Google have recently announced that their zero-day research team (Project zero) have discovered and reported 18 zero-day vulnerabilities in the Exynos chipsets used in Samsung devices.
This chipset is the beating heart of Samsung technologies, and is used in most Samsung devices whether they be Mobile, Automotive, Wearable, Modem, or RF.
In addition to Samsung’s own devices, the chips can also be found in other manufacturers equipment too, including Google’s own Pixel 6 and 7 mobile devices.
A full list of affected devices is not fully known, but those which are known are:
- Samsung: S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 , A04
- Vivo: S16, S15, S6, X70, X60, X30
- Google Pixel 6 and Pixel 7
- Any wearables that use the Exynos W920 chipset
- Any vehicles that use the Exynos Auto T5123 chipset
High severity
The first vulnerabilities discovered affected the mobile variant of the chips and were reported to Samsung by the Project Zero team between late 2022 and early 2023.
Four of the vulnerabilities were identified as being the most serious type and allowed a threat actor to conduct Remote Code Execution (RCE) across the Internet to the device. Note – for more info about RCE’s see my earlier post.
Only one of the vulnerabilities has been given a CVE number, but all four have the potential to allow attackers to compromise vulnerable devices remotely with no interaction from the user.
The one with a published CVE (CVE-2023-24033) currently has a status is that the vulnerability is still under analysis, but states that it is related to how the chipset handles SDP (Session Description Protocol) data which if not performed correctly can lead to a Denial of Serivce (DoS).
“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Tim Willis – Google Project Zero
Remaining vulns
Of the remaining fourteen vulnerabilities discovered by project zero, five have been given CVE numbers, and the last nine are still waiting for CVE values.
The five CVEs are:
- CVE-2023-26072 – Buffer overflow – Rated 9.8 Critical
- CVE-2023-26073 – Buffer overflow – Rated 9.8 Critical
- CVE-2023-26074 – Buffer overflow – Rated 9.8 Critical
- CVE-2023-26075 – Intra-object overflow – Rated 9.8 Critical
- CVE-2023-26076 – Intra-object overflow – Rated 9.8 Critical
These vulnerabilities, although rated at critical, are more difficult for a threat actor to exploit as they require either a malicious mobile network operator, or an attacker with local access to the affected device.
Patch timelines
The patches for these vulnerabilities will become available as soon as the vendors develop and test a fix, however as is always the case with mobile devices, the patches will be released only once the mobile operators themselves have tested the updates in their own networks. So whilst there may be a fix waiting for your device, you will have to wait for your mobile operator to push it out.
Google have already issued one update for their affected devices. CVE-2023-24033 was patched in the March 2023 security update.
Other affected manufacturers will issue updates as soon as they become available, but until they do become available, worried users with affected devices can protect themselves from the RCE vulnerabilities mentioned at the beginning of this blog by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.