Security News > 2023 > March > Google finds 18 baseband zero-day bugs in Samsung Exynos chipsets
Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 baseband zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.
"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; The Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and.
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.
Each manufacturer's patch timeline for their devices will differ but Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.
Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE to remove the attack vector.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-13 | CVE-2023-24033 | Unspecified vulnerability in Samsung products The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service. | 9.8 |