Not just Samsung smartphones: Exynos chips with some critical zero-day vulnerabilities

Samsung's Exynos modem chips are used not only in its own smartphones and smartwatches, but also by other manufacturers such as Vivo and Google. Google's Project Zero has now found 18 zero-day vulnerabilities in these modem chips, which are also built into vehicles. Four of these vulnerabilities are classified as particularly critical because they allow code from the Internet to be executed on the mobile device. An attacker only needs to know the victim's phone number.

The vulnerabilities in Samsung’s Exynos series of modem chips were discovered in late 2022 and early 2023. The four critical zero-day vulnerabilities (CVE-2023-24033 and three other unclassified bugs) allow “Internet-to-Baseband Remote Code Execution” (RCE). This allows attackers to run software from the Internet on the attacked modem without the user of the device being able to intervene or noticing.

Samsung describes CVE-2023-24033 in its security updates as follows: “The baseband software does not properly validate the format types of the Accept-Type attribute specified by the SDP (Session Description Protocol), resulting in a denial of service or code execution in the Samsung baseband modem.” Affected chips are Exynos Modem 5123 and 5300, Exynos 980 and 1080 and Exynos Auto T5123.
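The advisory quoted above faults the baseband for not validating the format types in the SDP Accept-Type attribute. The following is an added example, not code from the article, Samsung or Project Zero: a strict parser for the `a=accept-types:` line as defined for MSRP in RFC 4975 (assumed here to be the attribute meant), which rejects any entry that does not match the type/subtype grammar and bounds the number and length of entries before the values are used.

```python
import re

# RFC 4975 grammar for the attribute (assumption: this is the "Accept-Type"
# attribute the advisory refers to):
#   a=accept-types:<format-list>
#   format-list  = format-entry *( SP format-entry )
#   format-entry = ( type "/" subtype ) / "*"
# type and subtype are RFC 2045 tokens: no whitespace, controls or tspecials.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_ENTRY = re.compile(rf"(?:\*|{_TOKEN}/{_TOKEN})")
_PREFIX = "a=accept-types:"
MAX_ENTRIES = 16      # arbitrary defensive bound, not from any standard
MAX_ENTRY_LEN = 127   # same


class SdpValidationError(ValueError):
    """Raised for any accept-types line that does not match the grammar."""


def parse_accept_types(line: str) -> list:
    """Strictly parse one 'a=accept-types:' SDP line into its format entries.

    Every entry must be exactly type/subtype or '*'; anything else (empty
    value, stray whitespace, double spaces, control characters, oversized or
    too many entries) is rejected instead of being passed on to later code.
    """
    if not line.startswith(_PREFIX):
        raise SdpValidationError("not an accept-types attribute")
    value = line[len(_PREFIX):]
    if value == "" or value != value.strip():
        raise SdpValidationError("empty value or leading/trailing whitespace")
    entries = value.split(" ")          # a single SP is the only separator
    if len(entries) > MAX_ENTRIES:
        raise SdpValidationError("too many format entries")
    for entry in entries:
        if len(entry) > MAX_ENTRY_LEN or not _ENTRY.fullmatch(entry):
            raise SdpValidationError(f"malformed format entry: {entry!r}")
    return entries


def accepted_formats(line: str, supported) -> list:
    """Intersect a validated accept-types line with the formats an
    implementation actually supports; '*' expands to the full supported list."""
    entries = parse_accept_types(line)
    if "*" in entries:
        return list(supported)
    return [e for e in entries if e in supported]
```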

Based on this, Google’s Project Zero has identified the following devices as most likely to be vulnerable, but more could be affected:

  • Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series smartphones,
  • Vivo S16, S15, S6, X70, X60 and X30 series smartphones,
  • Google's Pixel 6 and 7,
  • wearables with the Exynos W920 chip and
  • vehicles with the Exynos T5123 chip.

However, patches are not yet available for all affected devices. Samsung itself provides security updates, but most of the patches are not yet publicly available and users cannot install them themselves. Google has addressed CVE-2023-24033 for affected Pixel devices in the March 2023 security update. If the system does not yet offer this update on its own, Pixel users should search for the 459 MB update manually in the settings (as this author did on a Pixel 7 Pro).

As long as there is no patch for an affected device, Google's Project Zero proposes a workaround: users should switch off Wi-Fi calling (WLAN telephony) and Voice-over-LTE (VoLTE) in the settings. According to Project Zero, this removes the risk of these vulnerabilities being exploited.

Because these critical vulnerabilities combine, unusually, a high degree of remote exploitability with the speed at which a working exploit could be created, Google's Project Zero has, contrary to its usual practice, not made the details public after its usual timeframe. Otherwise, attackers could benefit more from the publication than users, Google's employees explain. Google's Project Zero normally publishes vulnerabilities 30 days after an update is available, but in this case the company is giving manufacturers more time to fix the vulnerabilities.

In addition to the four critical vulnerabilities, Google Project Zero found fourteen other vulnerabilities that it classified as less threatening. CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine others, which still have no CVE IDs, could nonetheless pose a risk. However, exploiting them would require either local access to the device or a malicious mobile network operator.

Update, 03/17/2023, 08:42: Clarified the paragraph on the delayed release of details of the four critical vulnerabilities.


(fds)
