Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and vehicles.
The Exynos modem security flaws were reported between late 2022 and early 2023. Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband.
These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.
"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
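The kind of strict format check the advisory says was missing can be sketched as follows. This is an added example, not Samsung's or Project Zero's code and not a reconstruction of the bug; it assumes the `a=accept-types` format-list grammar from RFC 4975 with RFC 3261 token characters, and the function names and size limits are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Assumed policy limits (not taken from the advisory). */
#define MAX_ENTRIES 16
#define MAX_TOKEN   64

/* RFC 3261 "token" characters: alphanumerics plus a small punctuation set. */
static int is_token_char(unsigned char c) {
    return isalnum(c) || (c != '\0' && strchr("-.!%*_+`'~", c) != NULL);
}

/* Length of the token at s (1..MAX_TOKEN), or 0 if absent or oversized. */
static size_t scan_token(const char *s) {
    size_t n = 0;
    while (is_token_char((unsigned char)s[n]))
        if (++n > MAX_TOKEN) return 0;
    return n;
}

/* Validate one SDP line, already stripped of CRLF: the attribute name, then
 * SP-separated type/subtype entries or a lone wildcard. Returns the entry
 * count, or -1 if the line is malformed or exceeds the limits above. */
int check_accept_types(const char *line) {
    static const char prefix[] = "a=accept-types:";
    int entries = 0;
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = line + sizeof prefix - 1;
    for (;;) {
        size_t n = scan_token(p);
        if (n == 0) return -1;               /* missing or oversized type */
        int wildcard = (n == 1 && p[0] == '*');
        p += n;
        if (*p == '/') {
            if (wildcard) return -1;         /* lone wildcard takes no subtype */
            if ((n = scan_token(p + 1)) == 0) return -1;
            p += 1 + n;
        } else if (!wildcard) {
            return -1;                       /* bare type with no subtype */
        }
        if (++entries > MAX_ENTRIES) return -1;
        if (*p == '\0') return entries;      /* clean end of line */
        if (*p++ != ' ') return -1;          /* exactly one SP between entries */
    }
}

int main(void) {  /* constructed sample line, not captured traffic */
    printf("%d\n", check_accept_types("a=accept-types:message/cpim text/*"));
    return 0;
}
```

Every length and character class is checked before the entry is accepted, so a line that does not match the grammar is rejected outright rather than handed to later parsing stages.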
The only information required for the attacks to be pulled off is the victim's phone number, according to Tim Willis, the Head of Project Zero.
To make things even worse, with minimal additional research, experienced attackers could easily create an exploit capable of remotely compromising vulnerable devices without triggering the targets' attention.
"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution," Willis said.
The 14 remaining flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine others awaiting CVE-IDs) are not as critical but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.
Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- any wearables that use the Exynos W920 chipset; and
- any vehicles that use the Exynos Auto T5123 chipset.
Workaround available for affected devices
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.
Each manufacturer's patch timeline for their devices will differ but, for example, Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.
End-users still don't have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
However, until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector.
Samsung also confirmed Project Zero's workaround, saying that "users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability."
"As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities," Willis added.