Google Project Zero team has disclosed severe zero-day security flaws in the Samsung Exynos modem. Affected Exynos modem used in various Samsung devices including the Galaxy S22 series along with the Google Pixel 6a/6/6 Pro and Galaxy wearables.
According to the information, Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. And notably, four of the flaws, including CVE-2023-24033, involve internet-to-baseband remote code execution:
Follow our socials → Google News, Telegram, Twitter, Facebook
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
Among 18, 14 are not considered as severe because they “require either a malicious mobile network operator or an attacker with local access to the device.” The team is making a “policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.”
Affected devices
Samsung Semiconductor (January 2023) data reveals that Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 are affected chipsets.
Affected devices
Samsung Semiconductor (January 2023) data reveals that Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T5123 are affected chipsets.
Google compiled a list of likely affected products:
Samsung Galaxy:
- S22 series
- M33
- M13
- M12
- A71
- A53
- A33
- A21
- A13
- A12
- A04 series
- Watch 4 series
- Watch 5 series
Google:
- Pixel 6 and 6 Pro
- Pixel 6a
- Pixel 7 and 7 Pro
Vivo:
- S16
- S15
- S6
- X70
- X60
- X30 series
Wearable:
- Any wearables that use the Exynos W920 chipset
Vehicle:
- Any vehicles that use the Exynos Auto T5123 chipset
Samsung March 2023 Patch
Samsung detailed the March 2023 security patch earlier this month, which doesn’t provide fixes to the severe CVE-2023-24033 vulnerability. At the same time, Google listed the CVE in its March 2023 Android security bulletin, which started to roll out to Pixel devices on Monday.
Samsung responded
Samsung recently responded on this matter, said –
At the end of last year, we received a security issue notification for Google project zero, and Samsung has provided all customers with a patch version for this vulnerability, and the related issues have now been resolved.
