CISA today warned of a security vulnerability affecting Samsung devices used in attacks to circumvent Android’s Address Space Layout Randomization (ASLR) protection.

ASLR is an Android security feature that randomizes memory addresses where key application and operating system components are loaded into device memory.

This makes it harder for attackers to exploit memory-related vulnerabilities and successfully launch attacks such as buffer overflow, return-oriented programming, or other memory-based exploits.

The failure (CVE-2023-21492) affects Samsung mobile devices running Android 11, 12 and 13 and is due to the insertion of sensitive information in log files.

The exposed information can be used by local attackers with elevated privileges to perform ASLR bypass that could allow exploitation of memory management issues.

In this month’s security updates, Samsung addressed this issue by ensuring that kernel pointers are no longer printed in log files.

“Samsung has been notified that an exploit for this issue has existed in the wild,” the company said. said in the May 2023 Security Maintenance Release (SMR) advisory.

Although Samsung did not provide exploit details for CVE-2023-21492, these security vulnerabilities are often exploited as part of complex exploit chains in highly targeted attacks.

For example, in March, Google’s Threat Analysis Group (TAG) and Amnesty International revealed two recent series of attacks using Android, iOS and Chrome exploit chains to install commercial spyware, one of the campaigns targeting Samsung users in the United Arab Emirates (UAE).

Federal agencies ordered to patch by June 9

US Federal Civilian Executive Agencies (FCEB) were given a three-week deadline, until June 9, to secure their Samsung Android devices against attacks exploiting CVE-2023-21492 after CISA added the vulnerability on Friday to its catalog of known exploited vulnerabilities. .

This goes in the direction of a Binding Operational Directive (BOD 22-01) released in November 2021 requiring federal agencies to fix all vulnerabilities added to CISA’s KEV list before the deadline expires.

Although primarily intended for use by US federal agencies, private companies are strongly recommended to prioritize addressing the vulnerabilities listed in the cybersecurity agency’s list of exploited bugs in attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

A week ago, US federal agencies were also ordered to fix a critical remote code execution (RCE) bug Ruckus abused in nature to infect Wi-Fi hotspots with AndoryuBot malware.