
CERT Coordination Center

Samsung Magician fails to update itself securely

Vulnerability Note VU#846320

Original Release Date: 2017-06-15 | Last Revised: 2017-06-15

Overview

Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.

Description

Samsung Magician is a management utility for Samsung SSDs. Prior to version 5.0, Samsung Magician checks for and retrieves updates over HTTP. Prior to version 5.1, Samsung Magician uses HTTPS to perform update operations; however, it does not validate SSL certificates.
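The two weaknesses described above (a plaintext update channel, then an HTTPS channel that accepts any certificate) are easy to miss in a client's own code because both "work" on a clean network. The following added example, which is not Samsung's code and not part of this note, shows how each shows up in a Python TLS context, an audit function that flags both conditions, and a digest check of the downloaded package against a value pinned in the client, so the transport is not the only thing between the update and execution. The URL, the sample package bytes and the pinned digest are constructed for illustration.

```python
"""Audit an update channel for the weaknesses the note describes and
verify a downloaded update package against a pinned digest.

Added example; not the vendor's code. All sample values are constructed.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse


def insecure_update_context() -> ssl.SSLContext:
    """Equivalent of 'use HTTPS but do not validate the certificate'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including one minted on-path, is accepted
    return ctx


def secure_update_context() -> ssl.SSLContext:
    """Default context: chain is validated against the trust store and the
    host name is compared to the certificate."""
    return ssl.create_default_context()


def audit_update_channel(url: str, ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the channel passes both checks."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        # Pre-5.0 behaviour: update metadata and payload travel unprotected.
        findings.append(f"update URL uses scheme '{scheme or 'none'}'; traffic can be modified in transit")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Pre-5.1 behaviour: HTTPS, but the server certificate is never validated.
        findings.append("TLS context does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("TLS context does not check that the certificate matches the host name")
    return findings


def verify_update_package(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded package against a digest shipped inside the client
    (or obtained out of band). Constant-time comparison avoids leaking the prefix
    that matched."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# Constructed sample values: a stand-in installer and the digest the client
# would carry for it. A real client embeds the digest (or a signature) at build time.
SAMPLE_PACKAGE = b"constructed sample installer bytes"
PINNED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()
UPDATE_URL_HTTP = "http://updates.example.invalid/magician/update.xml"
UPDATE_URL_HTTPS = "https://updates.example.invalid/magician/update.xml"


if __name__ == "__main__":
    for label, url, ctx in (
        ("pre-5.0 style", UPDATE_URL_HTTP, insecure_update_context()),
        ("pre-5.1 style", UPDATE_URL_HTTPS, insecure_update_context()),
        ("hardened", UPDATE_URL_HTTPS, secure_update_context()),
    ):
        print(label, audit_update_channel(url, ctx) or "OK")
    print("package intact:", verify_update_package(SAMPLE_PACKAGE, PINNED_SHA256))
    print("package tampered:", verify_update_package(SAMPLE_PACKAGE + b"\x00", PINNED_SHA256))
```

The audit function is the kind of check a code reviewer or a unit test can apply to an updater before release: a configuration that passes it still only proves the transport is authenticated, which is why the package digest (or, better, a signature over the package) is checked separately and why the note below advises against using the vulnerable self-update mechanism to fetch the fixed version.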

Impact

An attacker on the same network as, or who can otherwise affect network traffic from, a Samsung Magician user can cause the Magician update process to execute arbitrary code with system administrator privileges.

Solution

Apply an update

This issue is addressed in Samsung Magician 5.1. Note that because the update mechanism is vulnerable, do not use the self-update mechanism for Samsung Magician to obtain the fixed version.

Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.

Vendor Information


Samsung Memory

Notified: April 24, 2017 | Updated: June 15, 2017

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 6.5 E:POC/RL:OF/RC:C
Environmental 4.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2017-3218
Date Public: 2017-06-15
Date First Published: 2017-06-15
Date Last Updated: 2017-06-15 15:45 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.