The Android boot sequence begins with the Boot ROM, which loads the bootloader. The bootloader then loads the kernel, which manages system resources and launches the init process.

Recently, security researchers at Quarkslab uncovered several vulnerabilities affecting the boot chain of numerous Samsung devices.

The researchers identified critical security weaknesses in Samsung Galaxy devices (in particular the model “A225F”), where they found multiple vulnerabilities in the device’s boot chain.

Boot Chain Of Samsung Devices

The primary vulnerabilities are tracked as “CVE-2024-20832” and “CVE-2024-20865,” and affect two critical components:

  • The Little Kernel (third bootloader responsible for starting Android).
  • The Secure Monitor (highest-privilege software).

The first vulnerability is a heap overflow in Little Kernel’s custom JPEG parser, which does not verify the image size before loading image data into fixed-size heap structures.
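The bug class described above, a decoder that trusts the dimensions declared in an image header and writes into a fixed-size buffer, is illustrated below with an added example. This is constructed illustration code, not Little Kernel’s parser or Quarkslab’s proof of concept: the `framebuf_t` structure, the `MAX_WIDTH`/`MAX_HEIGHT` limits and the helper names are assumptions made for the example. It parses only the JPEG SOF0 segment (enough to learn the declared width and height), shows the unchecked pattern next to a hardened loader that validates the declared size against the buffer capacity before any write, and exercises the hardened loader on a normal, an oversized and a truncated header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size heap structure that a boot-stage image
 * loader decodes a splash JPEG into. The limits are assumptions for this
 * example, not values taken from Little Kernel or any Samsung device. */
#define MAX_WIDTH       1080u
#define MAX_HEIGHT      2400u
#define BYTES_PER_PIXEL 3u

typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t  pixels[MAX_WIDTH * MAX_HEIGHT * BYTES_PER_PIXEL]; /* fixed size */
} framebuf_t;

/* Locate the SOF0 (0xFFC0) segment and read the declared frame dimensions.
 * Returns 0 on success, -1 if the bytes are not a baseline JPEG prefix we can
 * parse. Every index is checked against len before it is dereferenced. */
int jpeg_read_sof0(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h)
{
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)   /* SOI marker */
        return -1;
    size_t i = 2;
    while (i + 4 <= len) {
        if (buf[i] != 0xFF) return -1;
        uint8_t marker = buf[i + 1];
        if (marker == 0xFF) { i += 1; continue; }                  /* fill byte */
        if (marker == 0xD8 || (marker >= 0xD0 && marker <= 0xD7)) { i += 2; continue; } /* no payload */
        size_t seglen = ((size_t)buf[i + 2] << 8) | buf[i + 3];    /* includes its own 2 bytes */
        if (seglen < 2 || seglen > len - (i + 2)) return -1;        /* segment must fit in buffer */
        if (marker == 0xC0) {
            if (seglen < 8) return -1;  /* precision(1) height(2) width(2) ncomp(1) */
            *h = ((uint32_t)buf[i + 5] << 8) | buf[i + 6];
            *w = ((uint32_t)buf[i + 7] << 8) | buf[i + 8];
            return 0;
        }
        i += 2 + seglen;
    }
    return -1;
}

/* The bug pattern the article describes: trust the header's dimensions and
 * write width*height*3 bytes into the fixed buffer. A header that declares a
 * larger image than the buffer holds makes the write run past its end.
 * Shown for contrast only; run_checks() never calls it. */
int load_splash_unchecked(framebuf_t *fb, const uint8_t *jpeg, size_t len)
{
    uint32_t w, h;
    if (jpeg_read_sof0(jpeg, len, &w, &h) != 0) return -1;
    fb->width = w;
    fb->height = h;
    memset(fb->pixels, 0, (size_t)w * h * BYTES_PER_PIXEL);   /* no bounds check */
    return 0;
}

/* Hardened loader: validate the declared size against the buffer capacity
 * before any decode write. Returns 0 ok, -1 malformed, -2 too large. */
int load_splash_checked(framebuf_t *fb, const uint8_t *jpeg, size_t len)
{
    uint32_t w, h;
    if (jpeg_read_sof0(jpeg, len, &w, &h) != 0) return -1;
    if (w == 0 || h == 0) return -1;
    if (w > MAX_WIDTH || h > MAX_HEIGHT) return -2;
    size_t needed = (size_t)w * h * BYTES_PER_PIXEL;   /* bounded above, cannot wrap */
    if (needed > sizeof fb->pixels) return -2;
    fb->width = w;
    fb->height = h;
    memset(fb->pixels, 0, needed);   /* stand-in for the real decoder's writes */
    return 0;
}

/* Build a minimal JPEG prefix (SOI + SOF0 with one component) declaring the
 * given dimensions. Constructed test input, not a real image. Returns the
 * number of bytes written (always 15). */
size_t make_sof0_header(uint8_t out[15], uint32_t w, uint32_t h)
{
    const uint8_t hdr[15] = {
        0xFF, 0xD8,                     /* SOI */
        0xFF, 0xC0, 0x00, 0x0B,         /* SOF0, segment length 11 */
        0x08,                           /* 8-bit sample precision */
        (uint8_t)(h >> 8), (uint8_t)h,  /* height */
        (uint8_t)(w >> 8), (uint8_t)w,  /* width */
        0x01, 0x01, 0x11, 0x00          /* one component: id 1, 1x1 sampling, table 0 */
    };
    memcpy(out, hdr, sizeof hdr);
    return sizeof hdr;
}

/* Exercise the checked loader on a normal, an oversized and a truncated
 * header. Returns 0 when every case behaves as intended. */
int run_checks(void)
{
    static framebuf_t fb;   /* static: the struct is several MB, keep it off the stack */
    uint8_t hdr[15];
    size_t n = make_sof0_header(hdr, 720, 1280);
    if (load_splash_checked(&fb, hdr, n) != 0 || fb.width != 720 || fb.height != 1280) return 1;
    n = make_sof0_header(hdr, 4096, 4096);                 /* exceeds MAX_WIDTH/MAX_HEIGHT */
    if (load_splash_checked(&fb, hdr, n) != -2) return 2;
    if (load_splash_checked(&fb, hdr, 6) != -1) return 3;  /* SOF0 segment cut short */
    return 0;
}

int main(void)
{
    printf("checks: %s\n", run_checks() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The point of the hardened loader is that the capacity check happens on the declared dimensions, before the multiplication that computes the decoded size, so the size arithmetic itself cannot wrap around; the second comparison against `sizeof fb->pixels` is redundant by construction and is kept so the check survives if the limits are later changed independently of the structure.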

The second vulnerability bypasses the authentication of Odin (Samsung’s recovery and flashing tool) by manipulating the “GUID Partition Table (GPT)” and the “Partition Information Table (PIT).”

When these vulnerabilities are “chained together,” an attacker with “USB access” can run malicious code to:

  • Attain enduring root-level Android access (surviving reboots and factory resets).
  • Modify the up_param partition containing crucial JPEG files.
  • Bypass boot image verification.
  • Retrieve sensitive data from the Secure World’s memory (including “Android Keystore encryption keys”).

The attack was showcased at “Black Hat USA 2024” and affects several devices in the Galaxy A series; the researchers released “proof-of-concept” code on “GitHub.”

It illustrates how exploiting these “combined vulnerabilities” undermines the device’s entire security chain, from the “bootloader” to the “operating system” level.

Researchers detected vulnerabilities in the ARM Trusted Firmware (also known as “Secure Monitor”), which is the highest-privileged element on Android devices.

Here, two critical vulnerabilities were found and are cataloged as “CVE-2024-20820,” an out-of-bounds read in an SMC handler, and “CVE-2024-20021,” which allows mapping of arbitrary physical memory.

By chaining these vulnerabilities, attackers could circumvent “Android’s security model,” for instance by gaining root permissions and accessing protected components such as the “Android Keystore.”

The exploit chain, presented on a “Samsung Galaxy A225F” with a “MediaTek SoC,” combined four bugs that enabled code execution in Little Kernel via USB.

This permitted threat actors to obtain “root access on Android with persistence,” and disclose data from the “Secure World’s memory.”

This breach authorized entry to sensitive details like “Keystore keys,” typically inaccessible even with root privileges.

The researchers presented their findings at Black Hat USA 2024, highlighting the significant “security implications” for the numerous Samsung devices that use “MediaTek SoCs.”

The post Multiple Flaws Impacting Boot Chain Of Samsung Devices appeared first on Cyber Security News.