Samsung Email bug could let attackers access your attachments
This month, Samsung has fixed multiple high severity vulnerabilities across multiple Samsung apps that come pre-installed on Samsung mobile devices.
These vulnerabilities impact apps and services including, Samsung Email, Samsung Members, SmartThings, Samsung Experience Service, Samsung Account, Gallery and Bixby.
Remote attackers could tap into your email attachments
One of these vulnerabilities, CVE-2021-25375 in particular, exists in the Samsung Email app prior to version 126.96.36.199.
By exploiting this vulnerability, a remote attacker could access email attachments from your Samsung Email app.
While the exact mechanism of the exploitation is yet to be fully known, the security advisory for the vulnerability explains:
Using predictable index for attachments in Samsung Email prior to version 188.8.131.52 allows remote attackers to get attachments of another emails when users open the malicious attachment.
This implies, a remote attacker would typically need to send a Samsung Email app user an email with a malicious attachment.
But because of the predictable way attachment IDs are generated on the Samsung Email app, should the user open the attacker’s malicious attachment, the remote attacker would now be able to access more email attachments from the user’s other received emails.
This severe flaw was discovered by Juno Im and reported to Samsung on March 18, 2020.
A fix for the vulnerability went into version 184.108.40.206 of the app.
More severe vulnerabilities patched
Other vulnerabilities patched by Samsung in its mobile apps are as follows:
SVE-2021-19144 (CVE-2021-25374): Samsung Members
Resolved Version: 220.127.116.11 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above
Reported on: October 4, 2020
Description: An improper authorization vulnerability in Samsung Members “samsungrewards” scheme for deeplink in versions 18.104.22.168 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.
Acknowledgement: Ken Gannon
SVE-2021-18085 (CVE-2021-25376): Samsung Email
Resolved Version: 22.214.171.124
Reported on: June 17, 2020
Description: An improper synchronization logic in Samsung Email prior to version 126.96.36.199 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed.
Acknowledgement: Damian Poddebniak, Fabian Ising
SVE-2021-20637 (CVE-2021-25377): Samsung Experience Service
Resolved Version: 10.8.0.4 in Android P(9.0) below, and 188.8.131.52 in Android Q(10.0) above
Reported on: February 9, 2021
Description: Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 184.108.40.206 in Android Q(10.0) above allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin
SVE-2021-20386 (CVE-2021-25378): SmartThings
Resolved Version: 220.127.116.11
Reported on: January 19, 2021
Description: Improper access control of certain port in SmartThings prior to version 18.104.22.168 allows remote temporary denial of service.
Acknowledgement: Zhongquan Li ( CytQ) of Xiaomi AIoT Security Lab
SVE-2021-20601 (CVE-2021-25379): Gallery
Resolved Version: 22.214.171.124
Reported on: February 5, 2021
Description: Intent redirection vulnerability in Gallery prior to version 126.96.36.199 allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin
SVE-2021-19830 (CVE-2021-25380): Bixby
Resolved Version: 3.0.53.02
Reported on: December 5, 2020
Description: Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user.
Acknowledgement: Gregory DRAPERI
SVE-2021-19503 (CVE-2021-25381): Samsung Account
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 188.8.131.52 in Android Q(10.0) and above
Reported on: November 2, 2020
Description: Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 184.108.40.206 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
April updates are crucial as the vulnerabilities patched by this update lurk in the system applications and services that are typically shipped with the device out of the box.
Users are encouraged to apply the latest updates to keep themselves protected.