Researcher Details 0-Day Flaw CVE-2024-44068 in Samsung Exynos Processors
Samsung has released a critical security patch to address CVE-2024-44068, a high-severity vulnerability impacting devices equipped with Exynos processors. Discovered by Xingyu Jin of Google, this zero-day flaw, which earned a CVSS score of 8.1, stemmed from improper memory management in the m2m1shot_scaler0 driver, responsible for key image and video processing tasks such as scaling and JPEG decoding.
The vulnerability, present in Exynos processors including the 9820, 9825, 980, 990, 850, and W920 models, arises from a Use-After-Free (UAF) condition. UAF vulnerabilities occur when memory is freed but continues to be used by the system, potentially leading to severe security risks. In this case, the m2m1shot_scaler0 driver could improperly release memory pages and subsequently reuse them, creating an opening for attackers to hijack these memory regions and execute malicious code.
Exploitation of CVE-2024-44068 is particularly concerning because it enables a Kernel Space Mirroring Attack (KSMA). Attackers can leverage this flaw through crafted IOCTL calls, effectively rewriting kernel page tables to gain system-level privileges. A real-world example of this vulnerability in action was demonstrated on a Samsung S10 (model G973FXXSGHWC2), where attackers were able to manipulate system processes and conceal malicious activity, granting them deep access to the device.
To execute the attack, malicious actors used the mmap and mincore system calls to observe when memory was mapped to virtual I/O pages. By freeing that memory while the mapping was in use, they left the driver in a vulnerable state, still referencing invalid pages, which allowed the exploit to take hold.
Samsung has addressed the issue with the SMR-Oct-2024 security update, revising object reference management for PFNMAP pages to ensure freed memory is no longer reused. This update is now available for all affected devices, and Samsung strongly urges users to install the patch immediately to protect their devices from potential exploitation.
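As an added triage check for defenders (not code from the article, Google or Samsung): a small shell helper that classifies a device from two standard Android system properties. It assumes the fix is carried by the SMR-Oct-2024 level, so a security patch level of 2024-10-01 or later counts as patched, and it assumes that ro.board.platform on affected Samsung devices contains the Exynos model number (an assumption; the affected-model list is the one given above).

```shell
#!/bin/sh
# Added example (not from the article): fleet triage for the CVE-2024-44068 fix.
# Assumptions: the fix ships with SMR-Oct-2024 (patch level >= 2024-10-01), and
# ro.board.platform on affected devices embeds the Exynos model number.

FIX_LEVEL="2024-10-01"
AFFECTED_SOCS="9820 9825 980 990 850 W920"

# Returns 0 if the platform string names one of the affected Exynos SoCs.
is_affected_soc() {
    platform="$1"
    for soc in $AFFECTED_SOCS; do
        case "$platform" in
            *exynos"$soc"*|*universal"$soc"*) return 0 ;;
        esac
    done
    return 1
}

# Returns 0 if the patch level (YYYY-MM-DD) is at or after the fix level.
# Dashes are stripped so the dates compare as plain integers.
patch_covers_fix() {
    level=$(printf '%s' "$1" | tr -d '-')
    fix=$(printf '%s' "$FIX_LEVEL" | tr -d '-')
    [ "$level" -ge "$fix" ]
}

# Verdict for one device given its platform and patch-level properties.
triage() {
    if ! is_affected_soc "$1"; then
        echo "not-affected-soc"
    elif patch_covers_fix "$2"; then
        echo "patched"
    else
        echo "VULNERABLE"
    fi
}

# Constructed sample values; on a real device read them with:
#   adb shell getprop ro.board.platform
#   adb shell getprop ro.build.version.security_patch
triage "exynos9820" "2024-09-01"   # prints VULNERABLE
triage "exynos9820" "2024-10-01"   # prints patched
triage "exynos2100" "2024-09-01"   # prints not-affected-soc
```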
Experts in the field have also highlighted the importance of source code audits and rigorous testing of IOCTL calls to prevent similar vulnerabilities in the future.