CVE-2024-49413: 
NixOS vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2024-49413) was discovered in Samsung's SmartSwitch application prior to SMR Dec-2024 Release 1. The vulnerability relates to improper verification of cryptographic signatures, which was reported on October 23, 2024, by Ken Gannon of NCC Group working with Zero Day Initiative (Samsung Mobile). The vulnerability affects Android versions 13 and 14.

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L by Samsung Mobile. NIST has assigned a different CVSS score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

The vulnerability allows local attackers to install malicious applications on affected devices. This could potentially lead to unauthorized code execution and compromise of device security (Samsung Mobile).

Samsung has addressed this vulnerability in the December 2024 Security Maintenance Release (SMR Dec-2024 Release 1). The patch adds proper verification to prevent the exploitation of this vulnerability. Users are advised to update their devices to the latest security patch level (Samsung Mobile).

The vulnerability was discovered and reported through coordinated disclosure by Ken Gannon of NCC Group working with Zero Day Initiative, demonstrating ongoing security research efforts in mobile device security (Samsung Mobile).