On 21 September 2024, Google researchers discovered a critical security flaw in the Monkey's Audio (APE) decoder used in Samsung's flagship Galaxy S23 and S24 devices.

The issue was fixed three months later, after Google's Project Zero team reported the vulnerability under its 90-day disclosure deadline.

The latest update addresses critical vulnerabilities in the Android operating system, incorporating security fixes from both Google and Samsung.

Notably, it resolves CVE-2024-49415, which affected Android versions 12, 13 and 14 and allowed remote attackers to execute arbitrary code.

The flaw, an out-of-bounds write in the libsaped.so library, could let attackers crash the system process or potentially exploit the issue further, with serious consequences.

Details of the Vulnerability

The problem lies in the saped_rec function of the libsaped.so library. This function writes decoded data into a DMA buffer allocated by the C2 media service.

“Although the buffer has a fixed size of 0x120000, the function can exceed the maximum allowable size by up to three times under specific circumstances. Particularly, when handling APE files with a substantial blocksperframe value and 24-bit input samples, the buffer experiences significant overflow, resulting in memory corruption,” explained Google researchers.
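The size check that the quoted explanation implies, as an added C example that is not part of the article or of Samsung's libsaped (the real structures and the saped_rec signature are not public, so the frame header, the saped_rec_checked writer and the worst-case input are assumptions). It computes the decoded output size of a frame from blocksperframe, channel count and sample width and refuses to write into the fixed 0x120000 DMA buffer when the frame would not fit; a constructed 24-bit mono frame with blocksperframe equal to the buffer size needs three times the buffer, the factor the researchers describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed DMA output buffer size reported for the affected decoder. */
#define SAPED_DMA_BUF_SIZE 0x120000u

/* Hypothetical frame description; the real libsaped structures are not public. */
struct ape_frame_hdr {
    uint32_t blocksperframe;   /* samples per channel in this frame */
    uint16_t channels;         /* 1 or 2 */
    uint16_t bits_per_sample;  /* 8, 16 or 24 */
};

/* Bytes the decoder would emit for one frame; 0 for an invalid header. */
static uint64_t ape_frame_output_bytes(const struct ape_frame_hdr *h)
{
    if (h->channels == 0 || h->channels > 2)
        return 0;
    if (h->bits_per_sample != 8 && h->bits_per_sample != 16 && h->bits_per_sample != 24)
        return 0;
    /* 64-bit product: a uint32 times 2 times 3 cannot wrap here. */
    return (uint64_t)h->blocksperframe * h->channels * (h->bits_per_sample / 8);
}

/* Hardened writer: refuse any frame whose decoded output does not fit the buffer. */
static int saped_rec_checked(uint8_t *dma_buf, size_t dma_cap,
                             const uint8_t *pcm, const struct ape_frame_hdr *h)
{
    uint64_t need = ape_frame_output_bytes(h);
    if (need == 0 || need > dma_cap)
        return -1;             /* reject instead of writing past the DMA buffer */
    memcpy(dma_buf, pcm, (size_t)need);
    return 0;
}

/* Constructed worst case: blocksperframe equal to the buffer size, mono, 24-bit. */
static uint64_t worst_case_overrun_factor(void)
{
    struct ape_frame_hdr h = { SAPED_DMA_BUF_SIZE, 1, 24 };
    return ape_frame_output_bytes(&h) / SAPED_DMA_BUF_SIZE;
}

/* Small-scale check with a 64-byte stand-in for the DMA buffer: 1 = accepted, 0 = rejected. */
static int frame_accepted(uint32_t blocksperframe)
{
    uint8_t buf[64], pcm[64] = { 0 };
    struct ape_frame_hdr h = { blocksperframe, 2, 24 };   /* 6 bytes per block */
    return saped_rec_checked(buf, sizeof buf, pcm, &h) == 0;
}
```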

The bug is particularly worrying because it can be triggered remotely without any user interaction, making it a "0-click" vulnerability.

On Samsung devices, Google Messages is configured to use Rich Communication Services (RCS) by default. With this setup, if a malicious APE audio file is sent as an RCS message, the device may attempt to transcribe the file without any user interaction, crashing the C2 process on the target device.

The researchers demonstrated how to reproduce the crash both locally and remotely:

  • Local reproduction:
  1. Copy the malicious APE file (overflow.ape) to the device.
  2. Play the file using the "My Files" application.
  • Remote reproduction:
  1. Set up a test device that sends RCS messages to the target Samsung phone.
  2. Replace the RCS media cache file with the malicious APE file.
  3. Send an audio message to the target device.

When the malicious file is received, the C2 service on the target device crashes, producing debug logs that confirm the buffer overflow. The crash details include a SIGSEGV (segmentation fault) in the saped_rec function of the libsaped.so library.

The vulnerability is especially concerning because of its 0-click nature, which lets attackers target devices without any user action. While it is unclear whether the bug can be exploited beyond crashing the process (for example, to execute arbitrary code), it remains a critical threat, not least because the memory corruption affects adjacent DMA and non-DMA data.

Samsung Galaxy S23 and S24 devices have been confirmed as affected; there is no indication yet that other Samsung models or Android phones are impacted.

The vulnerability was reported under Google Project Zero's disclosure policy, which gives vendors 90 days to issue a fix before the issue is made public.

If a fix is released before the deadline, the details are published 30 days after the fix. The disclosure deadline for this issue is 19 December 2024, unless a fix is released earlier.

Google Project Zero's disclosure policy is intended to encourage prompt fixes for critical flaws and improve user safety.

Until a fix is installed, Google advised users to:

  • Disable RCS messaging when it is not needed.
  • Avoid opening or interacting with untrusted audio files in messaging apps or file browsers.
  • Install Samsung security updates as soon as they are available.

The Solution

In Samsung's recent security update, five of the critical Common Vulnerabilities and Exposures (CVEs) identified were prioritized for immediate action, including this 0-click vulnerability.

These vulnerabilities pose substantial risks because they allow attackers to execute arbitrary code, potentially leading to unauthorized access to sensitive data and control over affected devices.

This vulnerability highlights the risks in modern smartphone ecosystems, where media-handling services and messaging standards open new attack surfaces. Users should stay vigilant and make sure their devices have the latest security patches installed.

The article “Critical Samsung 0-Click Vulnerability Found in Samsung S24 and S23 Devices Got Fixed” was initially posted on Cyber Security News.