The Google Project Zero team reported this week that they found 18 zero-day vulnerabilities in various Exynos modems produced by Samsung late last year and early this year, and the four most serious vulnerabilities would allow the remote end of the network to the baseband. Program attacks, and these 18 vulnerabilities have affected many mobile phones from Samsung, Vivo and Google, as well as wearable devices using the Exynos W920 chipset and cars using the Exynos Auto T5123.
According to the test of the Project Zero team, these four serious vulnerabilities allow hackers to remotely compromise the user’s mobile phone. The hacker only needs to know the mobile phone number to launch the attack, and does not require user interaction at all, even with limited research and development , the team also believes that sophisticated hackers will be able to easily create attack programs that can quietly compromise mobile phones from a remote location without users noticing.
Among the four serious vulnerabilities, only CVE-2023-24033 is currently assigned a number. Many chips containing this vulnerability cannot properly check the format type of the Session Description Protocol (Session Description Protocol, SDP) module, which may lead to service blocking. broken.
Among the 14 other less serious security vulnerabilities, 5 have been assigned vulnerability numbers, which are CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE -2023-26076, these 14 vulnerabilities must meet additional conditions to be exploited, such as a malicious mobile operator, or hackers must physically access the device.
The above-mentioned 18 security vulnerabilities affect dozens of Exynos chips and affect the devices using them, covering Samsung’s Galaxy S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 mobile phones, Vivo’s S16 , S15, S6, X70, X60 and X30 mobile phones, Google’s Pixel 6 and Pixel 7, and wearable devices using Exynos W920, or any car using Exynos Auto T5123, etc.
Google has patched the CVE-2023-24033 vulnerability of the Pixel mobile phone in the March security update launched this week. Since the timing of patching the vulnerability varies from company to company, Tim Willis, senior security engineering manager of Project Zero, suggested that those with related devices Users can temporarily disable Wi-Fi calling (Wi-Fi calling) and Voice-over-LTE (VoLTE) functions in the settings to avoid being attacked.
According to Google’s vulnerability disclosure policy, these four critical vulnerabilities have exceeded the 90-day disclosure period, but the Project Zero team decided to postpone the disclosure of related vulnerabilities because the disclosure of them may bring more benefits to hackers than to defenders.
Among the other 14 vulnerabilities, the above-mentioned 5 numbered vulnerabilities have exceeded the disclosure deadline and have been made public by Google and Samsung. The other vulnerabilities will be made public when the disclosure deadline is reached.