[ad_1]

Samsung Exyno

Project Zero, Google’s zero-day bug hunting team, discovered and reported 18 baseband zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars.

The Exynos modem security vulnerabilities were reported between late 2022 and early 2023. Four of the eighteen zero days were identified as the most severe, allowing remote code execution from the Internet to baseband.

These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others awaiting a CVE ID) allow attackers to hack phones at the baseband level remotely and without any user interaction.

“The baseband software does not properly check the accept-type attribute format types specified by the SDP, which may lead to a denial of service or code execution in Samsung Baseband Modem,” Samsung said in a security advisory describing the CVE-2023-24033 vulnerability.

The only information necessary for the attacks to be successful is the victim’s telephone number, according to Tim Willisthe zero project leader.

To make matters worse, with minimal additional research, experienced attackers could easily create an exploit capable of compromising vulnerable devices remotely without attracting the attention of targets.

“The fourteen other associated vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine other vulnerabilities that do not yet have CVE identifiers ) weren’t as bad because they require either a malicious mobile network operator or an attacker with local access to the device,” says Willis. said.

Based on the list of affected chipsets provided by Samsung, the list of affected devices includes, but is likely not limited to:

  • Samsung mobile devices, including those of the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
  • Vivo mobile devices, including those of the S16, S15, S6, X70, X60 and X30 series;
  • Google’s Pixel 6 and Pixel 7 series of devices;
  • all portable devices that use the Exynos W920 chipset; And
  • all vehicles that use the Exynos Auto T5123 chipset.

Workaround available for affected devices

Although Samsung has already provided security updates fixing these vulnerabilities in the affected chipsets to other vendors, the fixes are not public and cannot be applied by all affected users.

Each manufacturer’s patch schedule for their devices will be different, but, for example, Google has already addressed CVE-2023-24033 for affected Pixel devices in its March 2023 security updates.

However, until fixes are available, users can thwart baseband RCE exploits targeting Samsung’s Exynos chipsets in their device by disabling Wi-Fi calling and voice over LTE (VoLTE) to remove the attack vector.

Samsung also confirmed the Project Zero workaround, saying “users can disable WiFi and VoLTE calling to mitigate the impact of this vulnerability.”

“As always, we encourage end users to update their devices as soon as possible, to ensure they are running the latest versions that address disclosed and undisclosed security vulnerabilities,” Willis added.

[ad_2]

Source link