SVE-2019-15435 is one of 21 vulnerabilities in Samsung devices which affect Galaxy S8, S9, S10, S10e, S10 Plus, S10 5G, Note 9, Note 10 and Note 10 Plus users.
SVE-2019-15435 in particular is a critical issue, described as follows: “Enhancement in IMEI security mechanism is required for improved protection against potential IMEI manipulation.” Not enough information is currently available about this critical vulnerability.
Of the 21 flaws, one is critical, three are rated as “high” in severity, 17 are related to Samsung’s One user interface, and four are Android-related.
SVE-2019-15435, Samsung Galaxy Issues
The October 2019 Samsung security maintenance release, or SMR for short, is rolling out to users of the various Galaxy devices. The SMR contains patches from Google for Galaxy 10 and prior releases. There are also vulnerabilities affecting Galaxy 8 and Galaxy 9 users, such as the critical SVE-2019-15435.
Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
Unfortunately, not enough information is currently available about this critical issue which also impacts Galaxy S9 and Note 9. What is known is that the vulnerability has been disclosed privately, Forbes reported. The potential number of impacted users is 40 million – there are approximately 30 million Galaxy 9 smartphones sold to users, and 10 million Galaxy Note 9.
As already mentioned, SVE-2019-15435 is described as a needed enhancement to the IMEI (International Mobile Equipment Identity) security mechanism for improved protection against IMEI manipulation. There’s the possibility that the vulnerability is related to a technique that circumvents the IMEI blacklist, which prevents stolen devices from being resold, Forbes noted. A clean IMEI number is quite attractive to criminals dealing with stolen items.
Just a couple of days ago we warned owners of Huawei, Xiaomi, Samsung, LG and Google devices about a security flaw in Android.
The vulnerability is described as a use-after-free memory condition in the Android Binder component, which can result in escalation of privileges. In fact, the issue was patched in the Linux 4.14 LTS kernel, the Android Open Source Project’s (AOSP) 3.18 kernel, the AOSP 4.4 kernel and the AOSP 4.9 kernel in December 2017 without receiving a CVE identifier.
However, AOSP only maintains the reference Android code, and individual device manufacturers don’t implement it directly. These manufacturers maintain separate firmware trees for their devices, which often run different kernel versions.
In other words, every time a vulnerability is fixed in AOSP, manufacturers need to import the patch and apply it to their customized firmware code. The problem is that this was not done for this particular issue, leaving the vulnerability unpatched.
As for the Samsung issues, “note that in some cases regular OS upgrades may cause delays to planned security updates. However, users can be rest assured the OS upgrades will include up-to-date security patches when delivered”, the company said in the security advisory.