Samsung releases November update for Galaxy phones
Take action: Much like the vanilla Android update, this one is not to be delayed. It contains fixes for critical and actively exploited flaws. If you are using a Samsung Galaxy device, it's time to start the update and read a book until it finishes. It shouldn't take long, and it's worth it.
Samsung Mobile has rolled out its November 2024 Security Maintenance Release (SMR) for the flagship Galaxy models, incorporating patches from both Google and Samsung to address multiple vulnerabilities.
This update includes Google’s Android Security Bulletin for November 2024 and Samsung-specific fixes. Users are advised to install this update promptly as it addresses key security concerns, some of which may already be under active exploitation.
- High-Severity Vulnerabilities:
  - Privilege Escalation: CVE-2024-23369, CVE-2024-43093, and others are privilege escalation flaws that could allow unauthorized data access.
  - Memory Corruption and Denial of Service: CVE-2024-40651, CVE-2024-34733, and others could result in memory corruption, denial of service, or unauthorized access to system data.
- Zero-Day Vulnerability Patched: Samsung has issued a patch for CVE-2024-43093, a Google Play framework vulnerability. This zero-day flaw allowed privilege escalation and could lead to unauthorized access, marking a critical fix for Samsung users.
- Pending Fixes: CVE-2024-43047, a Qualcomm chipset vulnerability, remains unaddressed in this release. Qualcomm flagged this vulnerability in September, warning that it could be under targeted exploitation. Samsung is working with Qualcomm on a fix, but it may not be available for Samsung devices until December. This delay poses a risk for Samsung users, as Google and the U.S. cybersecurity agency have previously advised urgent mitigation.
Samsung Semiconductor Patch
Samsung has addressed CVE-2024-45185, a high-severity vulnerability specific to Samsung’s semiconductor components, which could allow unauthorized access if exploited.
In addition to the Google patches, Samsung has included 13 SVEs that address vulnerabilities specific to Samsung Mobile's software:
- High-Severity Issues:
  - CVE-2024-49402: Improper input validation in "Dressroom" affecting Android 14 allows unauthorized data access across user profiles.
  - CVE-2024-34674: Improper access control in "Contacts" affecting Android 12, 13, and 14, enabling unauthorized cross-profile data access.
  - CVE-2024-34676: An out-of-bounds write vulnerability in libsubextractor.so affecting Android 12, 13, and 14 that could lead to memory corruption.
  - CVE-2024-34677: An out-of-bounds write in libsapeextractor.so that poses a memory corruption risk upon user interaction.
- Moderate-Severity Issues:
  - CVE-2024-34673: Improper input validation in IpcProtocol in Modem, affecting Android 12, 13, and 14, potentially causing a Denial-of-Service.
  - CVE-2024-34678: Improper access permissions in System UI that could allow malicious apps to appear as legitimate.
  - CVE-2024-34680: Issues with implicit intent usage in WlanTest, enabling attackers to retrieve sensitive information.
These vulnerabilities, if exploited, could lead to denial-of-service, unauthorized data access, or local device compromise. Samsung has patched these issues in SMR Nov-2024 Release 1.