CVE-2021-25337
Published 2021-03-04
Priority: P179, high; CVSS 3.1 score 7.1
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA Known Exploited Vulnerability (due 2022-11-29)
Exploited in the wild
EPSS: 2.83% (84.9th percentile)
Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | android | — | — |
| samsung | android | — | — |
| samsung | android | — | — |
| samsung_mobile | samsung_mobile_devices | >= Selected P(9.0), Q(10.0), R(11.0) < SMR Mar-2021 Release 1 | SMR Mar-2021 Release 1 |
Detection & IOCs (extracted from sources)
- CVE-2021-25337 is exploited as part of a chain with CVE-2021-25369 and CVE-2021-25370; detection should look for concurrent or sequential exploitation of all three vulnerabilities on Samsung mobile devices using Mali GPU.
- The vulnerability allows untrusted (third-party) applications to read or write arbitrary files via the clipboard service; monitor for unusual file access patterns originating from unprivileged/untrusted apps interacting with the clipboard service.
- CVE-2021-25369 (chained with this CVE) exposes sensitive kernel information via the sec_log file to userspace; monitor for untrusted application access to sec_log.
- CVE-2021-25370 (chained with this CVE) causes memory corruption and kernel panic via incorrect file descriptor handling in the dpu driver on Mali GPU devices; kernel panic or crash logs on Samsung Mali GPU devices may indicate exploitation.
- Vulnerability affects Samsung mobile devices prior to SMR Mar-2021 Release 1; devices patched at or after this release are not affected.
- The full exploit chain (CVE-2021-25337 + CVE-2021-25369 + CVE-2021-25370) specifically targets Samsung mobile devices using Mali GPU; non-Mali GPU Samsung devices may only be partially affected.
CVSS provenance
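| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vulncheck | | 4.4 | MEDIUM | |
| cisa | | 7.1 | HIGH | |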
Project0
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain - Project Zero
project_zero·2022-11-01·CVSS 4.4
CVE-2019-2215 [MEDIUM] A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain - Project Zero
Posted by Maddie Stone, Project Zero
Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later.
As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. Over the past few years the
GHSA
GHSA-7x25-8cjm-2rj9: Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write
ghsa_unreviewed·2022-05-24
CVE-2021-25337 [HIGH] CWE-269 GHSA-7x25-8cjm-2rj9: Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write
Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.
VulnCheck
Samsung Mobile Devices Memory Corruption Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25370 [MEDIUM] CWE-416 Samsung Mobile Devices Memory Corruption Vulnerability
Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25369.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-11-29
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25369 [MEDIUM] CWE-200 Samsung Mobile Devices Improper Access Control Vulnerability
Samsung mobile devices using Mali GPU contain an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; http
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25337 [MEDIUM] CWE-269 Samsung Mobile Devices Improper Access Control Vulnerability
Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-11-29
Project0
Project Zero RCA: CVE-2021-25337: Samsung file system r/w in clipboard provider
project_zero·CVSS 4.4
CVE-2021-25337 [MEDIUM] Project Zero RCA: CVE-2021-25337: Samsung file system r/w in clipboard provider
# CVE-2021-25337: Samsung file system r/w in clipboard provider
*Maddie Stone*
## The Basics
**Disclosure or Patch Date:** March 01, 2021
**Product:** Samsung Android
**Advisory:** https://security.samsungmobile.com/securityUpdate.smsb
**Affected Versions:** pre SMR-Mar-2021
**First Patched Version:** SMR-Mar-2021
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:**
```java
ContentValues vals = new ContentValues();
vals.put("_data", "/data/system/users/0/newFile.bin");
URI semclipboard_uri = URI.parse("content://com.sec.android.semclipboardprovider")
ContentResolver resolver = getContentResolver();
URI newFile_uri = resolver.insert(semclipboard_uri, vals);
return resolver.openFileDescriptor(newFil
```
CISA
Samsung Mobile Devices Improper Access Control Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25369 [HIGH] CWE-200 Samsung Mobile Devices Improper Access Control Vulnerability
Vulnerability: Samsung Mobile Devices Improper Access Control Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices using Mali GPU contain an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25369
Remediation Due Date: 2022-11-29
CISA
Samsung Mobile Devices Improper Access Control Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25337 [HIGH] CWE-269 Samsung Mobile Devices Improper Access Control Vulnerability
Vulnerability: Samsung Mobile Devices Improper Access Control Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25337
Remediation Due Date: 2022-11-29
CISA
Samsung Mobile Devices Memory Corruption Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25370 [HIGH] CWE-416 Samsung Mobile Devices Memory Corruption Vulnerability
Vulnerability: Samsung Mobile Devices Memory Corruption Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25369.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25370
Remediation Due Date: 2022-11-29
Timeline
- 2021-03-04: Published
- 2022-11-08: Added to CISA KEV
- Exploited in the wild