[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [CVE-2019-16253] Privilege Escalation in Samsung Mobile Android SamsungTTS Component

[CVE-2019-16253] Privilege Escalation in Samsung Mobile Android SamsungTTS 
Component


Software:
--------
Samsung Text-to-speech Engine System Component on Android


Description:
----------
The Text-to-speech Engine (aka SamsungTTS) before 3.0.02.7/3.0.00.101 for 
Android allows a local attacker to escalate privilege, e.g., to system 
privilege. This issue is reported to & confirmed and patched by Samsung Mobile 
Security Rewards Program under case ID 101755.



Patched version:
------------
- Android N,O or older : 3.0.00.101 
- Android P : 3.0.02.7



Impact:
-------
A successful local attack can obtain system privilege on vulnerable phones.


Solution:
---------
Update the TTS component via Galaxy AppStore to newest version or versions 
later than patched versions listed above.


Credit:
-------
Discovered by Qidan He (a.k.a Edward Flanker, @flanker_hqd). Detailed about 
this vulnerability will be released shortly after confirmation from Samsung 
Mobile for responsible disclosure.


------------------
Sincerely
Qidan (a.k.a Flanker)
Website: https://blog.flanker017.me

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/