CVE-2021-25369
Published 2021-03-26
CVE-2021-25369: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
Priority: P277 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA Known Exploited Vulnerability (KEV), due 2022-11-29
Exploited in the wild (ITW)
EPSS: 1.12% (62.1th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| samsung | android | — | — |
| samsung | android | — | — |
| samsung | android | — | — |
| samsung | android | — | — |
| samsung_mobile | samsung_mobile_devices | >= O(8.x), P(9.0), Q(10.0) < SMR Mar-2021 Release 1 | SMR Mar-2021 Release 1 |
Detection & IOCs (extracted from sources)
- CVE-2021-25369 is exploited as part of a three-CVE chain; detections should account for concurrent exploitation of CVE-2021-25337 (clipboard service arbitrary file read/write) and CVE-2021-25370 (Mali GPU dpu driver memory corruption/kernel panic)
- Target environment is Samsung Mobile Devices using Mali GPU; focus monitoring on sec_log file access from userspace processes that should not have kernel-level read access
- Monitor for untrusted or low-privilege applications accessing the sec_log file, which should be restricted to kernel/privileged contexts only
- Vulnerability is present only on Samsung Mobile Devices using Mali GPU, prior to SMR MAR-2021 Release 1; patched devices are not affected
- Full exploit chain requires all three CVEs (CVE-2021-25337, CVE-2021-25369, CVE-2021-25370) to be present and unpatched on the target device
CVSS provenance
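| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 4.4 | MEDIUM | — |
| cisa | — | 7.1 | HIGH | — |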
Project0
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain - Project Zero
project_zero·2022-11-01·CVSS 4.4
CVE-2019-2215 [MEDIUM] A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain - Project Zero
Posted by Maddie Stone, Project Zero
Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later.
As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. Over the past few years the
GHSA
GHSA-g6pj-gc3g-pf4q: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace
ghsa_unreviewed·2022-05-24
CVE-2021-25369 [MEDIUM] CWE-200 GHSA-g6pj-gc3g-pf4q: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace
An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
VulnCheck
Samsung Mobile Devices Memory Corruption Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25370 [MEDIUM] CWE-416 Samsung Mobile Devices Memory Corruption Vulnerability
Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25369.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-11-29
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25369 [MEDIUM] CWE-200 Samsung Mobile Devices Improper Access Control Vulnerability
Samsung mobile devices using Mali GPU contain an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; http
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25337 [MEDIUM] CWE-269 Samsung Mobile Devices Improper Access Control Vulnerability
Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-11-29
Project0
Project Zero RCA: CVE-2021-25369: Samsung kernel info leak in sec_log
project_zero·CVSS 6.2
CVE-2021-25369 [MEDIUM] Project Zero RCA: CVE-2021-25369: Samsung kernel info leak in sec_log
# CVE-2021-25369: Samsung kernel info leak in sec_log
*Maddie Stone*
## The Basics
**Disclosure or Patch Date:** March 01, 2021
**Product:** Samsung Android
**Advisory:** https://security.samsungmobile.com/securityUpdate.smsb
**Affected Versions:** Samsung Exynos, kernel 4.14.113, pre SMR-Mar-2021
**First Patched Version:** SMR-Mar-2021
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:**
```c
// To trigger the WARN_ON
hwcnt_fd = ioctl(dev_mali_fd, 0x40148008, &v4);
ioctl(hwcnt_fd, 0x4004BEFE, 0);
// To start the bugreport which writes kmsg contents to /data/log/sec_log.log
system("setprop dumpstate.options bugreportfull; setprop ctl.start bugreport");
```
**Exploit sample:** N/A
**Access to the
CISA
Samsung Mobile Devices Improper Access Control Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25369 [HIGH] CWE-200 Samsung Mobile Devices Improper Access Control Vulnerability
Vulnerability: Samsung Mobile Devices Improper Access Control Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices using Mali GPU contain an improper access control vulnerability in sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to the userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25369
Remediation Due Date: 2022-11-29
CISA
Samsung Mobile Devices Improper Access Control Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25337 [HIGH] CWE-269 Samsung Mobile Devices Improper Access Control Vulnerability
Vulnerability: Samsung Mobile Devices Improper Access Control Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices contain an improper access control vulnerability in clipboard service which allows untrusted applications to read or write arbitrary files. This vulnerability was chained with CVE-2021-25369 and CVE-2021-25370.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25337
Remediation Due Date: 2022-11-29
CISA
Samsung Mobile Devices Memory Corruption Vulnerability
cisa·2022-11-08·CVSS 7.1
CVE-2021-25370 [HIGH] CWE-416 Samsung Mobile Devices Memory Corruption Vulnerability
Vulnerability: Samsung Mobile Devices Memory Corruption Vulnerability
Affected: Samsung Mobile Devices
Samsung mobile devices using Mali GPU contain an incorrect implementation handling file descriptor in dpu driver. This incorrect implementation results in memory corruption, leading to kernel panic. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25369.
Required Action: Apply updates per vendor instructions.
Notes: https://security.samsungmobile.com/securityUpdate.smsb; https://nvd.nist.gov/vuln/detail/CVE-2021-25370
Remediation Due Date: 2022-11-29
Timeline:
- 2021-03-26: Published
- 2022-11-08: Added to CISA KEV (exploited in the wild)