Security News > 2023 > March > Google finds 18 baseband zero-day bugs in Samsung Exynos chipsets
Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 baseband zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.
"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; The Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and.
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.
Each manufacturer's patch timeline for their devices will differ but Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.
Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE to remove the attack vector.
- Google Chrome emergency update fixes first zero-day of 2023 (source)
- Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability (source)
- Update now: Google emits emergency fix for zero-day Chrome vulnerability (source)
- Google patches another actively exploited Chrome zero-day (source)
- Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released (source)
|2023-03-13||CVE-2023-24033|| Unspecified vulnerability in Samsung products |
The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.
| 9.8 |