18 Zero-day Vulnerabilities Found In Samsung Exynos chipsets


Samsung’s Exynos chipsets are used in their mobile devices, wearables and even cars.

The zero-days were discovered by Google's zero-day bug hunting team.

When it comes to Exynos modems, the security flaws were reported between late 2022 and early 2023.

Four Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033) and three others, still waiting for a CVE-ID, allow attackers to compromise vulnerable devices remotely and without any user interaction.

The only information required for attacks to be pulled off is the victim's phone number, according to Tim Willis, the Head of Project Zero.

Now I do not want to make you worry more than you need to, but with minimal additional research, an experienced attacker can easily create an exploit capable of remotely compromising these vulnerable devices without even attracting your attention.

For a very good reason, the security researchers are withholding information, as it would be easy for anyone with some basic coding experience to create a PoC exploit.

A rare exception to the rules:

"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution," Willis says.

However, this won't deter anyone already aware of one or more of these flaws.

Besides these flaws, which they are trying to hide away, there are still 14 remaining (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076).

Others that have not been assigned a CVE-ID are not critical, but still pose a risk to the user.

A list provided by SAMSUNG of affected devices:

You should assume more devices using Samsung’s Exynos chipsets are affected!

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series.
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series.
  • The Pixel 6 and Pixel 7 series of devices from Google.
  • Wearables that use the Exynos W920 chipset and any vehicles that use the Exynos Auto T5123 chipset.

Check if your smartphone has one of Samsung’s Exynos chipsets here at GSM ARENA.

SAMSUNG HAS PUBLISHED UPDATES, BUT....

Each manufacturer's patch timeline for their devices will differ, and it is unlikely that the oldest models using this chipset will receive any security update.

It all depends on your country and provider.

Samsung Semiconductor's advisories provide the list of Exynos chipsets that are affected by these vulnerabilities.

A temporary fix:

You can still thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in your device by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector.

Read more at Project Zero.

SAMSUNG Website

 
