Four of the 18 zero-day vulnerabilities were considered the most severe because they allowed baseband Remote Controlode Execution (RCE) via the internet. The four vulnerabilities could be remotely exploited by an attacker to compromise a phone's baseband without requiring any user interaction on their part and with only the attacker knowing the victim's phone number as the only requirement, according to tests conducted by Project Zero researchers. The victim's phone number is required to carry out the attack to succeed. Additionally, skilled attackers may easily build exploits to remotely hack vulnerable devices without disclosing their identities to their targets.
List of Affected Samsung Devices:
- Samsung Galaxy S22
- Samsung Galaxy M33
- Samsung Galaxy M13
- Samsung Galaxy M12
- Samsung Galaxy A71
- Samsung Galaxy A53
- Samsung Galaxy A33
- Samsung Galaxy A21
- Samsung Galaxy A13
- Samsung Galaxy A12
- Samsung Galaxy A04
- Vivo S16
- Vivo S15
- Vivo S6
- Vivo X70
- Vivo X60
- Vivo X30
- Google Pixel 6 series
- Google Pixel 7 series
- Wearables using the Exynos W920 chipset
- Vehicles using the Exynos Auto T5123 chipset
List of Flaws Detected in Samsung's Exynos Chipsets:
The current description of these CVEs: Samsung's mobile chipsets and baseband modem chipsets for the Exynos 850, Exynos 980, Exynos 1080, Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123 have a problem. Insufficient parameter checking when decoding the Emergency number list can result in a heap-based buffer overflow in the 5G MM message codec.
The remaining security flaws, however, still need additional CVE-IDs to be assigned to them. The flaws, on the other hand, that have already passed the customary 90-day deadline established by the Project Zero team are listed below:
CVE-2023-26072
CVE-2023-26073
CVE-2023-26074
CVE-2023-26075
These issues are being publicly disclosed in the issue tracker to ensure their transparency because they do not adhere to the stringent criteria for keeping them secret from the public. It's essential to note that the remaining nine vulnerabilities in this set have not yet reached the 90-day deadline; however, if they aren't fixed by then, information about them will be made public.
Recommendation for the Users of the Affected Samsung Devices:
Users of affected devices are recommended to temporarily disable Voice-over-LTE (VoLTE) and Wi-Fi calling in their device settings in order to protect themselves from the baseband remote code execution vulnerabilities. To make sure that their devices are running the most recent builds that are capable of addressing the disclosed security vulnerabilities and those that are still to be disclosed, end users are urged to update their devices as soon as possible.
Please do not enter any spam link in the comment box.