Samsung started presenting patches over the weekend to fix 6 critical bugs discovered in its flagship Android handsets as part of its May spot bulletin. Flaws range from a remote code execution bug to a buffer overflow vulnerability, plus a
peek-and-poke command bug that leaves memory places open on targeted devices.All six of Samsung’s critical vulnerabilities covered this month were recognized in Google’s April Android Security Bulletin. Google released its May Android Security Bulletin last week. In all, Samsung disclosed and patched 27 vulnerabilities, 21 identified as high seriousness.
Qualcomm and HackerOne Partner on Bounty Program Five of the important bugs recognized by Samsung are connected to Qualcomm and its Snapdragon processors utilized in Samsung handhelds, however also the chipmaker’s Snapdragon Use and Automotive platforms. Impacted are Samsung handheld designs varying from its Galaxy family of S9, Note 8 and S8 phones.One critical vulnerability is an RCE bug()recognized by Google last month that might”enable a proximate aggressor utilizing a specifically crafted file to carry out arbitrary code within the context of a fortunate process.”The flaw, which has a CVSS score of 9.8, is connected to a third-party Broadcom cordless chipset driver(bcmdhd). Another vulnerability (),
which is still going through analysis, likewise has a CVSS score of 9.8. That bug is described by the National Vulnerabilities Database as”incorrect gain access to control while setting up MPU(Memory Security Unit)securing error correction registers might possibly lead to direct exposure of related secured data.”An extra bug( )affects Samsung handsets and the Elliptic Curve Digital Signature Algorithm (ECDSA) signature confirmation element. ECDSA is a variant of the Digital Signature Algorithm and typically utilized by Android gadgets to validate the authenticity and preserve the integrity of SMS messages, inning accordance with an IEEE abstract.”In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Vehicle, Snapdragon
Mobile, and Snapdragon Use … in some corner cases, ECDSA signature verification can stop working, “according to the NVD description of the CVE.The”peek and poke”portion of the
CVE-2018-3591 vulnerability refers to a method most often referenced in ancient (i.e., circa 1980s)computer system systems where a user has the ability to”peek”into a memory address and “poke” it, implying change the value.The peek-and-poke vulnerability is referred to as affecting the Snapdragon Mobile platform where the “default develop setup of gadget programmer in BOOT.BF.3.0 enables the flag SKIP_SECBOOT_CHECK_NOT_RECOMMENDED_BY_QUALCOMM which will open up the peek and poke commands to any memory place on the target. “The CVEs detailed by Samsung also affect a number of other Android devices varying from Google Pixel 2, HTC U11, LG V30 and Motorola Moto Z Force(second-gen), to call a couple of.