Security Updates

Disclaimer

  • Please note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can rest assured that the OS upgrades will include up-to-date security patches when delivered.
  • While we are doing our best to deliver the security patches as soon as possible to all applicable models, delivery time of security patches may vary depending on the regions and models.
  • Some patches to be received from chipset vendors (also known as Device Specific patches) may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – December 2021 package. The Bulletin (December 2021) contains the following CVE items:

Critical
CVE-2021-1924, CVE-2021-1975, CVE-2021-0967(P9.0), CVE-2021-0968, CVE-2021-0956

High
CVE-2021-1979, CVE-2021-30255, CVE-2021-1921, CVE-2021-1973, CVE-2021-0929, CVE-2021-0920, CVE-2021-30284, CVE-2021-30254, CVE-2021-1982, CVE-2021-1981, CVE-2021-1048, CVE-2021-0955, CVE-2021-0970, CVE-2021-0704, CVE-2021-0967(Q10,R11,S12), CVE-2021-0964, CVE-2021-0953, CVE-2021-0954, CVE-2021-0963, CVE-2021-0965, CVE-2021-0952, CVE-2021-0966

Moderate
CVE-2021-0958, CVE-2021-0969, CVE-2021-1903

Already included in previous updates
CVE-2021-0924

Not applicable to Samsung devices
CVE-2021-0672, CVE-2021-0889, CVE-2021-0927


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 18 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR December-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-22920: AMPDU sequence number attack

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices with selected Broadcom WiFi chipsets
Reported on: April 26, 2021
Disclosure status: Publicly disclosed
A remote temporary denial of service vulnerability in Broadcom Wi-Fi chipsets prior to SMR Dec-2021 Release 1 allows attackers to make the victim’s device unresponsive until the device reconnects to the AP.
The patch adds proper handling to prevent DoS.


SVE-2021-20291 (CVE-2021-25516): Not standard-compliant behavior on handling RRC MeasurementReport message

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices with selected Exynos chipsets
Reported on: January 11, 2021
Disclosure status: Privately disclosed.
An improper check or handling of exceptional conditions in Exynos baseband prior to SMR Dec-2021 Release 1 allows attackers to track locations.
The patch adds a proper check of the RRC security variable in Exynos baseband.


SVE-2021-23037 (CVE-2021-25513): Information leak in lockscreen

Severity: Low
Affected versions: Select R(11.0) devices
Reported on: August 22, 2021
Disclosure status: Privately disclosed.
An improper privilege management vulnerability in Apps Edge application prior to SMR Dec-2021 Release 1 allows unauthorized access to some device data on the lockscreen.
The patch adds proper device lock status validation logic.


SVE-2021-23271 (CVE-2021-25514): Intent redirection vulnerability in Tags

Severity: Moderate
Affected versions: Q(10.0), R(11.0)
Reported on: September 16, 2021
Disclosure status: Privately disclosed.
An improper intent redirection handling in Tags prior to SMR Dec-2021 Release 1 allows attackers to access sensitive information.
The patch sanitizes incoming Intent before using it.


SVE-2021-23088 (CVE-2021-25515): BSSID exposure in SemRewardManager

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 29, 2021
Disclosure status: Privately disclosed.
An improper usage of implicit intent in SemRewardManager prior to SMR Dec-2021 Release 1 allows attackers to access BSSID.
The patch restricts which apps can receive the intent.


SVE-2021-23076 (CVE-2021-25510, CVE-2021-25511): Camera privilege escalation and arbitrary file write in FilterProvider (system_app) in Samsung Device

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 27, 2021
Disclosure status: Privately disclosed.
An improper validation vulnerability in FilterProvider prior to SMR Dec-2021 Release 1 allows local privilege escalation.
The patch adds proper validation logic to prevent privilege escalation.


SVE-2021-22943 (CVE-2021-25519): CPLC information exposure vulnerability

Severity: Low
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 12, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in CPLC prior to SMR Dec-2021 Release 1 allows local attackers to access CPLC information without permission.
The patch blocks access to CPLC information without privilege.


SVE-2021-23031 (CVE-2021-25512): Possible to launch any activities via LaunchAnyWhere vulnerability

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: August 21, 2021
Disclosure status: Privately disclosed.
An improper validation vulnerability in telephony prior to SMR Dec-2021 Release 1 allows attackers to launch certain activities.
The patch adds proper validation logic to prevent privilege escalation.


SVE-2021-23016 (CVE-2021-25518): Arbitrary memory/register write in secure_log of BL31 and LDFW

Severity: Critical
Affected versions: Q(10.0), R(11.0) devices with selected Exynos chipsets
Reported on: August 20, 2021
Disclosure status: Privately disclosed.
An improper boundary check in secure_log of LDFW and BL31 prior to SMR Dec-2021 Release 1 allows arbitrary memory write and code execution.
The patch adds proper validation logic to prevent arbitrary memory write.


SVE-2021-22719 (CVE-2021-25517): Loadable firmwares can be overwritten at runtime

Severity: Critical
Affected versions: Q(10.0), R(11.0) devices with selected Exynos chipsets
Reported on: July 24, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in LDFW prior to SMR Dec-2021 Release 1 allows attackers to perform arbitrary code execution.
The patch addresses the vulnerability in LDFW.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

CheolJun Park, Sangwook Bae and BeomSeok Oh @ KAIST SysSec: SVE-2021-20291
dohki, Ethan JH Park: SVE-2021-23037
Sergey Toshin: SVE-2021-23271
XiaGuangshuai in Wuheng Lab of ByteDance: SVE-2021-23088
Dawn Security Lab, JD.com: SVE-2021-23076
Xia Guangshuai: SVE-2021-22943
MyTyrannosaurusBuddy: SVE-2021-23031
Federico Menarini and Martijn Bogaard of Riscure: SVE-2021-23016, SVE-2021-22719

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – November 2021 package. The Bulletin (November 2021) contains the following CVE items:

Critical
CVE-2021-0870, CVE-2021-0918, CVE-2021-0930

High
CVE-2021-29647, CVE-2020-29660, CVE-2021-1949, CVE-2021-1936, CVE-2021-1959, CVE-2021-1917, CVE-2021-30288, CVE-2021-30302, CVE-2021-30306, CVE-2021-30305, CVE-2020-24588, CVE-2020-26141, CVE-2021-1977, CVE-2021-0799, CVE-2021-0921, CVE-2021-0923, CVE-2021-0933, CVE-2021-0928, CVE-2021-0925, CVE-2021-0931

Moderate
CVE-2021-0922, CVE-2021-0919

Already included in previous updates
CVE-2020-11264, CVE-2020-11301, CVE-2021-1932, CVE-2021-1913, CVE-2020-24587, CVE-2020-26146, CVE-2020-26145, CVE-2020-26139, CVE-2021-27666, CVE-2020-13871, CVE-2021-0653, CVE-2021-0650, CVE-2021-0434, CVE-2021-0649, CVE-2021-0932

Not applicable to Samsung devices
CVE-2020-10768, CVE-2021-1983, CVE-2021-30257, CVE-2021-1984, CVE-2021-30297, CVE-2021-30292, CVE-2021-1985, CVE-2021-30291, CVE-2021-30258, CVE-2021-30256, CVE-2020-26147, CVE-2020-26140, CVE-2020-11303, CVE-2021-30310, CVE-2021-1980, CVE-2021-30312, CVE-2021-0926


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 13 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR November-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-22911 (CVE-2021-25502): Insecure Storage of Sensitive Information vulnerability in Property Settings

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: August 10, 2021
Disclosure status: Privately disclosed.
A vulnerability of storing sensitive information insecurely in Property Settings prior to SMR Nov-2021 Release 1 allows attackers to read ESN value without privilege.
The patch removes the property with ESN value.


SVE-2021-22863 (CVE-2021-25500): Unchecked IRQ index in HDCP LDFW

Severity: Critical
Affected versions: Select Q(10.0), R(11.0) devices with Exynos 980, 9820, 9830, 2100 chipset
Reported on: August 5, 2021
Disclosure status: Privately disclosed.
A missing input validation in HDCP LDFW prior to SMR Nov-2021 Release 1 allows attackers to overwrite TZASC allowing TEE compromise.
The patch adds proper input validation in HDCP LDFW.


SVE-2021-22784 (CVE-2021-25501): Improper access control in SCloudBnRReceiver

Severity: Moderate
Affected versions: Q(10.0), R(11.0)
Reported on: June 30, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in SCloudBnRReceiver in SecTelephonyProvider prior to SMR Nov-2021 Release 1 allows untrusted application to call some protected providers.
The patch adds the proper permission check to prevent improper access to SCloudBnRReceiver.


SVE-2021-22402 (CVE-2021-25503): Arbitrary read/write/code execution in the Linux kernel through the /dev/hdcp2 device

Severity: Moderate
Affected versions: Select O(8.1), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: July 1, 2021
Disclosure status: Privately disclosed.
Improper input validation vulnerability in HDCP prior to SMR Nov-2021 Release 1 allows attackers to perform arbitrary code execution.
The patch removes the legacy code in HDCP.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Xia Guangshuai: SVE-2021-22911
Federico Menarini and Martijn Bogaard of Riscure: SVE-2021-22863, SVE-2021-22402
Dawuge of Pangu Team: SVE-2021-22784

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – October 2021 package. The Bulletin (October 2021) contains the following CVE items:

Critical
CVE-2021-1886, CVE-2021-1889, CVE-2021-1888, CVE-2021-1890, CVE-2021-1933, CVE-2021-1946

High
CVE-2021-1923, CVE-2021-1909, CVE-2021-1935, CVE-2021-1952, CVE-2021-1934, CVE-2021-30290, CVE-2021-30294, CVE-2021-30295, CVE-2021-0695, CVE-2021-1948, CVE-2021-1941, CVE-2021-1974, CVE-2021-1971, CVE-2020-26558, CVE-2021-0703, CVE-2021-0652, CVE-2021-0705, CVE-2021-0708, CVE-2020-15358, CVE-2021-0702, CVE-2021-0651, CVE-2021-0483

Moderate
CVE-2021-0534, CVE-2021-0568, CVE-2021-0554, CVE-2021-0563, CVE-2021-0535, CVE-2021-0543, CVE-2021-0544, CVE-2021-0545, CVE-2021-0546, CVE-2021-0541, CVE-2021-0542, CVE-2021-0551

Already included in previous updates
CVE-2021-0571

Not applicable to Samsung devices
CVE-2021-0681, CVE-2021-0680, CVE-2021-0636, CVE-2021-0635, CVE-2021-0540


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 32 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR October-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-22636 (CVE-2021-25485): Path traversal vulnerability in FactoryAirCommandManager

Severity: High
Affected versions: Q(10.0), R(11.0)
Reported on: July 14, 2021
Disclosure status: Privately disclosed.
Path traversal vulnerability in FactoryAirCommandManager prior to SMR Oct-2021 Release 1 allows attackers to write file as system UID via BT remote socket.
The patch fixes incorrect implementation of file path validation check logic.


SVE-2021-22658 (CVE-2021-25490): Downgrade attack in Keymaster TA

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: July 16, 2021
Disclosure status: Privately disclosed.
A keyblob downgrade attack in keymaster prior to SMR Oct-2021 Release 1 allows an attacker with a privileged process to trigger an IV reuse vulnerability.
The patch removes the legacy implementation for minor keyblob.


SVE-2021-21621 (CVE-2021-25491): Memory corruption vulnerabilities in kernel driver

Severity: Low
Affected versions: Selected P(9.0), Q(10.0), R(11.0) Exynos devices
Reported on: April 27, 2021
Disclosure status: Privately disclosed.
A vulnerability in mfc driver prior to SMR Oct-2021 Release 1 allows memory corruption via NULL-pointer dereference.
The patch adds proper validation logic to prevent null pointer dereference.


SVE-2021-22558 (CVE-2021-25472): Improper access control in BluetoothSettingsProvider

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: July 7, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in BluetoothSettingsProvider prior to SMR Oct-2021 Release 1 allows untrusted application to overwrite some Bluetooth information.
The patch adds the proper permission check to prevent improper access to BluetoothSettingsProvider.


SVE-2021-21958 (CVE-2021-25467): Kernel Local Privilege Escalation in the Vision DSP Kernel Driver

Severity: Moderate
Affected versions: R(11.0) devices with Exynos 980, 9830, 2100
Reported on: May 25, 2021
Disclosure status: Privately disclosed.
Assuming system privilege is gained, possible buffer overflow vulnerabilities in the Vision DSP kernel driver prior to SMR Oct-2021 Release 1 allow privilege escalation to Root by hijacking loaded library.
The patch adds proper boundary check to prevent buffer overflow.


SVE-2021-21904 (CVE-2021-25468): Arbitrary read in the Widevine TA

Severity: High
Affected versions: Select Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: June 2, 2021
Disclosure status: Privately disclosed.
A vulnerability that makes it possible to guess and confirm a byte of memory in Widevine trustlet prior to SMR Oct-2021 Release 1 allows attackers to read arbitrary memory address.
The patch adds the proper validation logic to prevent guessing a byte of memory.


SVE-2021-21905 (CVE-2021-25469): Stack-based buffer overflow in the Widevine TA

Severity: High
Affected versions: Select Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: June 2, 2021
Disclosure status: Privately disclosed.
A possible stack-based buffer overflow vulnerability in Widevine trustlet prior to SMR Oct-2021 Release 1 allows arbitrary code execution.
The patch adds proper boundary check and input validation to prevent buffer overflow.


SVE-2021-22065 (CVE-2021-25470): TEE can be compromised through the Widevine TA

Severity: Critical
Affected versions: Select P(9.0), Q(10.0), R(11.0) devices with Exynos and Mediatek chipsets
Reported on: June 2, 2021
Disclosure status: Privately disclosed.
An improper caller check logic of SMC call in TEEGRIS secure OS prior to SMR Oct-2021 Release 1 can be used to compromise TEE.
The patch addresses the caller check logic to prevent illegal use of SMC call.


SVE-2021-21906 (CVE-2021-25476): Pointer leak in Widevine TA

Severity: Moderate
Affected versions: Select Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: May 20, 2021
Disclosure status: Privately disclosed.
An information disclosure vulnerability in Widevine TA log prior to SMR Oct-2021 Release 1 allows attackers to bypass the ASLR protection mechanism in TEE.
The patch fixes the problematic code.


SVE-2021-22327 (CVE-2021-25471): Possible replay attack before attach procedure completion

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0) devices with Exynos CP chipsets
Reported on: June 27, 2021
Disclosure status: Privately disclosed.
A lack of replay attack protection in Security Mode Command process prior to SMR Oct-2021 Release 1 can lead to denial of service on mobile network connection and battery depletion.
The patch prevents replay attack by using NAS count.


SVE-2021-22412 (CVE-2021-25483): OOB read in libsflvextractor library

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: July 2, 2021
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in libsflvextractor library prior to SMR Oct-2021 Release 1 allows OOB read.
The patch adds proper boundary check to prevent out of bounds read.


SVE-2021-22215 (CVE-2021-25484): Unauthorized access in InputManagerService

Severity: Moderate
Affected versions: O(8.1 go), Q(10.0 go), R(11.0 go)
Reported on: June 14, 2021
Disclosure status: Privately disclosed.
Improper authentication in InputManagerService prior to SMR Oct-2021 Release 1 allows monitoring the touch event.
The patch adds proper permission check logic in Android GO branches.


SVE-2021-22360 (CVE-2021-25473): Local permanent denial of service in SystemUI

Severity: Moderate
Affected versions: R(11.0)
Reported on: June 28, 2021
Disclosure status: Privately disclosed.
Assuming a shell privilege is gained, an improper exception handling for multi_sim_bar_hide_by_meadia_full value in SystemUI prior to SMR Oct-2021 Release 1 allows an attacker to cause a permanent denial of service in user device before factory reset.
The patch adds proper exception handling to prevent crash.


SVE-2021-22361 (CVE-2021-25474): Local permanent denial of service in SystemUI

Severity: Moderate
Affected versions: Q(10.0), R(11.0)
Reported on: June 28, 2021
Disclosure status: Privately disclosed.
Assuming a shell privilege is gained, an improper exception handling for multi_sim_bar_show_on_qspanel value in SystemUI prior to SMR Oct-2021 Release 1 allows an attacker to cause a permanent denial of service in user device before factory reset.
The patch adds proper exception handling to prevent crash.


SVE-2021-20329 (CVE-2021-25486): Exposure of information vulnerability in ipcdump

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: January 16, 2021
Disclosure status: Privately disclosed.
Exposure of information vulnerability in ipcdump prior to SMR Oct-2021 Release 1 allows an attacker to detect device information by analyzing packets in the log.
The patch enforces access control of ipcdump.


SVE-2021-21957 (CVE-2021-25475): Kernel Local Privilege Escalation in the Vision DSP Kernel Driver

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos 980, 9830, 2100 chipsets
Reported on: May 25, 2021
Disclosure status: Privately disclosed.
A possible heap-based buffer overflow vulnerability in DSP kernel driver prior to SMR Oct-2021 Release 1 allows arbitrary memory write and code execution.
The patch adds proper boundary check to prevent buffer overflow.


SVE-2021-22199 (CVE-2021-25477): Baseband MCCH Double Free

Severity: High
Affected versions: Select P(9.0), Q(10.0), R(11.0) devices with MT6765, MT6853, MT6762 chipsets.
Reported on: June 11, 2021
Disclosure status: Privately disclosed.
An improper error handling in Mediatek RRC Protocol stack prior to SMR Oct-2021 Release 1 allows modem crash and remote denial of service.
The patch fixes the problematic code.


SVE-2021-22665 (CVE-2021-25487): Arbitrary code execution via OOB read in modem interface driver

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0) Exynos devices
Reported on: July 16, 2021
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in set_skb_priv() of modem interface driver prior to SMR Oct-2021 Release 1 allows OOB read and it results in arbitrary code execution by dereference of invalid function pointer.
The patch adds proper boundary check to prevent out of bounds read.


SVE-2021-22666 (CVE-2021-25488): OOB read in modem interface driver

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0) Exynos devices
Reported on: July 16, 2021
Disclosure status: Privately disclosed.
Lack of boundary checking of a buffer in recv_data() of modem interface driver prior to SMR Oct-2021 Release 1 allows OOB read.
The patch adds proper boundary check to prevent out of bounds read.


SVE-2021-22051 (CVE-2021-25478): LTE RRC Connection Reconfiguration Stack Buffer Overflow

Severity: Critical
Affected versions: Select O(8.1), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: June 1, 2021
Disclosure status: Privately disclosed.
A possible stack-based buffer overflow vulnerability in Exynos CP Chipset prior to SMR Oct-2021 Release 1 allows arbitrary memory write and code execution.
The patch adds proper boundary check to prevent buffer overflow.


SVE-2021-22079 (CVE-2021-25479): LTE RRC Reconfiguration Heap-based Buffer Overflow

Severity: Critical
Affected versions: Select O(8.1), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: June 3, 2021
Disclosure status: Privately disclosed.
A possible heap-based buffer overflow vulnerability in Exynos CP Chipset prior to SMR Oct-2021 Release 1 allows arbitrary memory write and code execution.
The patch adds proper boundary check to prevent buffer overflow.


SVE-2021-22324 (CVE-2021-25480): Replayed GUTI REALLOCATION COMMAND accepted after SECURITY MODE COMMAND

Severity: High
Affected versions: O(8.x), P(9.0), Q(10.0), R(11.0) devices with Qualcomm chipsets
Reported on: June 27, 2021
Disclosure status: Privately disclosed.
A lack of replay attack protection in GUTI REALLOCATION COMMAND message process in Qualcomm modem prior to SMR Oct-2021 Release 1 can lead to remote denial of service on mobile network connection.
The patch adds proper check when a GUTI REALLOCATION COMMAND message is being reused.


SVE-2021-22403 (CVE-2021-25481): Baseband secure range can be disabled through an IOCTL

Severity: Moderate
Affected versions: Select O(8.1), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: July 1, 2021
Disclosure status: Privately disclosed.
An improper error handling in Exynos CP booting driver prior to SMR Oct-2021 Release 1 allows local attackers to bypass a Secure Memory Protector of Exynos CP Memory.
The patch fixes the problematic code.


SVE-2021-22563 (CVE-2021-25482): Multiple SQL Injection vulnerabilities in privileged content provider 'com.samsung.android.cmfa.framework.provider.CmfaProvider'

Severity: Moderate
Affected versions: R(11.0)
Reported on: July 7, 2021
Disclosure status: Privately disclosed.
SQL injection vulnerabilities in CMFA framework prior to SMR Oct-2021 Release 1 allow untrusted application to overwrite some CMFA framework information.
The patch adds proper access control for the CMFA Provider in CMFA framework.


SVE-2021-22667 (CVE-2021-25489): Format string bug in modem interface driver

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0) Exynos devices
Reported on: July 16, 2021
Disclosure status: Privately disclosed.
Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.
The patch addressed the issue.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Dawn Security Lab, JD.com: SVE-2021-22636
Alon Shakevsky, Avishai Wool and Eyal Ronen: SVE-2021-22658
Gyorgy Miru: SVE-2021-21621, SVE-2021-21958, SVE-2021-21957
pox of Singular Security Lab: SVE-2021-22558, SVE-2021-22563
Federico Menarini and Martijn Bogaard of Riscure: SVE-2021-21904, SVE-2021-21905, SVE-2021-21906, SVE-2021-22065, SVE-2021-22403
Syed Rafiul Hussain, Imtiaz Karim, Abdullah Al Ishtiaq, Omar Chowdhury, Elisa Bertino: SVE-2021-22327, SVE-2021-22324
Le Wu of Baidu Security: SVE-2021-22412
Yousra Aafer: SVE-2021-22215
WuHeng Lab of Bytedance: SVE-2021-22360, SVE-2021-22361
Andr. Ess: SVE-2021-20329
Team FirmWire: SVE-2021-22199, SVE-2021-22051, SVE-2021-22079

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – September 2021 package. The Bulletin (September 2021) contains the following CVE items:

Critical
CVE-2021-1972, CVE-2021-1976, CVE-2021-0687

High
CVE-2021-28375, CVE-2020-14381, CVE-2021-0582, CVE-2021-0578, CVE-2021-0579, CVE-2021-0580, CVE-2021-0581, CVE-2021-30261, CVE-2021-30260, CVE-2021-1939, CVE-2021-1947, CVE-2021-1904, CVE-2021-0639, CVE-2019-10581, CVE-2021-0518, CVE-2021-0595, CVE-2021-0683, CVE-2021-0684, CVE-2021-0685, CVE-2021-0688, CVE-2021-0686, CVE-2021-0689, CVE-2021-0690, CVE-2021-0598, CVE-2021-0692, CVE-2021-0428, CVE-2021-0644, CVE-2021-0682, CVE-2021-0693

Moderate
CVE-2021-0565, CVE-2021-0556, CVE-2021-0562, CVE-2021-0566, CVE-2021-0536, CVE-2021-0537, CVE-2021-0538, CVE-2021-0539, CVE-2021-0547, CVE-2021-0548, CVE-2021-0553, CVE-2021-0549, CVE-2021-0552, CVE-2021-0691

Already included in previous updates
CVE-2021-3347, CVE-2021-0564

Not applicable to Samsung devices
CVE-2021-1919, CVE-2021-1916, CVE-2021-1920, CVE-2021-0573, CVE-2021-0574, CVE-2021-0576, CVE-2021-1914, CVE-2021-1978, CVE-2020-3633


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 23 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR September-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-21619 (CVE-2021-25457): Kernel Information Disclosure in the Vision DSP Kernel Driver

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos 980, 9830, 2100 chipsets
Reported on: April 27, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in DSP driver prior to SMR Sep-2021 Release 1 allows local attackers to obtain limited kernel memory information.
The patch adds proper input validation in DSP driver.


SVE-2021-21943 (CVE-2021-25450): Path traversal vulnerability in FactoryAirCommandManager

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: May 24, 2021
Disclosure status: Privately disclosed.
Path traversal vulnerability in FactoryAirCommandManager prior to SMR Sep-2021 Release 1 allows attackers to write file as system UID via remote socket.
The patch addresses incorrect implementation of file path validation check logic.


SVE-2021-22094 (CVE-2021-25449): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: June 4, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in libsapeextractor library prior to SMR Sep-2021 Release 1 allows attackers to execute arbitrary code in mediaextractor process.
The patch adds proper input check to prevent buffer overflow.


SVE-2021-21959 (CVE-2021-25452): Kernel Permanent Denial of Service Vulnerability in the Vision DSP Kernel Driver

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos 980, 9830, 2100 chipsets
Reported on: May 25, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in loading graph file in DSP driver prior to SMR Sep-2021 Release 1 allows attackers to perform permanent denial of service on the device.
The patch adds proper input check to prevent loading unintended file in path.


SVE-2021-21041 (CVE-2021-25453): Leak Bluetooth information through Broadcast in Bluetooth app

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: March 13, 2021
Disclosure status: Privately disclosed.
Some improper access control in Bluetooth APIs prior to SMR Sep-2021 Release 1 allows untrusted applications to get Bluetooth information.
The patches add proper access control to prevent Bluetooth information leak.


SVE-2021-21620 (CVE-2021-25458): NULL pointer dereference vulnerability in the ION Driver

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: April 27, 2021
Disclosure status: Privately disclosed.
NULL pointer dereference vulnerability in ION driver prior to SMR Sep-2021 Release 1 allows attackers to cause memory corruption.
The patch adds proper input check to prevent null pointer dereference.


SVE-2021-22602 (CVE-2021-25459): Improper access control in BlockChainService

Severity: Moderate
Affected versions: Select Q(10.0), R(11.0)
Reported on: July 12, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in sspInit() in BlockchainTZService prior to SMR Sep-2021 Release 1 allows attackers to start BlockchainTZService.
The patch adds the proper permission check to prevent improper access to BlockchainTZService.


SVE-2021-22603 (CVE-2021-25460): Improper access control in BlockChainService

Severity: Moderate
Affected versions: Select Q(10.0), R(11.0)
Reported on: July 12, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in sspExit() in BlockchainTZService prior to SMR Sep-2021 Release 1 allows attackers to terminate BlockchainTZService.
The patch adds the proper permission check to prevent improper access to BlockchainTZService.


SVE-2021-22411 (CVE-2021-25461): APAService Stack Overflow

Severity: Low
Affected versions: O(8.1)
Reported on: July 2, 2021
Disclosure status: Privately disclosed.
An improper length check in APAService prior to SMR Sep-2021 Release 1 results in a stack-based buffer overflow.
The patch adds proper length check in APAService.


SVE-2021-21413 (CVE-2021-25451): Sensitive information disclosure in NetworkPolicyManagerService

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: April 11, 2021
Disclosure status: Privately disclosed.
A PendingIntent hijacking in NetworkPolicyManagerService prior to SMR Sep-2021 Release 1 allows attackers to get IMSI data.
The patch addresses the intent in NetworkPolicyManagerService to prevent unprivileged access.


SVE-2021-22278 (CVE-2021-25454): OOB read vulnerability in 'libsaacextractor.so'

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: June 23, 2021
Disclosure status: Privately disclosed.
OOB read vulnerability in libsaacextractor.so library prior to SMR Sep-2021 Release 1 allows attackers to cause a remote DoS via a forged AAC file.
The patch adds length check code in libsaacextractor library.


SVE-2021-22291 (CVE-2021-25455): OOB read vulnerability in 'libsaviextractor.so'

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: June 24, 2021
Disclosure status: Privately disclosed.
OOB read vulnerability in libsaviextractor.so library prior to SMR Sep-2021 Release 1 allows attackers to access an arbitrary address through a pointer via a forged AVI file.
The patch adds length check code in libsaviextractor library.


SVE-2021-22343 (CVE-2021-25456): OOB read vulnerability in 'libswmfextractor.so'

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: June 27, 2021
Disclosure status: Privately disclosed.
OOB read vulnerability in libswmfextractor.so library prior to SMR Sep-2021 Release 1 allows attackers to execute memcpy at an arbitrary address via a forged WMF file.
The patch adds length check code in libswmfextractor library.


SVE-2021-21969 (CVE-2021-25462): Null Pointer Dereference vulnerability in the NPU Driver

Severity: Low
Affected versions: P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: May 25, 2021
Disclosure status: Privately disclosed.
NULL pointer dereference vulnerability in NPU driver prior to SMR Sep-2021 Release 1 allows attackers to cause memory corruption.
The patch adds proper input check to prevent null pointer dereference.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Gyorgy Miru: SVE-2021-21619, SVE-2021-21959, SVE-2021-21620
R of Dawn Security Lab, JD.com: SVE-2021-21943
Le Wu of Baidu Security: SVE-2021-22094, SVE-2021-22278, SVE-2021-22291, SVE-2021-22343
hard_______: SVE-2021-21041
Sigmund Gorski: SVE-2021-22602, SVE-2021-22603
Mounir Elgharabawy: SVE-2021-22411
En He of OPPO ZIWU Security lab: SVE-2021-21413
Maxime Peterlin: SVE-2021-21969




Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – August 2021 package. The Bulletin (August 2021) contains the following CVE items:

Critical
CVE-2021-0592, CVE-2021-1965

High
CVE-2021-1931, CVE-2021-1940, CVE-2021-1953, CVE-2021-1943, CVE-2021-1964, CVE-2021-1907, CVE-2021-1955, CVE-2021-1945, CVE-2021-1970, CVE-2021-1954, CVE-2020-0368, CVE-2021-0514, CVE-2021-0515, CVE-2021-0603, CVE-2021-0640, CVE-2021-0645, CVE-2021-0646, CVE-2021-0519, CVE-2021-0591, CVE-2021-0593, CVE-2021-0584, CVE-2021-0641, CVE-2021-0642

Moderate
CVE-2021-0555, CVE-2020-1971, CVE-2021-0567, CVE-2021-0570, CVE-2021-0572, CVE-2021-0557, CVE-2021-0558, CVE-2021-0559, CVE-2021-0561

Already included in previous updates
CVE-2021-1938

Not applicable to Samsung devices
CVE-2020-11307, CVE-2021-0577, CVE-2021-0550


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 8 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR August-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-20831 (CVE-2021-25443): UAF in conn_gadget driver

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: February 26, 2021
Disclosure status: Privately disclosed.
A use after free vulnerability in conn_gadget driver prior to SMR AUG-2021 Release 1 allows malicious action by an attacker.
The patch adds proper check logic to prevent use after free.


SVE-2021-21948 (CVE-2021-25444): IV reuse in Keymaster TA

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0)
Reported on: May 25, 2021
Disclosure status: Privately disclosed.
An IV reuse vulnerability in keymaster prior to SMR AUG-2021 Release 1 allows decryption of a custom keyblob with a privileged process.
The patch prevents reusing IV by blocking addition of custom IV.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Kyungtae Kim: SVE-2021-20831
Alon Shakevsky, Avishai Wool and Eyal Ronen: SVE-2021-21948


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – July 2021 package. The Bulletin (July 2021) contains the following CVE items:

Critical
CVE-2020-26558(A-179039983), CVE-2020-11176, CVE-2020-11291

High
CVE-2020-26555(A-181682537, A-174626251), CVE-2020-11304, CVE-2020-11298, CVE-2020-11306, CVE-2021-1900, CVE-2021-0512, CVE-2021-0525, CVE-2021-0527, CVE-2021-0533, CVE-2021-0526, CVE-2021-0528, CVE-2021-0529, CVE-2021-0531, CVE-2021-0530, CVE-2021-0532, CVE-2020-11292, CVE-2020-11267, CVE-2020-14305, CVE-2021-1937, CVE-2020-26558(A-174886838), CVE-2021-0513, CVE-2021-0478, CVE-2021-0441, CVE-2021-0486, CVE-2021-0587, CVE-2021-0601, CVE-2020-0417, CVE-2021-0585, CVE-2021-0586, CVE-2021-0589, CVE-2021-0594, CVE-2021-0600, CVE-2021-0602, CVE-2021-0590, CVE-2021-0596, CVE-2021-0597, CVE-2021-0599, CVE-2021-0604

Moderate
None

Already included in previous updates
CVE-2021-1925

Not applicable to Samsung devices
CVE-2021-0588


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 8 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR July-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-20903 (CVE-2021-25426): Possible to access Message files

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: March 3, 2021
Disclosure status: Privately disclosed.
Improper component protection vulnerability in SmsViewerActivity of Samsung Message prior to SMR July-2021 Release 1 allows untrusted applications to access Message files.
The patch adds access control to prevent unauthorized access.


SVE-2021-19827: Multiple Bluetooth Core Specification Vulnerabilities

Severity: High
Affected versions: Selected O(8.1), Q(10.0) devices with Exynos 7570, 980 chipset
Reported on: October 22, 2020
Disclosure status: Publicly disclosed.
There are several vulnerabilities in the Bluetooth core protocol as listed below.
CVE-2020-26555
The Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack. When an attacker connects to a victim device using the address of the device and the victim initiates a Pairing, the attacker can reflect the encrypted nonce even without knowledge of the key.
CVE-2020-26558
The Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge.
The authentication property of the Bluetooth LE Legacy Pairing procedures is vulnerable to a reflection attack. A remote attacker without knowledge of the token key can complete the authentication protocol.
The patch fixes exception handling for the Bluetooth core protocol.


SVE-2021-21041 (CVE-2021-25429, CVE-2021-25430): Leak bluetooth information through broadcast in bluetooth app

Severity: Low
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: March 13, 2021
Disclosure status: Privately disclosed.
Improper privilege management and improper access control vulnerabilities in Bluetooth application prior to SMR July-2021 Release 1 allow untrusted applications to access the Bluetooth information in Bluetooth application.
The patch adds proper access control for the Bluetooth information in Bluetooth application.


SVE-2021-21231 (CVE-2021-25427): SQL Injection in Bluetooth

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: March 28, 2021
Disclosure status: Privately disclosed.
SQL injection vulnerability in Dialer Storage prior to SMR July-2021 Release 1 allows unauthorized access to paired Bluetooth information.
The patch adds proper input validation in Bluetooth.


SVE-2021-20754 (CVE-2021-25428): Allow dangerous level permission without user confirmation in limited circumstances

Severity: Moderate
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: February 20, 2021
Disclosure status: Privately disclosed.
Improper validation check vulnerability in PackageManager prior to SMR July-2021 Release 1 allows untrusted applications to get dangerous level permission without user confirmation in limited circumstances.
The patch adds proper validation check in PackageManager.


SVE-2021-21468: Information disclosure in ptrace module of kernel

Severity: Moderate
Affected versions: All O(8.1), P(9.0) devices and select Q(10.0), R(11.0) devices
Reported on: April 14, 2021
Disclosure status: Publicly disclosed.
Improper validation check vulnerability in ptrace kernel module prior to SMR July-2021 Release 1 allows information disclosure of kernel data.
The patch adds proper validation check in ptrace kernel module.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Sergey Toshin of Oversecured Inc: SVE-2021-20903
France’s national cybersecurity agency ANSSI: SVE-2021-19827
hard_______: SVE-2021-21041
Calum Hutton: SVE-2021-21231
Zhongquan Li @ ADLab: SVE-2021-20754


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – June 2021 package. The Bulletin (June 2021) contains the following CVE items:

Critical
CVE-2021-0507, CVE-2021-0516

High
CVE-2021-1891, CVE-2020-11284, CVE-2021-1905, CVE-2021-1915, CVE-2021-1927, CVE-2021-28663, CVE-2021-28664, CVE-2021-0495, CVE-2020-11279, CVE-2020-11273, CVE-2020-11274, CVE-2020-11285, CVE-2020-29661, CVE-2019-2219, CVE-2021-0511, CVE-2021-0521, CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, CVE-2021-0520, CVE-2021-0505, CVE-2021-0506, CVE-2021-0523, CVE-2021-0504, CVE-2021-0517, CVE-2021-0522, CVE-2021-0304

Moderate
CVE-2021-1906, CVE-2021-0381, CVE-2020-0025, CVE-2021-0385, CVE-2021-0389

Already included in previous updates
CVE-2021-0492, CVE-2021-0491, CVE-2021-0493, CVE-2021-0494, CVE-2021-0497, CVE-2021-0498, CVE-2021-0489, CVE-2021-0490, CVE-2021-0496

Not applicable to Samsung devices
CVE-2021-0324, CVE-2021-0467, CVE-2020-11288, CVE-2020-11289, CVE-2021-1910


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR June-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-20702 (CVE-2021-25410): Arbitrary file access vulnerability in CallBGProvider

Severity: High
Affected versions: R(11.0)
Reported on: February 15, 2021
Disclosure status: Privately disclosed.
Improper access control of a component in CallBGProvider prior to SMR JUN-2021 Release 1 allows local attackers to access arbitrary files with an escalated privilege.
The patch adds proper permission to prevent unauthorized access.


SVE-2021-20877 (CVE-2021-25413): Possible to access arbitrary content providers

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: March 2, 2021
Disclosure status: Privately disclosed.
Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.
The patch sanitizes incoming Intent before using it.


SVE-2021-20879 (CVE-2021-25414): Possible to steal or overwrite arbitrary files

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: March 2, 2021
Disclosure status: Privately disclosed.
Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege.
The patch sanitizes incoming Intent before using it.


SVE-2021-21161 (CVE-2021-25407): Out of bounds write in Samsung NPU driver

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices with Exynos9820, 9830, 980, 2100 chipsets
Reported on: March 20, 2021
Disclosure status: Privately disclosed.
A possible out of bounds write vulnerability in NPU driver prior to SMR JUN-2021 Release 1 allows arbitrary memory write.
The patch adds proper boundary check to prevent out of bounds write.


SVE-2021-20641 (CVE-2021-25417): Improper authorization in SDP SDK

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: February 9, 2021
Disclosure status: Privately disclosed.
Improper authorization in SDP SDK prior to SMR JUN-2021 Release 1 allows access to internal storage.
The patch removes the logic for granting internal storage privilege.


SVE-2021-20984 (CVE-2021-25412): Improper access control in genericssoservice service

Severity: High
Affected versions: Q(10.0)
Reported on: March 8, 2021
Disclosure status: Privately disclosed.
An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.
The patch adds the proper caller check to prevent improper access to genericssoservice.


SVE-2021-20948 (CVE-2021-25409): Configure Notification settings without authorization

Severity: Moderate
Affected versions: Q(10.0)
Reported on: March 8, 2021
Disclosure status: Privately disclosed.
Improper access in Notification setting prior to SMR JUN-2021 Release 1 allows physically proximate attackers to set arbitrary notification via physically configuring device.
The patch adds proper authorization to configure Notification setting in lockscreen.


SVE-2021-20178 (CVE-2021-25415): Possible remapping RKP memory as writable from EL1

Severity: High
Affected versions: Q(10.0), R(11.0) devices with Exynos9610, 9810, 9820, 9830
Reported on: January 4, 2021
Disclosure status: Privately disclosed.
Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to remap EL2 memory as writable.
The patch adds the proper address validation in RKP to prevent change of EL2 memory attribution from EL1.


SVE-2021-20179 (CVE-2021-25416): Possible creating executable kernel page via abusing dynamic load functions

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos9610, 9810, 9820, 9830
Reported on: January 5, 2021
Disclosure status: Privately disclosed.
Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to create executable kernel page outside code area.
The patch adds the proper address validation in RKP to prevent creating executable kernel page.


SVE-2021-20176 (CVE-2021-25411): Vulnerable api in RKP allows attackers to write read-only kernel memory

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos9610, 9810, 9820, 9830
Reported on: January 4, 2021
Disclosure status: Privately disclosed.
Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory.
The patch adds a proper address validation check to prevent unprivileged write to kernel memory.


SVE-2021-21074 (CVE-2021-25408): Buffer overflow in Samsung NPU driver

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices with Exynos9820, 9830, 980, 2100 chipsets
Reported on: March 16, 2021
Disclosure status: Privately disclosed.
A possible buffer overflow vulnerability in NPU driver prior to SMR JUN-2021 Release 1 allows arbitrary memory write and code execution.
The patch adds proper boundary check to prevent buffer overflow.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Sergey Toshin of Oversecured Inc: SVE-2021-20702, SVE-2021-20877, SVE-2021-20879
Ben Hawkes of Google Project Zero: SVE-2021-21161
Abdulla Aldoseri, David Oswald: SVE-2021-20641
hard_______: SVE-2021-20984
Tony: SVE-2021-20948
Alexandre Adamski of Longterm Security: SVE-2021-20178, SVE-2021-20179, SVE-2021-20176
Maxime Peterlin of Longterm Security: SVE-2021-21074

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – May 2021 package. The Bulletin (May 2021) contains the following CVE items:

Critical
CVE-2021-0473, CVE-2021-0474, CVE-2021-0475

High
CVE-2020-25705, CVE-2020-11246, CVE-2020-11234, CVE-2020-15436, CVE-2020-29368, CVE-2020-11251, CVE-2020-11236, CVE-2020-11247, CVE-2020-11237, CVE-2020-11191, CVE-2020-11255, CVE-2020-11243, CVE-2021-0445, CVE-2021-0472, CVE-2021-0485, CVE-2021-0487, CVE-2021-0482, CVE-2021-0484, CVE-2021-0476, CVE-2021-0477, CVE-2021-0481, CVE-2021-0466, CVE-2021-0480

Moderate
CVE-2021-0375, CVE-2021-0387, CVE-2021-0369, CVE-2021-0382, CVE-2021-0368, CVE-2021-0374, CVE-2021-0378, CVE-2021-0379, CVE-2021-0384, CVE-2021-0370, CVE-2021-0372, CVE-2021-0377, CVE-2021-0380, CVE-2021-0383, CVE-2021-0386, CVE-2021-0388, CVE-2021-0371

Already included in previous updates
CVE-2020-11242, CVE-2020-11245, CVE-2020-11210, CVE-2020-11252, CVE-2020-11292*

*Select devices have been patched since January of 2021


Not applicable to Samsung devices
CVE-2021-0468


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 23 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR May-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-20636 (CVE-2021-25388): Arbitrary app installation vulnerability in Knox Core

Severity: High
Affected versions: R(11.0)
Reported on: February 16, 2021
Disclosure status: Privately disclosed
Improper caller check vulnerability in Knox Core prior to SMR MAY-2021 Release 1 allows attackers to install arbitrary app.
The patch restricts privilege of app that calls Knox Core.


SVE-2021-20690 (CVE-2021-25392): Possible to access notification policy file of DeX

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: February 14, 2021
Disclosure status: Privately disclosed
Improper protection of backup path configuration in Samsung DeX prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.
The patch removes the vulnerable code.


SVE-2021-20731 (CVE-2021-25393): Possible to read/write access to arbitrary files as system user

Severity: High
Affected versions: Q(10.0), R(11.0)
Reported on: February 18, 2021
Disclosure status: Privately disclosed
Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.
The patch sanitizes incoming Intent before passing it to caller.


SVE-2021-20167 (CVE-2021-25394), SVE-2021-20168 (CVE-2021-25395): UAF in mfc charger driver

Severity: Moderate
Affected versions: Selected O(8.1), P(9.0), Q(10.0), R(11.0) Exynos and Qualcomm devices
Reported on: December 31, 2020
Disclosure status: Privately disclosed
A use after free vulnerability via race condition in MFC charger driver prior to SMR MAY-2021 Release 1 allows arbitrary write given a radio privilege is compromised.
The patch adds proper synchronization points to avoid all possibility of a race condition.


SVE-2021-20511 (CVE-2021-25396): Arbitrary memory write in the Neural Processing Unit Firmware

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with Exynos9820, 9830, 980, 2100 chipsets
Reported on: January 31, 2021
Disclosure status: Privately disclosed
An improper input validation vulnerability in NPU firmware prior to SMR MAY-2021 Release 1 allows arbitrary memory write and code execution.
The patch fixes incorrect implementation of NPU firmware.


SVE-2021-20716 (CVE-2021-25397): Arbitrary file write in TelephonyUI

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices
Reported on: February 16, 2021
Disclosure status: Privately disclosed
An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.
The patch adds the proper permission check to prevent improper access to TelephonyUI.


SVE-2021-20204 (CVE-2021-25389): Authentication bypass in S Secure

Severity: Low
Affected versions: P(9.0)
Reported on: January 6, 2021
Disclosure status: Privately disclosed
Improper running task check in S Secure prior to SMR MAY-2021 Release 1 allows attackers to use locked app without authentication.
The patch modifies the logic that checks the running process.


SVE-2021-20724 (CVE-2021-25390): Intent redirection in PhotoTable

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: February 17, 2021
Disclosure status: Privately disclosed
Intent redirection vulnerability in PhotoTable prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.
The patch restricts apps that can call PhotoTable.


SVE-2021-20500 (CVE-2021-25391): Intent redirection in Secure Folder

Severity: Moderate
Affected versions: R(11.0)
Reported on: January 29, 2021
Disclosure status: Privately disclosed
Intent redirection vulnerability in Secure Folder prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.
The patch restricts apps that can call SecureFolder.


SVE-2021-20154 (CVE-2021-25383): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: January 3, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in scmn_mfal_read() in libsapeextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
The patch adds proper input check to prevent buffer overflow.


SVE-2021-20183 (CVE-2021-25384): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: January 5, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in sdfffd_parse_chunk_PROP() with Sample Rate Chunk in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
The patch adds proper input check to prevent buffer overflow.


SVE-2021-20184 (CVE-2021-25385): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: January 5, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in sdfffd_parse_chunk_PROP() in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
The patch adds proper input check to prevent buffer overflow.


SVE-2021-20185 (CVE-2021-25386): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: January 5, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in sdfffd_parse_chunk_FVER() in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
The patch adds proper input check to prevent buffer overflow.


SVE-2021-20202 (CVE-2021-25387): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0), R(11.0)
Reported on: January 6, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in sflacfd_get_frm() in libsflacextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
The patch adds proper input check to prevent buffer overflow.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.



Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Sergey Toshin of Oversecured Inc: SVE-2021-20636, SVE-2021-20690, SVE-2021-20731, SVE-2021-20716, SVE-2021-20724, SVE-2021-20500
Maxime Peterlin of Longterm Security: SVE-2021-20511
Harsh Tyagi: SVE-2021-20204
Le Wu of Baidu Security: SVE-2021-20154, SVE-2021-20183, SVE-2021-20184, SVE-2021-20185, SVE-2021-20202

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – April 2021 package. The Bulletin (April 2021) contains the following CVE items:

Critical
CVE-2020-11204, CVE-2020-11228, CVE-2020-11218, CVE-2020-11192, CVE-2020-11227, CVE-2021-0430

High
CVE-2020-11178, CVE-2020-11165, CVE-2020-11195, CVE-2020-11198, CVE-2020-11194, CVE-2020-11220, CVE-2020-11199, CVE-2020-11221, CVE-2020-11308, CVE-2020-11290, CVE-2020-11309, CVE-2020-11186, CVE-2020-11226, CVE-2020-11171, CVE-2020-11222, CVE-2020-11188, CVE-2020-11190, CVE-2020-11189, CVE-2020-11166, CVE-2021-0399, CVE-2021-0400, CVE-2021-0426, CVE-2021-0427, CVE-2021-0432, CVE-2021-0438, CVE-2021-0439, CVE-2021-0442, CVE-2021-0443, CVE-2021-0444, CVE-2021-0338, CVE-2021-0437, CVE-2021-0436, CVE-2021-0471, CVE-2021-0429, CVE-2021-0433, CVE-2021-0431, CVE-2021-0435

Moderate
None

Already included in previous updates
CVE-2020-11223

Not applicable to Samsung devices
CVE-2020-11299, CVE-2021-0446


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 21 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR April-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-19881 (CVE-2021-25358): Improper store path for IMSI value

Severity: Moderate
Affected versions: P(9.0), Q(10.0)
Reported on: December 9, 2020
Disclosure status: Privately disclosed.
A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.
The patch modifies the store path for IMSI values to proper path to prevent unauthorized access.


SVE-2021-20333 (CVE-2021-25362): Improper permission management in CertInstaller

Severity: Moderate
Affected versions: O(8.1), P(9.x), Q(10.0)
Reported on: January 16, 2021
Disclosure status: Privately disclosed.
Improper permission management in CertInstaller prior to SMR APR-2021 Release 1 allows untrusted applications to delete certain local files.
The patch removes the misused permission in CertInstaller to prevent untrusted access to local files.


SVE-2021-19820 (CVE-2021-25359): AP information leakage vulnerability

Severity: Low
Affected versions: Q(10.0), R(11.0)
Reported on: December 3, 2020
Disclosure status: Privately disclosed.
An improper SELinux policy prior to SMR APR-2021 Release 1 allows local attackers to access AP information without proper permissions via untrusted applications.
The patch removes the improper SELinux policy item.


SVE-2021-20274 (CVE-2021-25360): Arbitrary code execution on mediaextractor process

Severity: Moderate
Affected versions: Q(10.0)
Reported on: January 11, 2021
Disclosure status: Privately disclosed.
An improper input validation vulnerability in the libswmfextractor library prior to SMR APR-2021 Release 1 allows attackers to execute arbitrary code in the mediaextractor process.
The patch adds a proper input check to prevent buffer overflow.


SVE-2021-19180 (CVE-2021-25361): Arbitrary file read/write vulnerability via unprotected StickerCenter content provider

Severity: High
Affected versions: P(9.0), Q(10.0)
Reported on: October 8, 2020
Disclosure status: Privately disclosed.
An improper access control vulnerability in StickerCenter prior to SMR APR-2021 Release 1 allows local attackers to read or write arbitrary files of system process via untrusted applications.
The patch adds the proper caller check to prevent improper access to StickerCenter.


SVE-2021-19620 (CVE-2021-25357): PendingIntent hijacking vulnerability in Create Movie

Severity: Moderate
Affected versions: O(8.1), P(9.0)
Reported on: November 10, 2020
Disclosure status: Privately disclosed.
A PendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.
The patch changes the implicit intent to an explicit intent in the PendingIntent of Create Movie to prevent unprivileged access to contact information.


SVE-2021-20190 (CVE-2021-25363): Process information exposure vulnerability in ActivityManagerService

Severity: Moderate
Affected versions: Selected O(8.1), P(9.0), Q(10.0), R(11.0) devices
Reported on: January 5, 2021
Disclosure status: Privately disclosed.
An improper access control in ActivityManagerService prior to SMR APR-2021 Release 1 allows untrusted applications to access running processes and delete some local files.
The patch removes the misused permission in CertInstaller to prevent untrusted access to local files.


SVE-2021-19667 (CVE-2021-25364): PendingIntent hijacking vulnerability in Secure Folder

Severity: Moderate
Affected versions: R(11.0)
Reported on: November 16, 2020
Disclosure status: Privately disclosed.
A PendingIntent hijacking vulnerability in Secure Folder prior to SMR APR-2021 Release 1 allows unprivileged applications to access contact information.
The patch changes the implicit intent to an explicit intent in Secure Folder to prevent unprivileged access to contact information.


SVE-2021-20733 (CVE-2021-25356): 3rd party authentication bypass in Managed Provisioning

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: February 15, 2021
Disclosure status: Privately disclosed.
An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows an unprivileged application to install arbitrary applications, grant device admin permission and then delete several installed applications.
The patch prevents creating a Knox container without privilege to mitigate the vulnerability.


SVE-2021-20454 (CVE-2021-25365): Arbitrary memory address unmap vulnerability in softsimd

Severity: High
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: January 26, 2021
Disclosure status: Privately disclosed.
An improper exception control in softsimd prior to SMR APR-2021 Release 1 allows unprivileged applications to access the API in softsimd.
The patch adds proper exception check logic code in softsimd to prevent unprivileged access.


SVE-2021-20775 (CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147, CVE-2020-11264, CVE-2020-11301): Wi-Fi Fragment & Forge vulnerabilities

Severity: High to Critical
Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0)
Reported on: January 26, 2021
Disclosure status: Privately disclosed.
Multiple vulnerabilities in the Wi-Fi standards related to fragmentation and aggregation, as implemented by Wi-Fi chipset providers, allow a proximate attacker to inject arbitrary packets, forge encrypted frames and exfiltrate data in a protected Wi-Fi network.
Respective patches are provided by the Wi-Fi chipset providers to address the vulnerabilities.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Zhang Qing, Bytedance and Bai Guangdong, The University of Queensland: SVE-2021-19881, SVE-2021-19820
Anonymous: SVE-2021-19180
Le Wu of Baidu Security: SVE-2021-20274
Sergey Toshin of Oversecured Inc: SVE-2021-20733
hard_______: SVE-2021-19620, SVE-2021-19667
heeeeen of ZIWU Security Lab: SVE-2021-20333
Zhang Qing from Bytedance WuHeng team: SVE-2021-20190
Zhongquan Li @ CytQ: SVE-2021-20454


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – March 2021 package. The Bulletin (March 2021) contains the following CVE items:

Critical
CVE-2020-11170, CVE-2020-11163, CVE-2020-11272, CVE-2021-0397

High
CVE-2020-11271, CVE-2020-11282, CVE-2017-18509, CVE-2020-11286, CVE-2020-11177, CVE-2020-11187, CVE-2020-11253, CVE-2020-11281, CVE-2020-11296, CVE-2020-11269, CVE-2020-11275, CVE-2020-11280, CVE-2020-11287, CVE-2020-11276, CVE-2020-11270, CVE-2020-11297, CVE-2020-11278, CVE-2021-0395, CVE-2021-0391, CVE-2021-0398, CVE-2017-14491, CVE-2021-0393, CVE-2021-0396, CVE-2021-0390, CVE-2021-0392, CVE-2021-0394

Moderate
None

Already included in previous updates
CVE-2020-11180, CVE-2020-11277

Not applicable to Samsung devices
CVE-2020-11283


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 19 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR March-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-19153 (CVE-2021-25335): Hidden notification contents leak over the lockscreen

Severity: Low
Affected versions: Q(10.0) devices with ONEUI 2.5
Reported on: October 6, 2020
Disclosure status: Privately disclosed.
An improper lockscreen status check in cocktailbar service prior to SMR MAR-2021 Release 1 allows unauthenticated users to see hidden notification contents over the lockscreen in specific conditions.
The patch adds the proper lockscreen status check to prevent hidden notification contents leak.


SVE-2021-19527 (CVE-2021-25337): Arbitrary file read/write vulnerability via unprotected clipboard content provider

Severity: Moderate
Affected versions: P(9.0), Q(10.0), R(11.0) devices except ONEUI 3.1 in R(11.0)
Reported on: November 3, 2020
Disclosure status: Privately disclosed.
An improper access control in clipboard service prior to SMR MAR-2021 Release 1 allows untrusted applications to read or write arbitrary files in the device.
The patch adds the proper caller check to prevent improper access to clipboard service.


SVE-2021-19553 (CVE-2021-25336): Improper access control in NotificationManagerService

Severity: High
Affected versions: P(9.0), Q(10.0)
Reported on: November 6, 2020
Disclosure status: Privately disclosed.
An improper access control in NotificationManagerService prior to SMR MAR-2021 Release 1 allows untrusted applications to acquire notification access.
The patch adds a higher permission to prevent untrusted access to notification contents.


SVE-2021-19731 (CVE-2021-25339): EL2 memory can be corrupted with HArx HVC call

Severity: High
Affected versions: Q(10.0), R(11.0) devices with Exynos 9830 chipset
Reported on: November 24, 2020
Disclosure status: Privately disclosed.
An improper address validation in HArx prior to SMR MAR-2021 Release 1 allows EL2 memory corruption using a compromised kernel.
The patch adds the proper address validation in HArx to prevent EL2 memory corruption.


SVE-2021-19759 (CVE-2021-25338): RKP region list is writable by EL1

Severity: High
Affected versions: Q(10.0), R(11.0) devices with Exynos 9830 chipset
Reported on: November 25, 2020
Disclosure status: Privately disclosed.
An improper memory access control in RKP prior to SMR MAR-2021 Release 1 allows attackers to write to some part of the RKP EL2 memory region using a compromised kernel.
The patch adds the proper memory access control in RKP to make the EL2 memory region inaccessible.


SVE-2021-19945 (CVE-2021-25344): Serial number leak

Severity: High
Affected versions: Q(10.0), R(11.0)
Reported on: December 15, 2020
Disclosure status: Privately disclosed.
A missing permission check in the knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to get the device’s serial number without permission.
The patch adds a proper permission check on the API to get the serial number.


SVE-2021-20009 (CVE-2021-25345): Kernel panic by graphic format mismatch

Severity: Low
Affected versions: Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: December 21, 2020
Disclosure status: Privately disclosed.
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
The patch addressed the issue.


SVE-2021-19897 (CVE-2021-25369): Potential kernel information exposure from sec_log

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0)
Reported on: December 10, 2020
Disclosure status: Privately disclosed.
An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
The patch removes the vulnerable file.


SVE-2021-19925 (CVE-2021-25370): Memory corruption in dpu driver

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0), R(11.0) devices with selected Exynos chipsets
Reported on: December 12, 2020
Disclosure status: Privately disclosed.
An incorrect implementation of file descriptor handling in the dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.
The patch fixes the incorrect implementation in the dpu driver to address the memory corruption.


SVE-2021-20029 (CVE-2021-25371): Possible to load arbitrary ELF library inside DSP

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with exynos980, exynos2100, exynos9830
Reported on: December 22, 2020
Disclosure status: Privately disclosed.
A vulnerability in the DSP driver prior to SMR Mar-2021 Release 1 allows attackers to load arbitrary ELF libraries inside DSP.
The patch deletes the improper commands in DSP driver.


SVE-2021-20030 (CVE-2021-25372): Out of bounds access vulnerability in DSP driver

Severity: Moderate
Affected versions: Q(10.0), R(11.0) devices with exynos980, exynos2100, exynos9830
Reported on: December 22, 2020
Disclosure status: Privately disclosed.
An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.
The patch adds proper boundary check code to prevent out of bounds access.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

GSerg: SVE-2021-19153
Shaechi Security Lab: SVE-2021-19527
Aleksandr Tarasikov: SVE-2021-19731, SVE-2021-19759
Xia Guangshuai & Zhang Qing of ByteDance, Bai Guangdong of The University of Queensland: SVE-2021-19945
Ben Toson: SVE-2021-20009


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – February 2021 package. The Bulletin (February 2021) contains the following CVE items:

Critical
CVE-2021-0325(O8.1, P9), CVE-2021-0326, CVE-2020-11182, CVE-2020-11134

High
CVE-2021-0325(Q10, R11), CVE-2020-10732, CVE-2020-11126, CVE-2020-11159, CVE-2020-11233, CVE-2020-11235, CVE-2020-11238, CVE-2020-11239, CVE-2020-11240, CVE-2020-11241, CVE-2020-11250, CVE-2020-11261, CVE-2020-11262, CVE-2021-0301, CVE-2021-0302, CVE-2021-0305, CVE-2021-0314, CVE-2021-0327, CVE-2021-0328, CVE-2021-0329, CVE-2021-0330, CVE-2021-0331, CVE-2021-0332, CVE-2021-0333, CVE-2021-0334, CVE-2021-0335, CVE-2021-0336, CVE-2021-0337, CVE-2021-0338, CVE-2021-0339, CVE-2021-0340, CVE-2021-0341

Moderate
None

Already included in previous updates
CVE-2020-11181, CVE-2020-11260

Not applicable to Samsung devices
CVE-2020-10767, CVE-2020-10766


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 11 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR February-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2021-18243 (CVE-2021-25340): Arbitrary Settings change using Samsung keyboard

Severity: Moderate
Affected Versions: Q(10.0)
Reported on: July 06, 2020
Disclosure status: Privately disclosed.
Improper access control vulnerability in Samsung keyboard version prior to SMR Feb-2021 Release 1 allows arbitrary change in Settings during Initialization State.
The patch adds proper access control for additional functions of Samsung keyboard.


SVE-2021-19221 (CVE-2021-25334): Local permanent DoS vulnerability in wallpaper service

Severity: High
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: October 12, 2020
Disclosure status: Privately disclosed.
An improper input check in the wallpaper service prior to SMR Feb-2021 Release 1 results in permanent denial of service, preventing use of the device.
The patch adds the proper input validation to prevent local permanent denial of service.


SVE-2021-19482: Address leakage vulnerability in libhwui library

Severity: Low
Affected versions: Q(10.0), R(11.0)
Reported on: October 31, 2020
Disclosure status: Privately disclosed.
Unnecessary logs in the libhwui library version prior to SMR Feb-2021 Release 1 allow leakage of object addresses.
The patch fixes incorrect implementation of address logging.


SVE-2021-19507 (CVE-2021-25330): Possible access to non-existent provider

Severity: Moderate
Affected versions: Select Q(10.0) devices
Reported on: November 3, 2020
Disclosure status: Privately disclosed.
Calling a non-existent provider in the MobileWips application prior to SMR Feb-2021 Release 1 allows unauthorized actions, including denial of service attacks, by hijacking the provider.
The patch blocks access to MobileWips content provider in case MobileWips is not supported.


SVE-2021-19528 (CVE-2021-25347): Hijacking vulnerability in Samsung Email

Severity: Low
Affected versions: P(9.0), Q(10.0), R(11.0)
Reported on: November 03, 2020
Disclosure status: Privately disclosed.
Hijacking vulnerability in Samsung Email application version prior to SMR Feb-2021 Release 1 allows attackers to intercept when the provider is executed.
The patch adds the proper signature check for Samsung Email.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

SeungHyun Cho (@netkingj): SVE-2021-18243
Yunxuan Qu and Zhenjiang Zhao @ Panguite Forensics Lab of Qianxin: SVE-2021-19482
Zhongquan Li @ Xiaomi AIoT Security Lab: SVE-2021-19221, SVE-2021-19507, SVE-2021-19528


Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.


Google patches include patches up to Android Security Bulletin – January 2021 package. The Bulletin (January 2021) contains the following CVE items:

Critical
CVE-2020-0457

High
CVE-2020-0466, CVE-2020-0465, CVE-2020-0444, CVE-2020-0455, CVE-2020-0456, CVE-2020-11138, CVE-2020-11139, CVE-2020-3685, CVE-2020-11143, CVE-2020-11136, CVE-2020-11137, CVE-2020-3691, CVE-2020-3686, CVE-2020-11140, CVE-2020-11179, CVE-2020-11146, CVE-2020-11145, CVE-2020-11144, CVE-2020-11200, CVE-2020-11214, CVE-2020-11215, CVE-2020-11212, CVE-2020-11213, CVE-2020-11119, CVE-2020-11225, CVE-2021-0313, CVE-2021-0303, CVE-2021-0306, CVE-2021-0307, CVE-2021-0310, CVE-2021-0315, CVE-2021-0317, CVE-2021-0318, CVE-2021-0319, CVE-2021-0304, CVE-2021-0309, CVE-2021-0321, CVE-2021-0322, CVE-2019-9376, CVE-2020-15999, CVE-2016-6328, CVE-2021-0311, CVE-2021-0312, CVE-2021-0316, CVE-2020-0471, CVE-2021-0308, CVE-2021-0320

Moderate
None

Already included in previous updates
CVE-2020-11167, CVE-2020-11185

Not applicable to Samsung devices
CVE-2020-11217, CVE-2020-11197, CVE-2020-0016, CVE-2020-0019, CVE-2020-11216


※ Please see Android Security Bulletin for detailed information on Google patches.


Along with Google patches, Samsung Mobile provides 9 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers' confidence in the security of Samsung Mobile devices. Samsung security index (SSI) SMR January-2021 Release 1, found in “Security software version”, includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.


SVE-2020-18731: Buffer overflow in bluetooth UART driver

Severity: Moderate
Affected versions: Selected O(8.x), P(9.0), Q(10.0) devices using Broadcom bluetooth chipsets
Reported on: August 19, 2020
Disclosure status: Privately disclosed.
A possible buffer overflow exists in selected Broadcom Bluetooth UART drivers.
The patch adds proper validation of the buffer length.


SVE-2020-18811 (CVE-2021-25346): Memory corruption in quram library with decoding dng

Severity: High
Affected versions: O(8.x), P(9.0), Q(10.0) devices
Reported on: September 6, 2020
Disclosure status: Privately disclosed.
Possible arbitrary memory overwrite vulnerabilities in the quram library allow arbitrary code execution.
The patches add the proper validation of the buffer length.


SVE-2020-19174: Out of bounds access vulnerability in mali GPU driver

Severity: Moderate
Affected versions: O(8.x), P(9.0), Q(10.0), R(11.0) devices with Exynos chipsets
Reported on: October 7, 2020
Disclosure status: Privately disclosed.
An improper boundary check in mali GPU driver allows out of bounds memory access resulting in device reset.
The patch adds proper boundary check code to prevent out of bounds access.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.


Acknowledgements
We truly appreciate the following researchers for helping Samsung to improve the security of our products.

Jiska Classen: SVE-2020-18731
Anonymous: SVE-2020-18811
9462ACEE94608EA1643688D026AA95DD: SVE-2020-19174