Vulnerability in Samsung Exynos wireless modules exploited via the Internet.

  • Vulnerability in Samsung Exynos wireless modules exploited via the Internet.

    Researchers from Google's Project Zero team reported identifying 18 vulnerabilities in Samsung Exynos 5G/LTE/GSM modems. The four most dangerous vulnerabilities (CVE-2023-24033) allow for code execution at the baseband chip level through manipulation from external internet networks. According to Google Project Zero, with a little extra research, a skilled attacker could quickly develop a working exploit that would allow remote control of a wireless module, knowing only the victim's phone number. The attack can be carried out unnoticed by the user and does not require any action on the part of the user.

    The remaining 14 vulnerabilities have a lower risk level, as the attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, a fix for which was suggested in the March firmware update for Google Pixel devices, the issues remain unresolved. The only thing known about the CVE-2023-24033 vulnerability so far is that it is caused by incorrect validation of the "accept-type" attribute format transmitted in SDP (Session Description Protocol) messages.

    Until the vulnerability is fixed, it is recommended that users disable VoLTE (Voice-over-LTE) support and Wi-Fi calling in their settings. Affected devices are those equipped with Exynos chips, such as Samsung smartphones (S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04), Vivo (S16, S15, S6, X70, X60 and X30), Google Pixel (6 and 7), as well as Exynos W920-based wearable devices and car systems with the Exynos Auto T5123 chipset.

    Due to the danger of the vulnerabilities and the realistic likelihood of an exploit appearing quickly, Google has decided to make an exception for the 4 most dangerous problems and postpone disclosure of the nature of the problems. For the remaining vulnerabilities, the disclosure schedule will be respected after 90 days of vendor notification (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 vulnerabilities are already in the bug tracking system, while the remaining 9 have 90 days to expire). Marked vulnerabilities CVE-2023-2607* are caused by buffer overflow during decoding of certain options and lists in NrmmMsgCodec and NrSmPcoCodec.
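
The following is an added example, not part of the original post and not Samsung's or Google's code: a strict, bounds-checked validator for the kind of SDP attribute the post names. It assumes the attribute is the `a=accept-types:` media-type list from RFC 4975 (MSRP); the function names and the `MAX_TYPE_LEN` limit are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_TYPE_LEN 64   /* assumed per-entry limit, including the NUL */

/* RFC 2045 "token" characters allowed in a type or subtype name. */
static int is_token_char(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Accept "*", "type/subtype" or "type/*"; n is the entry length (n >= 1). */
static int valid_media_type(const char *s, size_t n)
{
    size_t i, slash = n;                      /* n means "no slash seen" */
    if (n == 1 && s[0] == '*') return 1;
    for (i = 0; i < n; i++) {
        if (s[i] == '/' && slash == n) slash = i;
        else if (!is_token_char((unsigned char)s[i])) return 0;
    }
    return slash > 0 && slash + 1 < n;        /* both halves non-empty */
}

/* Parse "a=accept-types:<t1> <t2> ..." into out[]. Returns the number of
 * entries, or -1 if the line is malformed or exceeds a limit. */
int parse_accept_types(const char *line, char out[][MAX_TYPE_LEN], size_t max_out)
{
    static const char prefix[] = "a=accept-types:";
    size_t count = 0;
    const char *p;

    if (line == NULL || strncmp(line, prefix, sizeof(prefix) - 1) != 0) return -1;
    p = line + sizeof(prefix) - 1;
    for (;;) {
        size_t n = strcspn(p, " \r\n");               /* length of next entry */
        if (n == 0 || n >= MAX_TYPE_LEN) return -1;   /* empty or oversized */
        if (count == max_out) return -1;              /* list too long for out[] */
        if (!valid_media_type(p, n)) return -1;
        memcpy(out[count], p, n);                     /* safe: n < MAX_TYPE_LEN */
        out[count++][n] = '\0';
        p += n;
        if (*p != ' ') break;
        p++;                                          /* exactly one separator */
    }
    /* Only the end of the line may follow the list. */
    if (*p != '\0' && strcmp(p, "\r\n") != 0 && strcmp(p, "\n") != 0) return -1;
    return (int)count;
}
```

Every length and count check happens before the copy, so a malformed or oversized list is rejected rather than truncated or written past the destination.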

  • #2
    Users should be advised that until the vulnerability is resolved, they should deactivate VoLTE (Voice-over-LTE) support and Wi-Fi calling in their settings. However, many consumers, in my opinion, are unaware of the presence of this issue. To remain up to date on the newest cybersecurity risks and vulnerabilities, I recommend consulting credible sources such as Samsung security advisories and CERT.



    • #3
      Originally posted by ZFKerr
      Researchers from Google's Project Zero team reported identifying 18 vulnerabilities in Samsung Exynos 5G/LTE/GSM modems. The four most dangerous vulnerabilities (CVE-2023-24033) allow for code execution at the baseband chip level through manipulation from external internet networks. According to Google Project Zero, with a little extra research, a skilled attacker could quickly develop a working exploit that would allow remote control of a wireless module, knowing only the victim's phone number. The attack can be carried out unnoticed by the user and does not require any action on the part of the user.

      The remaining 14 vulnerabilities have a lower risk level, as the attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, a fix for which was suggested in the March firmware update for Google Pixel devices, the issues remain unresolved. The only thing known about the CVE-2023-24033 vulnerability so far is that it is caused by incorrect validation of the "accept-type" attribute format transmitted in SDP (Session Description Protocol) messages.

      Until the vulnerability is fixed, it is recommended that users disable VoLTE (Voice-over-LTE) support and Wi-Fi calling in their settings. Affected devices are those equipped with Exynos chips, such as Samsung smartphones (S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04), Vivo (S16, S15, S6, X70, X60 and X30), Google Pixel (6 and 7), as well as Exynos W920-based wearable devices and car systems with the Exynos Auto T5123 chipset.

      Due to the danger of the vulnerabilities and the realistic likelihood of an exploit appearing quickly, Google has decided to make an exception for the 4 most dangerous problems and postpone disclosure of the nature of the problems. For the remaining vulnerabilities, the disclosure schedule will be respected after 90 days of vendor notification (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 vulnerabilities are already in the bug tracking system, while the remaining 9 have 90 days to expire). Marked vulnerabilities CVE-2023-2607* are caused by buffer overflow during decoding of certain options and lists in NrmmMsgCodec and NrSmPcoCodec.
      Samsung Exynos 5G/LTE/GSM modems have 18 Google Project Zero security vulnerabilities. The most dangerous is CVE-2023-24033, which allows an attacker to remotely execute malware and manipulate a victim's wireless modules using their phone number. Even though Google corrected 14 vulnerabilities—including buffer overflows—they delayed releasing the worst ones. Turn off VoLTE and Wi-Fi calling if in use.



      • #4
        Originally posted by ZFKerr
        Researchers from Google's Project Zero team reported identifying 18 vulnerabilities in Samsung Exynos 5G/LTE/GSM modems. The four most dangerous vulnerabilities (CVE-2023-24033) allow for code execution at the baseband chip level through manipulation from external internet networks. According to Google Project Zero, with a little extra research, a skilled attacker could quickly develop a working exploit that would allow remote control of a wireless module, knowing only the victim's phone number. The attack can be carried out unnoticed by the user and does not require any action on the part of the user.

        The remaining 14 vulnerabilities have a lower risk level, as the attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, a fix for which was suggested in the March firmware update for Google Pixel devices, the issues remain unresolved. The only thing known about the CVE-2023-24033 vulnerability so far is that it is caused by incorrect validation of the "accept-type" attribute format transmitted in SDP (Session Description Protocol) messages.

        Until the vulnerability is fixed, it is recommended that users disable VoLTE (Voice-over-LTE) support and Wi-Fi calling in their settings. Affected devices are those equipped with Exynos chips, such as Samsung smartphones (S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04), Vivo (S16, S15, S6, X70, X60 and X30), Google Pixel (6 and 7), as well as Exynos W920-based wearable devices and car systems with the Exynos Auto T5123 chipset.

        Due to the danger of the vulnerabilities and the realistic likelihood of an exploit appearing quickly, Google has decided to make an exception for the 4 most dangerous problems and postpone disclosure of the nature of the problems. For the remaining vulnerabilities, the disclosure schedule will be respected after 90 days of vendor notification (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 vulnerabilities are already in the bug tracking system, while the remaining 9 have 90 days to expire). Marked vulnerabilities CVE-2023-2607* are caused by buffer overflow during decoding of certain options and lists in NrmmMsgCodec and NrSmPcoCodec.
        18 vulnerabilities is actually quite a large number. Turning off VoLTE (Voice-over-LTE) support and Wi-Fi calling in your settings is definitely something you should do to limit the risks.


        • #5
          Originally posted by scalepaper
          Users should be advised that until the vulnerability is resolved, they should deactivate VoLTE (Voice-over-LTE) support and Wi-Fi calling in their settings. However, many consumers, in my opinion, are unaware of the presence of this issue. To remain up to date on the newest cybersecurity risks and vulnerabilities, I recommend consulting credible sources such as Samsung security advisories and CERT.

          It works. I also often turn off VoLTE support and call using Wi-Fi.
