CVE-2021-25501

Vulnerability

An improper access control vulnerability exists in the SCloudBnRReceiver component of SecTelephonyProvider on Samsung mobile devices. This affects devices running firmware versions prior to the Samsung Mobile Security (SMR) Nov-2021 Release 1 [1]. The issue allows an untrusted application to invoke protected provider functions that should only be accessible by privileged system components.

Exploitation

An attacker with a malicious app installed on the device can exploit this vulnerability. No special permissions are required beyond the ability to run an untrusted application. The attacker crafts an intent or IPC call to SCloudBnRReceiver, which improperly enforces access controls, thereby allowing the untrusted app to reach the protected SecTelephonyProvider methods.

Impact

Successful exploitation enables the attacker to invoke protected telephony provider operations. This could lead to unauthorized access to sensitive device telephony data or configuration changes, potentially violating the confidentiality or integrity of the telephony subsystem. The exact scope of CIA impact depends on the specific protected providers accessed, but the vulnerability inherently bypasses the intended privilege separation.

Mitigation

The vulnerability is patched in the SMR Nov-2021 Release 1 for Samsung devices [1]. Users should ensure their device's security updates are installed and set to automatic updates. No workaround is available; the only fix is installing the vendor-provided update. This CVE is currently not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.