CVE-2017-18644

Vulnerability

The vulnerability is a heap-based buffer overflow in the muic_set_reg_sel function during the reading of MUIC (Micro-USB Integrated Circuit) register values. This issue affects Samsung mobile devices running Android Lollipop (5.1), Marshmallow (6.x), and Nougat (7.x). The overflow occurs when processing specially crafted MUIC register values, potentially controlled by a connected USB device or charger. Samsung ID SVE-2017-10011 (December 2017) was assigned. The official description confirms the heap overflow but does not provide a root cause analysis [1].

Exploitation

An attacker would need physical access or the ability to connect a malicious USB accessory (e.g., a charger or OTG device) to the target device. No authentication is required as the MUIC driver is accessed at the kernel level during USB detection and charging. The sequence involves the device attempting to read a corrupted MUIC register value, which triggers the overflow in the secure memory heap, potentially leading to memory corruption and code execution in the kernel context.

Impact

Successful exploitation can lead to memory corruption, potentially allowing arbitrary kernel code execution. The attacker could gain elevated privileges (kernel level), leading to complete compromise of confidentiality, integrity, and availability of the device. Information disclosure or persistent device takeover are possible outcomes.

Mitigation

Samsung addressed this issue as part of their monthly security update program, with the fix released in December 2017. Users should ensure their device is updated to the latest security patch level. The Samsung Mobile Security website provides update details [1]. No workaround is available; users must apply the vendor-provided patch. Devices running Android 8.0 (Oreo) or later are not affected.