
CVE-2024-20802: CWE-284: Improper Access Control in Samsung Mobile Samsung Mobile Devices

Medium
Tags: vulnerability, cve-2024-20802, cwe-284
Published: Thu Jan 04 2024 (01/04/2024, 01:10:10 UTC)
Source: CVE
Vendor/Project: Samsung Mobile
Product: Samsung Mobile Devices

Description

Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows owner to access other users' notification in a multi-user environment.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 21:43:36 UTC

Technical Analysis

CVE-2024-20802 is an improper access control vulnerability in Samsung DeX on Samsung Mobile Devices prior to SMR (Security Maintenance Release) Jan-2024 Release 1. It only matters in multi-user setups: the device owner (the primary Android user profile) can read notifications that belong to other user profiles on the same device. Android's multi-user model is meant to keep each profile's data, including notification content, isolated from every other profile; DeX failed to enforce that boundary, which is why the issue is classified as CWE-284 (Improper Access Control).

The published CVSS v3.1 metrics are AV:P/AC:L/PR:N/UI:N with a base score of 4.6 (Medium). AV:P means the attack vector is Physical: the attacker needs hands-on access to the device while signed in as the owner profile. This is not a remotely exploitable bug and no network exposure is involved. Attack complexity is low, and beyond that owner position no additional privileges or user interaction are needed. The impact is confidentiality only: notification content from other profiles, such as email and message previews, SMS one-time codes, or calendar and app alerts, can be disclosed. Integrity and availability are not affected.

No exploitation in the wild is reported. The CVE record links no separate patch reference; the fix ships in SMR Jan-2024 Release 1, the firmware level named in the description, so the security patch level on the device is the practical indicator of whether it is fixed.

Samsung DeX provides a desktop-style windowed environment when a Samsung phone or tablet is docked or connected to an external display. It is common in enterprise and shared-workstation deployments where one device serves several people through Android user profiles, which is exactly the configuration in which this flaw is reachable.

Potential Impact

For European organizations that deploy Samsung devices with Samsung DeX in shared or multi-user configurations, this vulnerability is a confidentiality risk. The party who gains access is the owner profile, typically the person or administrator who provisioned the device, so the exposure is of secondary users' corporate or personal notifications to whoever holds that profile. Depending on what apps push to the notification shade, that can include message bodies, email subjects, one-time codes and business-critical alerts. The disclosure of personal data in this way is a reportable concern under GDPR, with the usual regulatory and reputational consequences. Device integrity and availability are not affected, but the leaked content can feed social engineering against the affected users or be abused by an insider holding the owner profile. Organizations that rely on Samsung devices for shared mobile productivity should account for this in their mobile device management and acceptable-use policies.

Mitigation Recommendations

1. Apply SMR Jan-2024 Release 1 (or any later SMR) to every affected Samsung device; the device's security patch level is the simplest way to confirm the fix is present.
2. Until the update is applied, avoid secondary user profiles on Samsung devices that are used with DeX in sensitive environments.
3. Enforce device usage policies that limit shared access, require session locking, and keep user profiles separated.
4. Use Mobile Device Management (MDM) to inventory multi-user devices, monitor patch levels, and apply policies that restrict additional user profiles or notification visibility.
5. Educate users on the risks of shared devices and on switching users or logging out properly to minimize exposure.
6. Consider disabling Samsung DeX where multi-user access is required but cannot otherwise be controlled securely.
7. Regularly audit device usage and notification settings to detect unauthorized access or anomalies.
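The two facts the recommendations above hinge on are the device's security patch level (item 1 and 4) and whether it actually has more than one user profile (item 2 and 4). The script below is an added triage example, not part of the advisory or of Samsung's tooling. It assumes that SMR Jan-2024 Release 1 corresponds to the Android security patch level string 2024-01-01 reported by `ro.build.version.security_patch`, and it embeds a constructed sample of `pm list users` output so it runs offline; the live adb invocation is shown commented out.

```shell
#!/bin/sh
# Added triage example for CVE-2024-20802 (not from the advisory or Samsung).
# Decides whether a Samsung device is still missing SMR Jan-2024 Release 1 and
# whether it has secondary user profiles, the precondition for the bug.

# Assumption: SMR Jan-2024 Release 1 reports security patch level 2024-01-01.
FIXED_SPL="2024-01-01"

# is_patched SPL -> prints "patched", "unpatched" or "unknown".
# ISO dates compare correctly as integers once the dashes are removed.
is_patched() {
    spl="$1"
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    have=$(printf '%s' "$spl" | sed 's/-//g')
    want=$(printf '%s' "$FIXED_SPL" | sed 's/-//g')
    if [ "$have" -lt "$want" ]; then
        echo "unpatched"; return 1
    fi
    echo "patched"; return 0
}

# count_users reads `pm list users` output on stdin and prints the number of
# user profiles. Each profile is listed as a line containing "UserInfo{id:name:flags}".
count_users() {
    grep -c 'UserInfo{' || true
}

# triage SPL USERS_OUTPUT -> prints a verdict line; returns 0 only when no action is needed.
triage() {
    spl="$1"; users="$2"
    status=$(is_patched "$spl")
    n=$(printf '%s\n' "$users" | count_users)
    if [ "$status" = "unpatched" ] && [ "$n" -gt 1 ]; then
        echo "ACTION: SPL $spl predates $FIXED_SPL and $n user profiles exist: CVE-2024-20802 exposure, update or remove secondary users"
        return 1
    elif [ "$status" = "unpatched" ]; then
        echo "UPDATE: SPL $spl predates $FIXED_SPL; single profile so no current exposure, but update before adding users"
        return 1
    elif [ "$status" = "unknown" ]; then
        echo "UNKNOWN: could not parse security patch level '$spl'"
        return 2
    fi
    echo "OK: SPL $spl includes SMR Jan-2024 Release 1"
    return 0
}

# Constructed sample of `pm list users` output: an owner plus one secondary user.
SAMPLE_USERS='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Alice:410} running'

# Live usage against a connected device (commented out so the script runs offline):
#   triage "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
#          "$(adb shell pm list users)"

# Offline demonstration on the constructed sample.
triage "2023-12-01" "$SAMPLE_USERS" || echo "(non-zero exit: follow-up required)"
triage "2024-01-01" "$SAMPLE_USERS"
```

Fleet-wide, the same two commands can be run through an MDM's shell or script channel and the verdict fed back as a compliance attribute; the patch-level comparison is the authoritative signal, the profile count only tells you whether the exposure is currently live.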


Technical Details

Data Version
5.1
Assigner Short Name
SamsungMobile
Date Reserved
2023-12-05T04:57:52.530Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9816c4522896dcbd6c0c

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:43:36 PM

Last updated: 8/15/2025, 5:47:18 AM

