Project Zero, Google’s zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars. The Exynos security flaws were reported between late 2022 and early 2023.

Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband. These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.

“The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem,” Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.

The only information required for the attacks to be pulled off is the victim’s phone number, according to Tim Willis, the Head of Project Zero. To make things even worse, with minimal additional research, experienced attackers could easily create an exploit capable of remotely compromising vulnerable devices without triggering the targets’ attention.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” Willis said.

The 14 remaining flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine others awaiting CVE-IDs) are not as critical but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.

Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:
- Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
- The Pixel 6 and Pixel 7 series of devices from Google
- Any wearables that use the Exynos W920 chipset
- Any vehicles that use the Exynos Auto T5123 chipset

Device owners should install patches for these vulnerabilities as soon as they are made available by the vendor. It was also recommended to disable Wi-Fi calling and Voice-over-LTE to mitigate the impact of the vulnerabilities until patches are released.