Google Uncovers 18 Zero-Day Vulnerabilities in Samsung’s Exynos Chipsets

The Project Zero team at Google has recently found and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets, which are mainly used in:- 

• Mobile devices
• Wearables
• Automobiles

Among the 18 zero-day vulnerabilities, four vulnerabilities were classified as the most serious, as they enabled remote code execution (RCE) over the internet to the baseband.

Project Zero researchers conducted tests that confirmed that the four vulnerabilities could be exploited remotely by an attacker in order to compromise a phone’s baseband without requiring any user interaction on the attacker’s part and with only the attacker knowing the victim’s phone number as the only condition.

In order to pull off the attack, all that is necessary is the victim’s phone number in order to get the job done. Moreover, it’s also possible for experienced attackers to effortlessly create exploits to remotely breach vulnerable devices without alerting the targets.

Affected Devices

Samsung Semiconductor announced in an advisory that these vulnerabilities affect Exynos chipsets, and the affected chipsets are primarily used in the following devices:-

• Samsung Galaxy S22
• Samsung Galaxy M33
• Samsung Galaxy M13
• Samsung Galaxy M12
• Samsung Galaxy A71
• Samsung Galaxy A53
• Samsung Galaxy A33
• Samsung Galaxy A21
• Samsung Galaxy A13
• Samsung Galaxy A12 
• Samsung Galaxy A04
• Vivo S16
• Vivo S15
• Vivo S6
• Vivo X70
• Vivo X60 
• Vivo X30
• Google Pixel 6 series
• Google Pixel 7 series
• Wearables using the Exynos W920 chipset
• Vehicles using the Exynos Auto T5123 chipset

Patch Timelines

The patch timeline will completely vary depending on the manufacturer. In March 2023, a patch was released for Pixel devices that were affected by CVE-2023-24033.

Flaws Disclosed

Five of the remaining fourteen vulnerabilities are being disclosed as part of this disclosure. And here below, we have mentioned them:-

While further CVE-IDs have not yet been assigned to the remainder of the security flaws. On the other hand, the following are the flaws that have already exceeded the usual 90-day deadline set by the Project Zero team:-

• CVE-2023-26072
• CVE-2023-26073
• CVE-2023-26074
• CVE-2023-26075

As a result of these issues not meeting the strict standards for keeping them hidden from the public, they are being publicly disclosed in the issue tracker in order to ensure their transparency.

It’s important to note that the remaining nine vulnerabilities in this set haven’t yet reached their 90-day deadline, but if they still haven’t been fixed, they will be made public.

Workaround

As a precaution, users with affected devices are advised to disable WiFi calling as well as Voice-over-LTE (VoLTE) in their device settings for now, so they will not be exposed to the baseband remote code execution vulnerabilities.

The end users are advised to update their devices in a timely manner to ensure that their devices are running the latest builds that are capable of addressing the disclosed security vulnerabilities and those that are yet to be disclosed.

Network Security Checklist – Download Free E-Book