permission in NfcTile to prevent unauthorized access.


SVE-2022-2278(CVE-2023-21426): Hardcoded encryption key vulnerability in NFC

Severity: Moderate
Affected versions: Select Q(10) devices
Reported on: September 15, 2022
Disclosure status: Privately disclosed
Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN.
The patch adds proper usage of random private key api to prevent key exposure.


SVE-2022-2261(CVE-2023-21425): Improper access control vulnerability in telecom application

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 15, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in telecom application prior to SMR Jan-2023 Release 1 allows local attackers to get sensitive information.
The patch adds proper access control logic to prevent sensitive information leakage.


SVE-2022-2118(CVE-2023-21424): Improper Authorization vulnerability in SemChameleonHelper

Severity: Moderate
Affected versions: R(11), S(12), T(13)
Reported on: September 3, 2022
Disclosure status: Privately disclosed
Improper handling of insufficient permissions or privileges vulnerability in SemChameleonHelper prior to SMR Jan-2023 Release 1 allows attacker to modify network related values, network code, carrier id and operator brand.
The patch restricts privilege of the app that calls SemChameleonHelper in Telephony.


SVE-2022-1967(CVE-2023-21423): Improper authorization vulnerability in ChnFileShareKit

Severity: Moderate
Affected versions: S(12), T(13)
Reported on: August 17, 2022
Disclosure status: Privately disclosed
Improper authorization vulnerability in ChnFileShareKit prior to SMR Jan-2023 Release 1 allows attacker to control BLE advertising without permission using unprotected action.
The patch adds proper permission.


SVE-2022-1931(CVE-2023-21422): Improper authorization vulnerability in WifiSevice

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: August 14, 2022
Disclosure status: Privately disclosed
Improper authorization vulnerability in semAddPublicDnsAddr in WifiSevice prior to SMR Jan-2023 Release 1 allows attackers to set custom DNS server without permission via binding WifiService.
The patch adds permission check logic when call the service API.


SVE-2022-1672(CVE-2023-21421): Improper Handling of Insufficient Permissions or Privileges vulnerability in Knox Service

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: July 14, 2022
Disclosure status: Privately disclosed
Improper handling of insufficient permissions or privileges vulnerability in KnoxCustomManagerService prior to SMR Jan-2023 Release 1 allows attacker to access device SIM PIN.
The patch adds proper signature check in KnoxCustomManagerService to prevent unauthorized access.


SVE-2022-1364(CVE-2023-21420): Use of Externally-Controlled Format String vulnerabilities in STST TA

Severity: High
Affected versions: Q(10), R(11) devices with Teegris
Reported on: June 3, 2022
Disclosure status: Privately disclosed
Use of Externally-Controlled Format String vulnerabilities in STST TA prior to SMR Jan-2023 Release 1 allows arbitrary code execution.
The patch restricts the triggering for the print of externally controlled format string code.


SVE-2022-0471(CVE-2023-21419): A vulnerability in Secure Folder

Severity: Moderate
Affected versions: S(12)
Reported on: February 28, 2022
Disclosure status: Privately disclosed
An improper implementation logic in Secure Folder prior to SMR Jan-2023 Release 1 allows the Secure Folder container remain unlocked under certain condition.
The patch adds restriction that lock the SecureFolder container when PIP is closed.


Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
dg: SVE-2022-2537
Oversecured Inc: SVE-2022-2338, SVE-2022-2320, SVE-2022-2280, SVE-2022-2278, SVE-2022-2261, SVE-2022-2118, SVE-2022-1931, SVE-2022-1672
Stealth Assassin: SVE-2022-1967
Thalium: SVE-2022-1364
Vijay Vignesh Baskaran: SVE-2022-0471