According to the official information, Samsung published the details of the July 2021 security patch. The latest security update brings fixes for 3 critical and 38 high levels of CVEs.
JOIN SAMSUNG ON TELEGRAM
Samsung has not mentioned any moderate level of threat in this month’s security bulletin. It is worth noting that two exploits are already fixed last month while two viruses not applicable for Samsung devices.
Along with Google patches, Samsung Mobile provides 8 Samsung Vulnerabilities and Exposures (SVE) items described below, in order to improve our customer’s confidence on security of Samsung Mobile devices.
The company has also detailed the list of eligible devices that will get monthly/quarterly/other security updates.
Google patches include patches up to Android Security Bulletin – July 2021 package. The Bulletin (July 2021) contains the following CVE items:
Critical
CVE-2020-26558(A-179039983), CVE-2020-11176, CVE-2020-11291High
CVE-2020-26555(A-181682537, A-174626251), CVE-2020-11304, CVE-2020-11298, CVE-2020-11306, CVE-2021-1900, CVE-2021-0512, CVE-2021-0525, CVE-2021-0527, CVE-2021-0533, CVE-2021-0526, CVE-2021-0528, CVE-2021-0529, CVE-2021-0531, CVE-2021-0530, CVE-2021-0532, CVE-2020-11292, CVE-2020-11267, CVE-2020-14305, CVE-2021-1937, CVE-2020-26558(A-174886838), CVE-2021-0513, CVE-2021-0478, CVE-2021-0441, CVE-2021-0486, CVE-2021-0587, CVE-2021-0601, CVE-2020-0417, CVE-2021-0585, CVE-2021-0586, CVE-2021-0589, CVE-2021-0594, CVE-2021-0600, CVE-2021-0602, CVE-2021-0590, CVE-2021-0596, CVE-2021-0597, CVE-2021-0599, CVE-2021-0604Moderate
NoneAlready included in previous updates
CVE-2021-1925Not applicable to Samsung devices
CVE-2021-0588※ Please see Android Security Bulletin for detailed information on Google patches.
To be specific:
It Fixes Multiple Bluetooth Core Specification Vulnerabilities: Details below
- The Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack. When an attacker connects to a victim device using the address of the device and the victim initiates a Pairing, the attacker can reflect the encrypted nonce even without knowledge of the key.
- The Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge.
- The authentication property of the Bluetooth LE Legacy Pairing procedures is vulnerable to a reflection attack. A remote attacker without knowledge of the token key can complete the authentication protocol.
The patch fixes exception handling for the Bluetooth core protocol.
SQL Injection in Bluetooth: Details below
- SQL injection vulnerability in Dialer Storage prior to SMR July-2021 Release 1 allows unauthorized access to paired Bluetooth information
- The patch adds proper input validation in Bluetooth.
Allow dangerous level permission without user confirmation in limited circumstances: Details below
- Improper validation check vulnerability in PackageManager prior to SMR July-2021 Release 1 allows untrusted applications to get dangerous level permission without user confirmation in limited circumstances.
- The patch adds a proper validation check in PackageManager.