Critical security vulnerabilities in Samsung’s Exynos chipsets allow “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker needs only the victim’s phone number.
Project Zero team lead Tim Willis says his researchers reported at least 18 zero-day vulnerabilities in the Exynos modems produced by Samsung Semiconductor and used in the company’s flagship Galaxy devices.
He said that in some cases an attacker would need to know only the victim’s phone number to exploit the bugs, in what is being described as “Internet-to-baseband remote code execution” attack vectors.
Between late 2022 and early 2023, Google’s Project Zero discovered and reported 18 bugs in Samsung’s Exynos cellular modem firmware, says Tim Willis, head of the team responsible for uncovering these vulnerabilities.
Of the 18 zero-day flaws, four could allow remote code execution from the internet to the baseband. The baseband, also known as the modem, typically has privileged, low-level access to the device’s hardware, so exploiting flaws in its code could give an attacker complete control of the phone.
Currently, technical information regarding these vulnerabilities has been withheld to protect users of affected devices.
In a breakdown of the security flaws, Willis said: “Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.
“With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”
Assigned CVE numbers
One of these four severe bugs has been assigned a CVE number, and it’s tracked as CVE-2023-24033. The other three are awaiting bug IDs.
According to Willis, Google would withhold details on four of the 18 vulnerabilities because of their severity and the risk that malicious actors could quickly reproduce the findings and create in-the-wild exploits.
The remaining 14 vulnerabilities include CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076, plus nine others that have not yet been assigned identifiers.
Affected devices include
Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 mobiles; Vivo S16, S15, S6, X70, X60 and X30 series mobiles; Google’s Pixel 6 and Pixel 7 series; along with any wearables that use the Exynos W920 chipset; and any vehicles that use the Exynos Auto T5123 chipset.
Samsung has released a series of advisories listing the Exynos chipsets affected by these vulnerabilities, which are used in mobile devices from Samsung and Vivo as well as Google’s Pixel 6 and Pixel 7 handsets.
The vulnerabilities have been identified as heap buffer overflows in the 5G MM message codec while decoding extended emergency lists, service area lists, and reserved options.
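As an illustration of the bug class named above, the following C is an added example, not Samsung’s code and not the Exynos codec: the message layout (a count byte followed by fixed-size entries), the entry size, the list capacity and the function names are all assumptions constructed for this example. It places a list decoder that trusts a peer-supplied element count next to one that validates that count against both the destination buffer and the number of bytes actually received, which is the kind of check whose absence produces a heap buffer overflow in a codec.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Samsung's code. A message codec decodes a
 * "list" element encoded as: [count:1 byte][count * ENTRY_SIZE bytes].
 * The entry size, list capacity and encoding are assumptions made for
 * this illustration only. */
#define ENTRY_SIZE  4
#define MAX_ENTRIES 8

typedef struct {
    uint8_t count;
    uint8_t entries[MAX_ENTRIES * ENTRY_SIZE];   /* fixed-capacity destination */
} list_t;

/* Vulnerable pattern: the count byte comes from the peer and is used as
 * the copy length without comparing it to the destination capacity or to
 * the number of bytes actually received. A count larger than MAX_ENTRIES
 * writes past `entries`; a short message reads past `msg`. Kept here for
 * comparison only; it is never called on malformed input below. */
int decode_list_unchecked(const uint8_t *msg, size_t msg_len, list_t *out)
{
    if (msg_len < 1)
        return -1;
    out->count = msg[0];
    memcpy(out->entries, msg + 1, (size_t)out->count * ENTRY_SIZE);
    return 0;
}

/* Hardened form: validate the declared count against both bounds before
 * touching memory. Returns 0 on success, a negative code on rejection. */
int decode_list_checked(const uint8_t *msg, size_t msg_len, list_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;                                /* no count byte present */
    uint8_t count = msg[0];
    if (count > MAX_ENTRIES)
        return -2;                                /* would overflow out->entries */
    size_t need = 1 + (size_t)count * ENTRY_SIZE;
    if (msg_len < need)
        return -3;                                /* would over-read msg */
    out->count = count;
    memcpy(out->entries, msg + 1, (size_t)count * ENTRY_SIZE);
    return 0;
}

/* Constructed inputs, each wrapped so the outcome is a plain return value. */

/* Two well-formed entries: both decoders accept and agree; returns the
 * second entry's first byte (5) so the copy itself can be verified. */
int example_well_formed(void)
{
    static const uint8_t msg[] = { 2, 1, 2, 3, 4, 5, 6, 7, 8 };
    list_t a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    if (decode_list_checked(msg, sizeof msg, &a) != 0) return -100;
    if (decode_list_unchecked(msg, sizeof msg, &b) != 0) return -101;
    if (a.count != 2 || memcmp(a.entries, b.entries, 2 * ENTRY_SIZE) != 0) return -102;
    return a.entries[ENTRY_SIZE];                 /* 5 */
}

/* Count 200 with a single entry present: the unchecked decoder would copy
 * 800 bytes into a 32-byte buffer; the checked decoder rejects it. */
int example_oversized_count(void)
{
    static const uint8_t msg[] = { 200, 0xaa, 0xbb, 0xcc, 0xdd };
    list_t l;
    return decode_list_checked(msg, sizeof msg, &l);   /* -2 */
}

/* Count 1 but only two payload bytes: a truncated message is rejected
 * rather than read past its end. */
int example_truncated(void)
{
    static const uint8_t msg[] = { 1, 0xaa, 0xbb };
    list_t l;
    return decode_list_checked(msg, sizeof msg, &l);   /* -3 */
}

int main(void)
{
    printf("well-formed list, entry byte: %d\n", example_well_formed());
    printf("oversized count rejected with: %d\n", example_oversized_count());
    printf("truncated message rejected with: %d\n", example_truncated());
    return 0;
}
```

The two checks are independent: the capacity check protects the destination (the heap object the decoded list lands in), and the received-length check protects the source (the incoming message buffer). A codec that performs only one of them is still exploitable through the other path, which is why both belong before the copy.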