Project Zero, Google’s zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars.
The Exynos modem security flaws were reported between late 2022 and early 2023. Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband.
These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.
“The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem,” Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
The only information required for the attacks to be pulled off is the victim’s phone number, according to Tim Willis, the Head of Project Zero.
To make things even worse, with minimal additional research, experienced attackers could easily create an exploit capable of remotely compromising vulnerable devices without triggering the targets’ attention.
“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” Willis said.
The 14 remaining flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine others awaiting CVE-IDs) are not as critical but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.
Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
- The Pixel 6 and Pixel 7 series of devices from Google;
- any wearables that use the Exynos W920 chipset; and
- any vehicles that use the Exynos Auto T5123 chipset.
Workaround available for affected devices
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can’t be applied by all affected users.
Each manufacturer’s patch timeline for their devices will differ but, for instance, Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.
However, until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung’s Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector.
Samsung also confirmed Project Zero’s workaround, saying that “users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”
“As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities,” Willis added.