Google Uncovers 18 Zero-Day Vulnerabilities in Samsung's Exynos Chipsets
The Project Zero team at Google has recently discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets, which are mainly used in:
- Mobile devices
- Wearables
- Cars
Among the 18 zero-day vulnerabilities, four were classified as the most serious, as they enabled remote code execution (RCE) over the internet to the baseband.
Project Zero researchers conducted tests confirming that the four vulnerabilities could be exploited remotely by an attacker to compromise a phone's baseband without requiring any user interaction, and with the attacker knowing only the victim's phone number.
To carry out the attack, all that is needed is the victim's phone number. Moreover, it is also possible for experienced attackers to easily create exploits to remotely breach vulnerable devices without alerting the targets.
Affected Devices
Samsung Semiconductor stated in an advisory that these vulnerabilities impact Exynos chipsets, and the affected chipsets are primarily used in the following devices:
- Samsung Galaxy S22
- Samsung Galaxy M33
- Samsung Galaxy M13
- Samsung Galaxy M12
- Samsung Galaxy A71
- Samsung Galaxy A53
- Samsung Galaxy A33
- Samsung Galaxy A21
- Samsung Galaxy A13
- Samsung Galaxy A12
- Samsung Galaxy A04
- Vivo S16
- Vivo S15
- Vivo S6
- Vivo X70
- Vivo X60
- Vivo X30
- Google Pixel 6 series
- Google Pixel 7 series
- Wearables using the Exynos W920 chipset
- Vehicles using the Exynos Auto T5123 chipset
Patch Timelines
The patch timeline will vary depending on the manufacturer. In March 2023, a patch was released for Pixel devices that were affected by CVE-2023-24033.
Flaws Disclosed
Five of the remaining fourteen vulnerabilities are being disclosed as part of this disclosure. They are listed below:
- CVE-2023-26072
- CVE-2023-26073
- CVE-2023-26074
- CVE-2023-26075
- CVE-2023-26076
Additional CVE IDs have not yet been assigned to the rest of the security flaws. However, the following are the flaws that have already exceeded the standard 90-day deadline set by the Project Zero team:
- CVE-2023-26072
- CVE-2023-26073
- CVE-2023-26074
- CVE-2023-26075
Because these issues do not meet the strict standard for being withheld from the public, they are being publicly disclosed in the issue tracker for the sake of transparency.
It is important to note that the remaining nine vulnerabilities in this set have not yet reached their 90-day deadline, but if they still have not been fixed, they will be made public.
Workaround
As a precaution, users with affected devices are urged to disable Wi-Fi calling as well as Voice-over-LTE (VoLTE) in their device settings for now, so that they are not exposed to the baseband remote code execution vulnerabilities.
End users are urged to update their devices in a timely manner to ensure they are running the latest builds, which address the disclosed security vulnerabilities and those that are yet to be disclosed.
Source credit : cybersecuritynews.com