Samsung fixes critical Android bugs in March 2021 updates



This week Samsung has started rolling out Android's March security updates to mobile devices to patch critical security vulnerabilities in the runtime, operating system, and related components.

 

This comes after Android had published their March 2021 security updates bulletin, which includes patches for critical vulnerabilities impacting the latest devices.

 

As observed by BleepingComputer, Samsung Galaxy devices are automatically pulling updates released on March 5, 2021, this week.

 

These updates mainly comprise significant security fixes with a couple of enhancements across Samsung Galaxy built-in apps like Calendar, Display, Social Platform, and SmartThings.

 

Samsung Galaxy S10 prompting users to get March 2021 updates

Source: BleepingComputer

 

Every vulnerability addressed by this update has either a 'High' or 'Critical' severity rating, making the update a must for Android users who want their devices to remain protected.

From RCE via Bluetooth to Privilege Escalation

Among the fixes is CVE-2021-0397, a critical vulnerability in the Android System component arising from a null pointer.

The vulnerability lies in the Service Discovery Protocol (SDP) implementation of Android's Bluetooth stack, called Fluoride, and could let an attacker perform remote code execution (RCE) attacks via a specially crafted Bluetooth transmission.

Fix made for CVE-2021-0397, critical RCE vulnerability

Source: Google Source for Android

 

Additionally, Google Play Protect has stepped up protections and made exploitation of Android vulnerabilities more challenging by adding security enhancements.

"Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform."

"We encourage all users to update to the latest version of Android where possible," stated this month's Android advisory.

 

Other flaws impacting components like Framework, System, and Android runtime could allow sensitive information disclosure and privilege escalation by attackers.

 

The list of vulnerabilities patched by this update includes:

 

Android runtime

| CVE | References | Type | Severity | Updated AOSP versions |
| --- | --- | --- | --- | --- |
| CVE-2021-0395 | A-170315126 | EoP | High | 11 |

Framework

| CVE | References | Type | Severity | Updated AOSP versions |
| --- | --- | --- | --- | --- |
| CVE-2021-0391 | A-172841550 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0398 | A-173516292 | EoP | High | 11 |

System

| CVE | References | Type | Severity | Updated AOSP versions |
| --- | --- | --- | --- | --- |
| CVE-2021-0397 | A-174052148 | RCE | Critical | 8.1, 9, 10, 11 |
| CVE-2017-14491 | A-158221622 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0393 | A-168041375 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0396 | A-160610106 | RCE | High | 8.1, 9, 10, 11 |
| CVE-2021-0390 | A-174749461 | EoP | High | 8.1, 9, 10, 11 |
| CVE-2021-0392 | A-175124730 | EoP | High | 9, 10, 11 |
| CVE-2021-0394 | A-172655291 [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] | ID | High | 8.1, 9, 10, 11 |

Google Play system updates

| Component | CVE |
| --- | --- |
| WiFi | CVE-2021-0390 |

Some bugs may still be exploitable

On select Samsung Galaxy devices, the updates pushed this week have their latest "security patch level" dated "2021-03-01."

This implies that the high and critical severity vulnerabilities that are only fixed by the "2021-03-05 security patch" could still be exploitable on those devices.

 

Users are advised to update their Android devices immediately to safeguard against these bugs, and ensure their devices have the "auto-update" settings enabled.

 

A full description of enhancements and optimizations this update brings is provided on Samsung's website.

 

 

Source: Samsung fixes critical Android bugs in March 2021 updates
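
The patch-level gap described under "Some bugs may still be exploitable" can be checked across a set of devices. The following is an added example, not code from the article, Samsung or Google: it assumes each device's properties were collected as `getprop` output (for instance with `adb shell getprop`), reads the `ro.build.version.security_patch` property, and flags devices below the "2021-03-05" level. The device names and dumps are constructed sample data.

```python
import re
from datetime import date

# Patch levels named in the article (March 2021 bulletin).
PARTIAL_LEVEL = date(2021, 3, 1)  # level reported by select Galaxy devices
FULL_LEVEL = date(2021, 3, 5)     # complete March 2021 patch level

# `getprop` prints each property as "[name]: [value]".
_PATCH_PROP = re.compile(
    r"^\[ro\.build\.version\.security_patch\]:\s*\[(\d{4})-(\d{2})-(\d{2})\]\s*$",
    re.MULTILINE,
)

def patch_level(getprop_dump):
    """Return the security patch level found in a getprop dump, or None."""
    match = _PATCH_PROP.search(getprop_dump)
    if match is None:
        return None
    try:
        return date(*(int(part) for part in match.groups()))
    except ValueError:  # well-formed string but impossible date
        return None

def classify(getprop_dump):
    """Classify a device against the March 2021 patch levels."""
    level = patch_level(getprop_dump)
    if level is None:
        return "unknown"    # property missing or malformed: investigate
    if level >= FULL_LEVEL:
        return "full"
    if level >= PARTIAL_LEVEL:
        return "partial"    # 2021-03-01 only: 2021-03-05 fixes missing
    return "outdated"

def needs_attention(fleet):
    """Return {device: status} for every device not at the full level."""
    statuses = {name: classify(dump) for name, dump in fleet.items()}
    return {name: s for name, s in statuses.items() if s != "full"}

# Constructed sample dumps (device names and values are illustrative).
SAMPLE_FLEET = {
    "galaxy-a": "[ro.build.version.release]: [11]\n[ro.build.version.security_patch]: [2021-03-01]\n",
    "galaxy-b": "[ro.build.version.security_patch]: [2021-03-05]\r\n",
    "galaxy-c": "[ro.build.version.security_patch]: [2021-02-01]\n",
    "galaxy-d": "[ro.build.version.release]: [10]\n",
}

if __name__ == "__main__":
    for device, status in sorted(needs_attention(SAMPLE_FLEET).items()):
        print(f"{device}: {status}")
```

A device reported as "unknown" should be treated as unverified rather than patched, since a missing or malformed property gives no evidence of its patch level.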
