SAMSUNG Mobile Security Maintenance February 2023

See the SAMSUNG site

Samsung Mobile is releasing a maintenance release for major flagship models as part of the monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.

Google patches include patches up to Android Security Bulletin – February 2023 package. The Bulletin (February 2023) contains the following CVE items:

Critical: CVE-2022-42719, CVE-2022-42721, CVE-2022-42720, CVE-2022-41674, CVE-2022-22088

High: CVE-2022-20235, CVE-2023-20928, CVE-2022-2959, CVE-2022-32636, CVE-2022-32637, CVE-2022-25746, CVE-2022-23960, CVE-2022-25725, CVE-2022-33284, CVE-2022-33286, CVE-2022-33276, CVE-2022-33285, CVE-2022-44426, CVE-2022-44425, CVE-2022-44427, CVE-2022-44428, CVE-2022-44431, CVE-2022-44429, CVE-2022-44432, CVE-2022-44430, CVE-2022-44435, CVE-2022-44437, CVE-2022-44434, CVE-2022-44436, CVE-2022-44438, CVE-2022-20443, CVE-2022-20551, CVE-2023-20934, CVE-2023-20942, CVE-2023-20943, CVE-2023-20944, CVE-2023-20948, CVE-2023-20933, CVE-2022-20481, CVE-2022-43680, CVE-2023-20939, CVE-2023-20945, CVE-2023-20946, CVE-2023-20932, CVE-2022-20455, CVE-2020-27059, CVE-2022-20441, CVE-2022-20451

Moderate: None

Already included in previous updates: CVE-2021-35097, CVE-2021-35113, CVE-2021-35134, CVE-2022-33274, CVE-2022-33252, CVE-2022-33253, CVE-2022-33283, CVE-2022-20006

Not applicable to Samsung devices: CVE-2022-32635, CVE-2022-33266, CVE-2022-33255, CVE-2023-20940

※ Please see Android Security Bulletin for detailed information on Google patches.

Along with Google patches, Samsung Mobile provides 7 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customers’ confidence in the security of Samsung Mobile devices. Samsung security index (SSI), found in “Security software version”, SMR Feb-2023 Release 1 includes all patches from Samsung and Google. Some of the SVE items may not be included in this package if they were already included in a previous maintenance release.

SVE-2022-2738(CVE-2023-21440): Improper access control vulnerability in WindowManagerService

Severity: High
Affected versions: T(13)
Reported on: November 21, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in WindowManagerService prior to SMR Feb-2023 Release 1 allows attackers to take a screen capture. The patch adds a proper permission check to prevent unauthorized access.

SVE-2022-2726(CVE-2023-21439): Improper input validation in UwbDataTxStatusEvent

Severity: High
Affected versions: S(12), T(13)
Reported on: November 19, 2022
Disclosure status: Privately disclosed
Improper input validation vulnerability in UwbDataTxStatusEvent prior to SMR Feb-2023 Release 1 allows attackers to launch certain activities. The patch adds proper validation logic to prevent privilege escalation.

SVE-2022-2546(CVE-2023-21438): App preview disclosure protected by Secure Folder in Recents

Severity: Moderate
Affected versions: R(11), S(12)
Reported on: October 25, 2022
Disclosure status: Privately disclosed
Improper logic in HomeScreen prior to SMR Feb-2023 Release 1 allows a physical attacker to access an app preview protected by Secure Folder. The patch adds proper validation logic to prevent unauthorized access.

SVE-2022-2328(CVE-2023-21437): Improper access control vulnerability in Phone application

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 20, 2022
Disclosure status: Privately disclosed
Improper access control vulnerability in Phone application prior to SMR Feb-2023 Release 1 allows local attackers to access sensitive information via implicit broadcast. The patch adds proper permission to prevent improper access.

SVE-2022-2296(CVE-2023-21436): Implicit intent hijacking vulnerability in Contacts

Severity: Moderate
Affected versions: Q(10), R(11), S(12), T(13)
Reported on: September 17, 2022
Disclosure status: Privately disclosed
Improper usage of implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows an attacker to get the account ID. The patch changes the implicit intent to an explicit intent.

SVE-2022-2195(CVE-2023-21435): Exposure of Sensitive Information vulnerability in Fingerprint TA

Severity: Moderate
Affected versions: Select R(11), S(12), T(13) devices
Reported on: September 9, 2022
Disclosure status: Privately disclosed
Exposure of sensitive information vulnerability in Fingerprint TA prior to SMR Feb-2023 Release 1 allows attackers to access memory address information via the log. The patch removes the log that shows the memory address.

Some SVE items included in the Samsung Android Security Update cannot be disclosed at this time.

Acknowledgements

Michał Bednarski: SVE-2022-2738
Binwei Shen: SVE-2022-2726
Emilio Garza Cantu: SVE-2022-2546
Oversecured Inc: SVE-2022-2328, SVE-2022-2296
Zhongquan Li @ ADLab of VenusTech: SVE-2022-2195
