Google’s Project Zero team has found and reported 18 zero day vulnerability in Samsung’s Exynos chipsets. This chipsets are in-use various devices such as mobiles, wearables, and cars. The team reported these security flaws between late 2022 and early 2023. Among these vulnerabilities, four are critical, allowing attackers to execute remote code from the Internet to the baseband.

Critical zero day vulnerability

The four most severe vulnerabilities, including CVE-2023-24033. And three others awaiting. CVE-ID enable remote code execution from the Internet to the baseband. Attackers can compromise vulnerable devices remotely and without any user interaction, using these Internet-to-baseband remote code execution (RCE) bugs.

According to Samsung’s security advisory on the CVE-2023-24033 vulnerability, “The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem.” The only information required for the attacks is the victim’s phone number.

Furthermore, experienced attackers can easily create an exploit capable of remotely compromising vulnerable devices. It is without triggering the targets’ attention, making the situation even worse. Due to the level of access these vulnerabilities provide and the speed at which a reliable operational exploit could be crafted. Project Zero has decided to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution.

Other vulnerablities

The 14 remaining flaws, including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076. The nine others awaiting CVE-IDs, are not as severe but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.

Affected devices under zero day vulnerability

Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60, and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Wearables that use the Exynos W920 chipset
  • Vehicles that use the Exynos Auto T5123 chipset

Workaround and security updates

While Samsung has provides security updates to other vendors addressing these vulnerabilities in impacted chipsets. The patches are not public and cannot be applied by all affected users. Each manufacturer’s patch timeline for their devices will differ. For instance, Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.

Until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung’s Exynos chipsets by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector. Samsung has also confirmed Project Zero’s workaround, stating that “users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability.”

As always, Project Zero encourages end-users to update their devices as soon as possible to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.