Samsung Exynos Driver Zero-Day Vulnerability Uncovered

Samsung has released a security update to address the vulnerability identified as CVE-2024-44068, which impacted devices running on Exynos processors. The vulnerability was found in the M2M1SHOT_SCALER0 driver, which is responsible for processing images and videos, including tasks like scaling and decoding JPEG files.

The CVE-2024-44068 vulnerability, with a CVSS rating of 8.1, was discovered by specialists from Google’s Project Zero and was linked to improper memory handling. The flaw allowed malicious actors to exploit the driver’s incorrect memory release process, potentially gaining access to freed memory areas to execute harmful code. Devices powered by Exynos 9820, 9825, 980, 990, 850, and W920 processors that had not been updated to the SMR-Oct-2024 version were affected by this issue.

Exploiting the vulnerability involved a use-after-free (UAF) technique, in which memory that has already been released is still accessed. Attackers could manipulate the driver through ioctl calls to carry out a Kernel Space Mirroring Attack (KSMA), enabling them to modify kernel pages and perform unauthorized actions with system privileges. For instance, on the Samsung S10 (G973FXSSGHWC2) smartphone, the attack allowed for the manipulation of system processes and the concealment of malicious activities.

Attackers leveraged the mmap and mincore system calls to track memory associations with I/O pages, freeing memory at a strategic point so that the driver kept using pages that were no longer valid. Samsung addressed the vulnerability by changing how the driver tracks references to PFNMAP pages, so that freed memory can no longer be reused. Experts have advised conducting source code audits and testing all ioctl calls as crucial steps to avoid similar issues in the future.

The SMR-Oct-2024 security update is now available for all impacted devices. Users are strongly encouraged to install the update promptly to safeguard against potential exploitation of the vulnerability.
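For fleet or incident triage, the practical question is whether a given device is one of the listed Exynos models and whether it has reached the SMR-Oct-2024 patch level. The following script is an added example, not code from Samsung or from the article. It assumes `adb` is available and the device is authorised for debugging, that `ro.board.platform` reports the SoC in the form `exynos9820` (the `exynosw920` spelling for the W920 is an assumption), and that the fixing SMR corresponds to the `ro.build.version.security_patch` value `2024-10-01`; the helper functions take the platform and patch-level strings as arguments so they can be checked offline.

```shell
#!/bin/sh
# Added example (not from the article or Samsung): triage whether an Android
# device is still missing the SMR-Oct-2024 fix for CVE-2024-44068.
# Assumptions: adb is on PATH and the device is authorised; ro.board.platform
# exposes the SoC as e.g. "exynos9820"; SMR-Oct-2024 maps to patch level
# 2024-10-01. All of these are assumptions, not facts from the article.

# Patch level assumed to carry the SMR-Oct-2024 fix (YYYYMMDD for numeric compare).
FIX_PATCH_NUM=20241001

# Affected SoCs named in the article, in the assumed ro.board.platform spelling.
AFFECTED_PLATFORMS="exynos9820 exynos9825 exynos980 exynos990 exynos850 exynosw920"

# is_affected_platform PLATFORM -> 0 if PLATFORM is in the affected list
is_affected_platform() {
    for p in $AFFECTED_PLATFORMS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# patch_is_fixed PATCH_DATE -> 0 if the patch level (YYYY-MM-DD) is at or after
# the fixing SMR, 1 if older, 2 if it cannot be parsed (never silently "fixed").
patch_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    n=$(printf '%s' "$1" | tr -d -)   # 2024-10-01 -> 20241001
    [ "$n" -ge "$FIX_PATCH_NUM" ]
}

# assess PLATFORM PATCH_DATE -> prints one word and returns a status:
#   not-affected (0)  SoC is not in the affected list
#   patched      (0)  affected SoC, patch level >= SMR-Oct-2024
#   vulnerable   (1)  affected SoC, patch level older than SMR-Oct-2024
#   unknown      (2)  patch level could not be parsed
assess() {
    if ! is_affected_platform "$1"; then
        echo "not-affected"; return 0
    fi
    rc=0
    patch_is_fixed "$2" || rc=$?   # "||" keeps a non-zero result from tripping set -e
    case $rc in
        0) echo "patched"; return 0 ;;
        1) echo "vulnerable"; return 1 ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# Live check against a connected device: run as "sh check.sh live".
if [ "$1" = "live" ]; then
    platform=$(adb shell getprop ro.board.platform | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "platform=$platform security_patch=$patch"
    assess "$platform" "$patch"
fi
```

Unparseable patch levels are reported as `unknown` rather than `patched`, so a device that strips or mangles the property is escalated for a manual look instead of being counted as safe.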
