CVE-2024-34595

Vulnerability

The vulnerability exists in the clickAdapterItem method of SystemUI on Samsung devices running Android versions prior to the SMR Jul-2024 Release 1. Due to improper access control, the method does not properly enforce permission checks when handling adapter item clicks, allowing a local attacker to invoke privileged activities that should be restricted. Affected versions include all Samsung firmware releases before the July 2024 security patch [1].

Exploitation

An attacker must have local access to the device (e.g., through a malicious app installed by the user). No additional authentication is required beyond the app's existing permissions. The attacker can craft an intent that triggers the vulnerable clickAdapterItem path, bypassing the intended access controls to launch a privileged activity.

Impact

Successful exploitation allows the attacker to launch privileged activities within SystemUI, potentially leading to elevation of privilege. This could result in unauthorized access to sensitive system functions or data, depending on the activity launched. The impact is limited to local attacks, but could compromise device security and user privacy.

Mitigation

The vulnerability is fixed in Samsung's Security Maintenance Release (SMR) for July 2024, designated as SMR Jul-2024 Release 1. Users should update their devices to the latest firmware version provided by Samsung. No workarounds are available; applying the security update is the only mitigation [1].