CVE-2024-20802 is an improper access control vulnerability identified in Samsung DeX on Samsung Mobile Devices prior to the SMR (Security Maintenance Release) January 2024 Release 1. The vulnerability arises in multi-user environments where the device owner can access notifications belonging to other users. This issue is categorized under CWE-284, which pertains to improper access control, indicating that the system fails to enforce correct permissions or restrictions on resource access. The vulnerability does not require user interaction or privileges (AV:P/AC:L/PR:N/UI:N), meaning it can be exploited remotely with low complexity and no authentication. The impact is primarily on confidentiality, as unauthorized access to notifications can expose sensitive information, but it does not affect integrity or availability. The CVSS v3.1 base score is 4.6, indicating a medium severity level. No known exploits are currently reported in the wild, and no patches are explicitly linked in the provided data, though the fix is expected in the SMR Jan-2024 Release 1. Samsung DeX is a feature that enables a desktop-like experience on Samsung mobile devices, often used in professional and enterprise contexts, making this vulnerability relevant for environments where multiple users share a device or use multi-user profiles. The improper access control flaw could lead to leakage of sensitive notifications such as emails, messages, or alerts from other users, potentially exposing confidential or personal data.

For European organizations, especially those utilizing Samsung mobile devices with Samsung DeX in shared or multi-user scenarios, this vulnerability poses a confidentiality risk. Sensitive corporate or personal notifications could be accessed by unauthorized users sharing the device, leading to potential data leaks, privacy violations, or exposure of business-critical information. This is particularly concerning in sectors with strict data protection regulations such as GDPR, where unauthorized disclosure of personal or sensitive data can result in regulatory penalties and reputational damage. While the vulnerability does not affect device integrity or availability, the confidentiality breach could facilitate social engineering attacks or insider threats. Organizations relying on Samsung devices for mobile productivity or shared device use should be aware of this risk and consider it in their mobile device management and security policies.

1. Apply the SMR January 2024 Release 1 update from Samsung as soon as it becomes available to ensure the vulnerability is patched. 2. Until the patch is applied, avoid using multi-user profiles on Samsung devices with Samsung DeX in sensitive environments. 3. Implement strict device usage policies that limit shared access to devices or enforce session locking and user separation. 4. Use Mobile Device Management (MDM) solutions to monitor device configurations and enforce security policies that restrict multi-user access or notifications visibility. 5. Educate users about the risks of shared device usage and encourage logging out or switching users properly to minimize exposure. 6. Consider disabling Samsung DeX in environments where multi-user access is necessary but cannot be controlled securely. 7. Regularly audit device usage and notification settings to detect any unauthorized access or anomalies.