
Samsung fixes critical Android bugs in March 2021 updates


This week Samsung has started rolling out Android’s March security updates to mobile devices to patch critical security vulnerabilities in the runtime, operating system, and related components.

This comes after Android published its March 2021 security bulletin, which includes patches for critical vulnerabilities impacting the latest devices.

As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on March 5, 2021, this week.

These updates mainly comprise significant security fixes with a couple of enhancements across Samsung Galaxy built-in apps like Calendar, Display, Social Platform, and SmartThings.

Samsung Galaxy S10 prompting users to get March 2021 updates
Source: BleepingComputer

Every vulnerability addressed by this update has either a ‘High’ or ‘Critical’ severity rating, making this update a must for Android users so that their devices remain protected.

From RCE via Bluetooth to Privilege Escalation

The update fixes CVE-2021-0397, a critical vulnerability in the Android System component arising from a null pointer.

The vulnerability, in the Bluetooth Service Discovery Protocol (SDP) implementation of Android’s Fluoride Bluetooth stack, could let an attacker perform remote code execution (RCE) attacks via a specially crafted Bluetooth transmission.

Fix made for CVE-2021-0397, critical RCE vulnerability
Source: Google Source for Android

Additionally, Google Play Protect has stepped up protections and made exploitation of Android vulnerabilities more challenging by adding security enhancements.

“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform.”

“We encourage all users to update to the latest version of Android where possible,” stated this month’s Android advisory.

Other flaws impacting components like Framework, System, and Android runtime could allow sensitive information disclosure and privilege escalation by attackers.

The list of vulnerabilities patched by this update includes:

Android runtime

| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0395 | A-170315126 | EoP | High | 11 |

Framework

| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0391 | A-172841550 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0398 | A-173516292 | EoP | High | 11 |

System

| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-0397 | A-174052148 | RCE | Critical | 8.1, 9, 10, 11 |
| CVE-2017-14491 | A-158221622 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0393 | A-168041375 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0396 | A-160610106 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0390 | A-174749461 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0392 | A-175124730 | EoP | High | 9, 10, 11 |
| CVE-2021-0394 | A-172655291 [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] | ID | High | 8.1, 9, 10, 11 |

Google Play system updates

| Component | CVE |
|---|---|
| WiFi | CVE-2021-0390 |

Some bugs may still be exploitable

On select Samsung Galaxy devices, the updates pushed this week have their latest “security patch level” dated “2021-03-01.”

This implies that, on those devices, the high- and critical-severity vulnerabilities yet to be fixed by the “2021-03-05 security patch” could still be exploitable.

Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the “auto-update” settings enabled.
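For administrators who want to check this across several devices, the following is an added example (not from the original article or from Samsung or Google) that classifies a reported security patch level against the two March 2021 levels named above. The inventory lines and serials are constructed, the function names are hypothetical, and `device_patch_level` assumes `adb` is installed and the device is connected.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the two
# March 2021 levels named in the article. Function names are hypothetical.

PARTIAL_LEVEL=20210301   # the "2021-03-01" level
FULL_LEVEL=20210305      # the "2021-03-05" level

# classify_patch_level YYYY-MM-DD -> prints full | partial | outdated | invalid
#   full     = at or past 2021-03-05 (later levels include earlier fixes)
#   partial  = at 2021-03-01 but below 2021-03-05
#   outdated = below 2021-03-01
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;   # reject empty or malformed values
    esac
    n=$(printf '%s' "$1" | tr -d '-')  # 2021-03-01 -> 20210301
    if [ "$n" -ge "$FULL_LEVEL" ]; then echo full
    elif [ "$n" -ge "$PARTIAL_LEVEL" ]; then echo partial
    else echo outdated
    fi
}

# device_patch_level <serial>: read the level from a connected device.
# Older adb versions end lines with CR, which would fail validation, so strip it.
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
}

# audit_inventory: read "<serial> <patch_level>" lines on stdin and print
# every device that is not at the full level, with the reason.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        if [ "$status" != full ]; then
            printf '%s %s %s\n' "$serial" "${level:-missing}" "$status"
        fi
    done
}

# Constructed inventory (serials and levels are made up for illustration).
audit_inventory <<'EOF'
SERIAL-A 2021-03-05
SERIAL-B 2021-03-01
SERIAL-C 2021-02-01
SERIAL-D 2021-3-1
EOF
```

To audit a live device instead of the sample inventory, pass the output of `device_patch_level` to `classify_patch_level`.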

A full description of enhancements and optimizations this update brings is provided on Samsung’s website.

Source: https://www.bleepingcomputer.com/news/security/samsung-fixes-critical-android-bugs-in-march-2021-updates/
