Samsung Email bug could let attackers access your attachments

This month, Samsung has fixed multiple high severity vulnerabilities across multiple Samsung apps that come pre-installed on Samsung mobile devices.

These vulnerabilities impact apps and services including, Samsung Email, Samsung Members, SmartThings, Samsung Experience Service, Samsung Account, Gallery and Bixby.

Remote attackers could tap into your email attachments

One of these vulnerabilities, CVE-2021-25375 in particular, exists in the Samsung Email app prior to version 6.1.41.0.

By exploiting this vulnerability, a remote attacker could access email attachments from your Samsung Email app.

While the exact mechanism of the exploitation is yet to be fully known, the security advisory for the vulnerability explains:

Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment.

This implies, a remote attacker would typically need to send a Samsung Email app user an email with a malicious attachment.

But because of the predictable way attachment IDs are generated on the Samsung Email app, should the user open the attacker’s malicious attachment, the remote attacker would now be able to access more email attachments from the user’s other received emails.

This severe flaw was discovered by Juno Im and reported to Samsung on March 18, 2020.

A fix for the vulnerability went into version 6.1.41.0 of the app.

More severe vulnerabilities patched

Other vulnerabilities patched by Samsung in its mobile apps are as follows:

SVE-2021-19144 (CVE-2021-25374): Samsung Members

Severity: High
Resolved Version: 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above
Reported on: October 4, 2020
Description: An improper authorization vulnerability in Samsung Members “samsungrewards” scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.
Acknowledgement: Ken Gannon

SVE-2021-18085 (CVE-2021-25376): Samsung Email

Severity: Moderate
Resolved Version: 6.1.41.0
Reported on: June 17, 2020
Description: An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in certain mailbox in plain text when STARTTLS negotiation is failed.
Acknowledgement: Damian Poddebniak, Fabian Ising

SVE-2021-20637 (CVE-2021-25377): Samsung Experience Service

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above
Reported on: February 9, 2021
Description: Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin 

SVE-2021-20386 (CVE-2021-25378): SmartThings

Severity: Low
Resolved Version: 1.7.63.6
Reported on: January 19, 2021
Description: Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
Acknowledgement: Zhongquan Li ( CytQ) of Xiaomi AIoT Security Lab

SVE-2021-20601 (CVE-2021-25379): Gallery

Severity: Moderate
Resolved Version: 5.4.16.1
Reported on: February 5, 2021
Description: Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action.
Acknowledgement: Sergey Toshin

SVE-2021-19830 (CVE-2021-25380): Bixby

Severity: Moderate
Resolved Version: 3.0.53.02
Reported on: December 5, 2020
Description: Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user.
Acknowledgement: Gregory DRAPERI

SVE-2021-19503 (CVE-2021-25381): Samsung Account

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above
Reported on: November 2, 2020
Description: Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
Acknowledgement: hard_______

April updates are crucial as the vulnerabilities patched by this update lurk in the system applications and services that are typically shipped with the device out of the box.

Users are encouraged to apply the latest updates to keep themselves protected.