VYPR
Unrated severity · NVD Advisory · Published Mar 16, 2023 · Updated Feb 26, 2025

CVE-2023-21458

Description

Improper privilege management vulnerability in PhoneStatusBarPolicy in System UI prior to SMR Mar-2023 Release 1 allows attacker to turn off Do not disturb via unprotected intent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper privilege management vulnerability in Samsung System UI allows any app to disable Do Not Disturb via an unprotected intent.

Vulnerability

An improper privilege management vulnerability exists in PhoneStatusBarPolicy within System UI on Samsung devices running firmware prior to SMR Mar-2023 Release 1. The component exposes an unprotected intent that can be used to toggle the Do not disturb (DND) setting without requiring any special permissions [1].

Exploitation

An attacker only needs to install a malicious application on the target device. No additional permissions, user interaction, or network access is required. The app sends an unprotected intent to the PhoneStatusBarPolicy component, which silently accepts the command and disables DND [1].

Impact

By turning off Do not disturb, the attacker can cause the device to ring, vibrate, or play notification sounds at any time, potentially disrupting the user in meetings, during sleep, or in other quiet environments. This reduces user control over their device ringer settings and can lead to embarrassment or privacy leaks if audible alerts occur in sensitive contexts. The attacker does not gain access to user data or other system capabilities [1].

Mitigation

The vulnerability is fixed in SMR Mar-2023 Release 1, released in March 2023. Users should update their Samsung device firmware via the Samsung Security Update process. There is no known workaround for unpatched devices; the only mitigation is to apply the security update [1].
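
One way to check devices against the fixed release, as an added example that is not part of the advisory: it parses `adb shell getprop` output and compares the reported security patch level with March 2023. It assumes SMR Mar-2023 Release 1 is reported as `ro.build.version.security_patch` 2023-03-01; the device names and property dumps are constructed.

```python
import re
from datetime import date

# Assumption: SMR Mar-2023 Release 1 shows up as patch level 2023-03-01.
FIXED_LEVEL = date(2023, 3, 1)
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props

def classify(text):
    """Return 'not_applicable', 'unknown', 'exposed' or 'patched' for one dump."""
    props = parse_getprop(text)
    maker = props.get("ro.product.manufacturer")
    if maker is None:
        return "unknown"          # cannot tell whether the advisory applies
    if maker.lower() != "samsung":
        return "not_applicable"   # the advisory covers Samsung System UI only
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"          # missing or malformed patch level
    return "patched" if level >= FIXED_LEVEL else "exposed"

def audit(dumps):
    """Classify every device in a {name: getprop_text} mapping."""
    return {name: classify(text) for name, text in dumps.items()}

# Constructed sample dumps, trimmed to the two properties the check reads.
SAMPLES = {
    "device-a": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: [2023-02-01]\n",
    "device-b": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: [2023-03-01]\n",
    "device-c": "[ro.product.manufacturer]: [Google]\n"
                "[ro.build.version.security_patch]: [2022-12-05]\n",
    "device-d": "[ro.product.manufacturer]: [samsung]\n"
                "[ro.build.version.security_patch]: []\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```
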

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
