|Samsung ID:||SVE-2019-16265 (Look for SVE-2019-16265)|
|Affected Products:||Samsung mobile devices running Android O(8.0) and P(9.0) with Exynos 8895 chipset (tested on S8 and Note8 firmware)|
|Class:||"Write What Where" Condition where "What" is always zero (CWE-123)|
|Discovered by:||Aristeidis Thallas|
CENSUS identified a bug in RKP, the Samsung EL2 Hypervisor implementation. The bug allows to write the zero 64-bit value to an arbitrary memory address. For the bug to be triggered, code execution is required in the context of the EL1 kernel. The bug was verified on the Samsung S8 and Note8 devices and was fixed by Samsung in the "SMR February-2020 Release 1". The bug may allow an adversary with kernel execution access to circumvent established security controls through the corruption of device memory. Users are urged to follow the latest security updates offered by Samsung for their mobile devices.
Hello, I'm Aris Thallas, a computer security researcher working at CENSUS. Back in February 2020 I had the pleasure of presenting my work on proprietary hypervisor emulation and bug discovery at the OffensiveCon 2020 conference.
Attending Recon 2019 was an amazing experience with many interesting talks. I would like to thank the organizers for the excellent event and I definitely hope to return next year.