CVE-2018-21061

Vulnerability

CVE-2018-21061 affects Samsung mobile devices running Android N (version 7.1) and O (version 8.x). A fake charger can trigger the execution of critical functions while the device remains in a locked state. The specific code path is reachable when a malicious charger is physically connected to the device. The vulnerability was reported under Samsung ID SVE-2016-6341 and disclosed in August 2018.

Exploitation

An attacker requires physical access to the target device to plug in a crafted charger. No authentication or user interaction is needed once the charger is connected, as the device is locked. By supplying a fake charger that mimics legitimate charging signals, the attacker can execute critical functions without unlocking the screen.

Impact

Successful exploitation allows the attacker to execute pre-defined critical functions (e.g., sensitive system operations) on the locked device. This can lead to unauthorized access to device functions, potential information disclosure, or compromise of device integrity, depending on the functions triggered.

Mitigation

Samsung has not publicly disclosed a specific fix version for this vulnerability in the available references. Users should ensure their devices are updated to the latest firmware via Samsung's security update process [1]. As the vulnerability affects Android 7.1 and 8.x, users on later versions may be protected. No workaround is provided in the references.