Samsung Users at Risk: 18 Zero-Day Vulnerabilities Found in Exynos Chipsets
Google’s Project Zero uncovers 18 zero-day vulnerabilities in Samsung Exynos chipsets
Google’s bug-hunting team, Project Zero, has identified 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars. These vulnerabilities were discovered between late 2022 and early 2023, and four of them were deemed the most serious. Those four allow remote code execution from the Internet to the baseband, enabling attackers to compromise vulnerable devices without any user interaction.
The four most serious flaws, CVE-2023-24033 and three others still awaiting a CVE-ID, were described as “Internet-to-baseband remote code execution (RCE) bugs.” Samsung acknowledged the vulnerability in a security advisory, stating that the baseband software does not properly check the format types of the accept-type attribute specified by the SDP, which can lead to denial of service or code execution in the Samsung Baseband Modem.
Four of the identified Exynos modem security flaws enable remote code execution
Tim Willis, the Head of Project Zero, has warned that experienced attackers could easily create an exploit that remotely compromises vulnerable devices without attracting the target’s attention. Due to the high level of access these vulnerabilities provide, Project Zero has delayed disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.
The remaining 14 flaws, including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine others awaiting CVE-IDs, are less critical but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.
End-users still don't have patches 90 days after report…. https://t.co/dkA9kuzTso
— Maddie Stone (@maddiestone) March 16, 2023
Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors. However, patches are not public and can’t be applied by all affected users. Each manufacturer’s patch timeline for their devices will differ. Google, for instance, has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.
Google and Samsung urge users to update devices to mitigate Exynos chipset flaws
Until patches are available, users can disable Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector and thwart baseband RCE exploitation attempts targeting the Samsung Exynos chipsets in their devices. Samsung has confirmed Project Zero’s workaround and encourages end-users to update their devices as soon as possible to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.
Source: bleepingcomputer.com