Remote Code Execution Flaw in Samsung Galaxy S9 ASN.1 Parser
CVE-2019-6740

9.6CRITICAL

Key Information:

Vendor: Samsung
Status: Galaxy S9
Vendor: CVE Published:; 3 June 2019

Summary

A vulnerability in the ASN.1 parser of Samsung Galaxy S9 devices allows remote attackers to execute arbitrary code by persuading users to visit malicious web pages or open harmful files. The flaw arises from improper validation of the length of user-provided ASN.1 strings, which can lead to buffer overflow and code execution in the context of the current process. Users are advised to apply the January 2019 Security Update to mitigate this risk.

Affected Version(s)

Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467)

References

https://www.zerodayinitiative.com/advisories/ZDI-19-253/

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 3, 2019
Vulnerability Reserved
Jan 24, 2019

Credit

fluoroacetate