Google experts find 18 zero-day vulnerabilities in Samsung Exynos chipsets

Google Project Zero experts, who specialize in searching for zero-day vulnerabilities, have identified 18 zero-day vulnerabilities in Samsung Exynos chipsets, widely used in mobile and wearable devices, as well as cars. According to their statements, attackers can remotely compromise a vulnerable phone at the baseband level without any user interaction.

Most of the problems were found in the Exynos modem; the researchers reported them to the manufacturer between late 2022 and early 2023. Four of the eighteen bugs were identified as the most serious, as they allow for arbitrary code execution at the baseband level.

Because of the rare combination of the level of access these vulnerabilities provide and the speed at which a working exploit can be created for them, the researchers have decided to make an exception and postpone detailed disclosure of these bugs for now.

Experts describe these RCE vulnerabilities (CVE-2023-24033 and three others that have not yet received CVE identifiers) as Internet-to-baseband bugs, allowing for remote compromise of vulnerable devices without user interaction. Essentially, the only information needed to carry out the attack is the victim's phone number.

"Baseband software does not perform proper type checking for the accept-type attribute format in SDP, which can lead to service denial or code execution in the Samsung baseband modem," Samsung said in its description of the CVE-2023-24033 issue.

The remaining 14 vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine other bugs awaiting CVE identifiers) are not as critical: exploiting them will require local access or a malicious mobile network operator.

Samsung reports that the following devices (and likely not limited to them) are affected:

  • Samsung mobile devices in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series;
  • Vivo mobile devices in the S16, S15, S6, X70, X60, and X30 series;
  • Pixel 6 and Pixel 7 series devices from Google;
  • Any wearable devices using the Exynos W920 chipset;
  • Any cars using the Exynos Auto T5123 chipset.

While Samsung has already provided suppliers with the necessary patches to fix vulnerabilities in affected chipsets, these fixes are not yet publicly available and cannot be applied by all users at risk.

In fact, the timing of fixes will vary for each specific manufacturer.
