Security News > 2023 > March > Google finds 18 baseband zero-day bugs in Samsung Exynos chipsets

Google finds 18 baseband zero-day bugs in Samsung Exynos chipsets
2023-03-16 20:33

Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 baseband zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.

"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.

Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; The Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and.

While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.

Each manufacturer's patch timeline for their devices will differ but Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.

Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE to remove the attack vector.


News URL

https://www.bleepingcomputer.com/news/security/google-finds-18-baseband-zero-day-bugs-in-samsung-exynos-chipsets/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-03-13 CVE-2023-24033 Unspecified vulnerability in Samsung products
The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.
network
low complexity
samsung
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995
Samsung 1618 128 354 396 74 952