Samsung Windows Laptop Owners Urged To Download Fix To MitM Vulnerability
Samsung laptop owners are being urged to update their Windows PCs after the discovery of a vulnerability that can allow remote attackers to download files onto a targeted system and gain complete control over the laptop.
The flaw is tied to a feature called “Samsung SW Update Tool 18.104.22.168” designed keep Samsung laptop users’ drivers and software up to date. Security researchers at Core Security discovered the vulnerability in November 2015 and disclosed the flaw March 4 after Samsung issued the patch to fix the problem.
“This vulnerability could be considered as a medium or low threat to most Samsung laptop users,” said Joaquín Varela, senior security researcher from Core Security CoreLabs Team, who discovered the Samsung vulnerability.
Affected Samsung laptops include all models running Windows 7, 8 and 10, Varela said. He said all earlier versions of the Samsung SW Update Tool also may contain the vulnerability. Varela said Core Security did not test earlier versions of the software, but suspects they also contain the flaw.
Samsung did not return a request for comment. Samsung laptop owners can download Samsung’s most recent version of its Software Update Tool (SWUpdate_22.214.171.124) to apply the patch.
“This flaw gives attackers the ability to perform a textbook man-in-the-middle attack,” Varela said in an interview with Threatpost. “Samsung made no attempt to encrypt or authenticate traffic between the software update tool and Samsung servers,” he said.
Varela said the attack would need to be carried out on a shared Wi-Fi or LAN network with the targeted PC. Next, a DNS Spoofing attack would be put in place that routes web traffic from the targeted machine though the attacker’s own system. This type of man-in-the-middle attack would allow a hacker to redirect webpage requests and return spoofed Samsung files that appeared to be drivers or software updates to the victim’s laptops.
In some cases, according to Varela, the Samsung software update tool was configured to automatically request driver updates, allowing the attacker to install files on the targeted PC without the users consent or knowledge.
“The (MitM) attack could result in integrity corruption of the transferred data, information leak and consequently code execution,” according to Varela’s research.
The vulnerabilities include Cleartext Transmission of Sensitive Information and Insufficient Verification of Data Authenticity, according Code Security.
According to Varela’s research, the MitM attack is able to monitor the communication between the Samsung PC and Samsung servers allowing the attacker to intercept a request for an XML file that contains the model ID for which the drivers are being requested.
“In the XML file that is received from the server, there’s a tag called ‘FURL’ that has the URL of the file that is going to be downloaded and executed by the application… There is no verification at all performed by the software itself over the downloaded files… An attacker can easily modify the returning XML file in order to achieve code execution on the victim’s machine,” Varela wrote.
On March 4, Samsung released an update to its software update tool correcting the problem. According to Varela, Samsung now encrypts the HTTP traffic between the software tool and Samsung servers, it also authenticates the communication and has put in safeguards that will not allow any files not specifically requested by the software to be installed on a Samsung customer’s machine, Varela said.
“After our report, Samsung implemented a ciphered communication between the tool and its servers and also a verification mechanism of the downloaded drivers,” Varela said.
Samsung users might want to use caution when seeking the most recent version of this software patch online. When Threatpost searched Google for an update for Samsung’s Software Update Tool a top search link pointed us to a Samsung website offering “troubleshooting” support for Samsung PC owners running Windows 8. Instead of offering the patched SWUpdate 126.96.36.199 version of the software, what appears to be an older version of the software (SWUpdate_188.8.131.52) was only available. A Samsung Windows 10 support page did offer the up-to-date version of the software.
Source | ThreatPost