Project Zero, Google’s zero-day bug hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars.
The Exynos modem security vulnerabilities were reported between late 2022 and early 2023. Four of the eighteen zero days were identified as the most severe, allowing remote code execution from the Internet to baseband.
These Internet-to-Baseband Remote Code Execution (RCE) bugs (including CVE-2023-24033 and three others awaiting a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.
“The baseband software does not properly check the accept-type attribute format types specified by the SDP, which may lead to a denial of service or code execution in Samsung Baseband Modem,” Samsung said in a security advisory describing the CVE-2023-24033 vulnerability.
The only information necessary for the attacks to be successful is the victim’s telephone number, according to Tim Willis, the Project Zero leader.
To make matters worse, with minimal additional research, experienced attackers could easily create an exploit capable of compromising vulnerable devices remotely without attracting the attention of targets.
“Due to a very rare combination of the level of access provided by these vulnerabilities and the speed with which we believe a reliable operational exploit could be engineered, we have decided to make an exception to the policy to delay disclosure of the four vulnerabilities that allow Internet-to-baseband remote code execution,” Willis said.
The remaining 14 flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine others awaiting CVE IDs) are not as critical but still present a risk. Successful exploitation requires local access or a malicious mobile network operator.
Based on the list of affected chipsets provided by Samsung, the list of affected devices includes, but is likely not limited to:
- Samsung mobile devices, including those of the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Vivo mobile devices, including those of the S16, S15, S6, X70, X60 and X30 series;
- Google’s Pixel 6 and Pixel 7 series of devices;
- all portable devices that use the Exynos W920 chipset; and
- all vehicles that use the Exynos Auto T5123 chipset.
Workaround available for affected devices
Although Samsung has already provided security updates fixing these vulnerabilities in the affected chipsets to other vendors, the fixes are not public and cannot be applied by all affected users.
Each manufacturer’s patch schedule for their devices will be different, but, for example, Google has already addressed CVE-2023-24033 for affected Pixel devices in its March 2023 security updates.
End users still have no fixes 90 days after reporting… https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
However, until fixes are available, users can thwart baseband RCE exploits targeting Samsung’s Exynos chipsets in their device by disabling Wi-Fi calling and voice over LTE (VoLTE) to remove the attack vector.
Samsung also confirmed the Project Zero workaround, saying “users can disable WiFi and VoLTE calling to mitigate the impact of this vulnerability.”
“As always, we encourage end users to update their devices as soon as possible, to ensure they are running the latest versions that address disclosed and undisclosed security vulnerabilities,” Willis added.