CVE-2023-42533

Vulnerability

An improper input validation vulnerability exists in the USB Gadget Interface of Samsung mobile devices running Android. The issue affects all versions prior to the SMR Nov-2023 Release 1 security update. The vulnerability is triggered when a physical attacker connects a malicious USB device or manipulates the USB gadget interface, leading to a kernel-level memory corruption.

Exploitation

To exploit this vulnerability, an attacker must have physical access to the target device and connect a specially crafted USB device or utilize the USB gadget interface. No authentication or user interaction is required beyond the physical connection. The attacker sends malformed input that bypasses validation checks, causing a buffer overflow or similar condition in the kernel driver.

Impact

Successful exploitation allows the attacker to execute arbitrary code in the kernel context. This results in full compromise of the device, including the ability to install persistent malware, access sensitive data, and bypass security controls. The attacker gains the highest privilege level on the device.

Mitigation

Samsung has addressed this vulnerability in the SMR Nov-2023 Release 1 security update, released on November 7, 2023 [1]. Users should ensure their device is updated to the latest security patch level. No workaround is available for unpatched devices.