Android

[Samsung Responded] Severe Exynos modem vulnerabilities found, these models are affected

Published

2 years ago

on

Google Project Zero team found severe 0-day vulnerabilities with the Samsung Exynos modem. Affected Exynos modem used in various Samsung devices including the Galaxy S22 series along with the Google Pixel 6a/6/6 Pro and Galaxy wearables.

Follow our socials → Google News, Telegram, Twitter, Facebook

According to the information, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. And notably, four of the flaws, including CVE-2023-24033, involve internet-to-baseband remote code execution:

Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Among 18, 14 are not considered as severe because they “require either a malicious mobile network operator or an attacker with local access to the device.” The team is making a “policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.”

Affected devices

Samsung Semiconductor (January 2023) data reveals that Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 are affected chipsets.

Google compiled a list of likely affected products:

Samsung Galaxy:

  • S22 series
  • M33
  • M13
  • M12
  • A71
  • A53
  • A33
  • A21
  • A13
  • A12
  • A04 series
  • Watch 4 series
  • Watch 5 series

Google:

  • Pixel 6 and 6 Pro
  • Pixel 6a
  • Pixel 7 and 7 Pro

Vivo:

  • S16
  • S15
  • S6
  • X70
  • X60
  • X30 series

Wearable:

  • Any wearables that use the Exynos W920 chipset

Vehicle:

  • Any vehicles that use the Exynos Auto T5123 chipset

Samsung March 2023 Patch

Samsung detailed the March 2023 security patch earlier this month, which doesn’t provide fixes to the severe CVE-2023-24033 vulnerability. At the same time, Google listed the CVE in its March 2023 Android security bulletin, which started to roll out to Pixel devices on Monday.

Here’s what Samsung said:

At the end of last year, we received a security issue notification for Google project zero, and Samsung has provided all customers with a patch version for this vulnerability, and the related issues have now been resolved.

| Via |
Related Topics:
Exit mobile version