Platform
android
Component
samsung-members
Fixed versions
2.4.81.13
3.8.00.13
CVE-2021-25343 describes a denial-of-service (DoS) vulnerability within the Samsung Members application. This flaw arises from the calling of a non-existent provider, allowing an attacker to potentially hijack the provider and trigger unauthorized actions. The vulnerability affects versions of Samsung Members prior to 2.4.81.13 on Android O (8.1) and below, and versions up to 3.8.00.13 on Android P (9.0) and above. A fix is available in version 3.8.00.13.
An attacker exploiting CVE-2021-25343 can induce a denial-of-service condition on a target device running the vulnerable Samsung Members application. By hijacking the provider, the attacker can potentially disrupt the normal operation of the app, preventing legitimate users from accessing its features. While the description doesn't detail specific data at risk, the ability to trigger unauthorized actions suggests potential for further exploitation and privilege escalation within the device's ecosystem. The blast radius is limited to the affected device, but widespread deployment of the Samsung Members app increases the overall potential impact.
CVE-2021-25343 was publicly disclosed on March 4, 2021. There is no indication of this vulnerability being actively exploited in the wild. The CVSS score is 4.0 (Medium), suggesting a moderate probability of exploitation. No KEV listing is currently available. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests it could be relatively straightforward to exploit given sufficient knowledge of the Samsung Members application's internal workings.
Users of Samsung devices running Android O (8.1) and below, and those running Android P (9.0) and above with versions of the Samsung Members app prior to 3.8.00.13 are at risk. This includes users who have not enabled automatic app updates or who are using older, unsupported devices.
• android / app:
```powershell
# Check for vulnerable Samsung Members versions.
# Get-InstalledPackage is assumed to be supplied by an MDM/inventory module (it is not a built-in cmdlet).
# Cast to [version] so the comparison is numeric rather than string-based; anything below the
# fixed version 3.8.00.13 is vulnerable.
Get-InstalledPackage -Name "Samsung Members" |
    Where-Object { [version]$_.Version -lt [version]"3.8.00.13" } |
    Select-Object Version
```
• android / app:
```shell
# Inspect the installed app's version and declared permissions (package name as given on this page)
adb shell dumpsys package com.samsung.android.members | grep -E "versionName|permission"
```
• android / system:
```shell
# Check system logs for errors related to provider calls
adb logcat -s ActivityManager | grep "ProviderNotFoundException"
```
Exploitation status
EPSS
0.05% (17th percentile)
CVSS vector
The primary mitigation for CVE-2021-25343 is to upgrade the Samsung Members application to version 3.8.00.13 or later. This version includes the necessary fix to prevent the calling of the non-existent provider. There are no immediate workarounds beyond ensuring users are running the latest available version of the app. Consider implementing mobile device management (MDM) policies to enforce app updates and prevent the installation of older, vulnerable versions. After upgrading, confirm the fix by attempting to trigger the vulnerable action (e.g., initiating a provider call) and verifying that it no longer results in an error or unauthorized behavior.
If you are on Android O (8.1) or lower, update the Samsung Members app to version 2.4.81.13 or later. If you are on Android P (9.0) or higher, update to version 3.8.00.13 or later. This fixes the vulnerability that allows unauthorized actions, including denial of service.
CVE-2021-25343 is a denial-of-service vulnerability in the Samsung Members Android app, allowing unauthorized actions via provider hijacking.
You are affected if you are using Samsung Members version 3.8.00.13 or earlier on Android O (8.1) and below, or versions up to 3.8.00.13 on Android P (9.0) and above.
Upgrade the Samsung Members app to version 3.8.00.13 or later through the Google Play Store.
There is currently no evidence of CVE-2021-25343 being actively exploited in the wild.
Refer to the Samsung Security Bulletin for details: [https://security.samsung.com/sec.php?type=notice&no=113597](https://security.samsung.com/sec.php?type=notice&no=113597)