Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets
Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.
"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution," Willis said.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; the Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and.
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.
Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE to remove the attack vector.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-13 | CVE-2023-24033 | Unspecified vulnerability in Samsung products. The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service. | 9.8 |