Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

Shared on March 17, 2023

Tim Willis for Google’s Project Zero:

In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The fourteen other related vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.

These vulnerabilities affect many Android devices, so check whether yours is among those affected. Although the interim mitigation is to temporarily disable Wi-Fi calling and VoLTE, most carriers in the US require VoLTE for calls; T-Mobile is the only national carrier still running a small 2G network that could carry calls with VoLTE turned off. Nonetheless, it is worth watching for developments in this area and applying any patch as soon as it becomes available.