Business
Samsung fixes critical Android bugs in March 2021 updates
This week Samsung has started rolling out Android’s March security updates to mobile devices to patch critical security vulnerabilities in the runtime, operating system, and related components.
This comes after Android had published their March 2021 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.
As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on March 5, 2021, this week.
These updates mainly comprise significant security fixes with a couple of enhancements across Samsung Galaxy built-in apps like Calendar, Display, Social Platform, and SmartThings.
Source: BleepingComputer
Every vulnerability addressed by this update, has either a ‘High’ or ‘Critical’ severity rating, making this update a must for Android users so that their devices remain protected.
From RCE via Bluetooth to Privilege Escalation
There’s the critical vulnerability, CVE-2021-0397 lurking in the Android System arising from a null pointer, which has been fixed by this update.
The vulnerability in Android’s Bluetooth Service Discovery Protocol (SDP) implementation, called Fluoride Bluetooth stack could let an attacker perform remote code execution (RCE) attacks via a specially crafted Bluetooth transmission.
.jpg?w=740&ssl=1)
Source: Google Source for Android
Additionally, Google Play Protect has stepped up protections and made exploitation of Android vulnerabilities more challenging by adding security enhancements.
“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform.”
“We encourage all users to update to the latest version of Android where possible,” stated this month’s Android advisory.
Other flaws impacting components like Framework, System, and Android runtime could allow sensitive information disclosure and privilege escalation by attackers.
The list of vulnerabilities patched by this update includes:
Android runtime
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0395 | A-170315126 | EoP | High | 11 |
Framework
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0391 | A-172841550 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0398 | A-173516292 | EoP | High | 11 |
System
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0397 | A-174052148 | RCE | Critical | 8.1, 9, 10, 11 |
| CVE-2017-14491 | A-158221622 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0393 | A-168041375 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0396 | A-160610106 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0390 | A-174749461 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0392 | A-175124730 | EoP | High | 9, 10, 11 |
| CVE-2021-0394 | A-172655291 [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] | ID | High | 8.1, 9, 10, 11 |
Google Play system updates
| Component | CVE |
|---|---|
| WiFi | CVE-2021-0390 |
Some bugs may still be exploitable
On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2021-03-01.”
This implies the high and critical severity vulnerabilities yet to be fixed by the “2021-03-05 security patch” could still be exploitable.
Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
A full description of enhancements and optimizations this update brings is provided on Samsung’s website.
IoT security threats highlight the need for zero trust principles
New infosec products of the week: October 27, 2023
Raven: Open-source CI/CD pipeline security scanner
Apple news: iLeakage attack, MAC address leakage bug
Hackers earn over $1 million for 58 zero-days at Pwn2Own Toronto
