Security News > 2023 > March > Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets
Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars.
"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution," Willis said.
Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; The Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and.
While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.
Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE to remove the attack vector.
- Google finds 18 baseband zero-day bugs in Samsung Exynos chipsets (source)
- Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips (source)
- Samsung, Vivo, Google phones open to remote compromise without user interaction (source)
- Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs (source)
- Hackers mostly targeted Microsoft, Google, Apple zero-days in 2022 (source)
|2023-03-13||CVE-2023-24033|| Unspecified vulnerability in Samsung products |
The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.
| 9.8 |