The Challenge Zero staff at Google published a new advisory on Thursday, confirming it documented 18 zero-working day vulnerabilities in Exynos Modems created by Samsung amongst late 2022 and early 2023.
Penned by Challenge Zero head, Tim Willis, the blog site put up states that four of the vulnerabilities (CVE-2023-24033 and a few other people that have nonetheless to be assigned CVE-IDs) enabled prospective attackers to complete internet-to-baseband remote code execution (RCE).
“Those four vulnerabilities enable an attacker to remotely compromise a phone at the baseband stage with no person interaction and have to have only that the attacker know the victim’s phone quantity,” Willis spelled out. “With confined supplemental exploration and advancement, we believe that experienced attackers would be equipped to immediately generate an operational exploit to compromise influenced devices silently and remotely.”
The remaining fourteen flaws would be considerably less critical simply because in get to be exploited they want both a malicious mobile network operator or an attacker with community entry to the gadget to execute RCE.
In accordance to Samsung’s product security update webpage, the checklist of Exynos chipsets influenced by the zero-times consists of several equipment. Google believed that numerous Samsung smartphones, together with the S22 line, may be impacted. Quite a few handheld products by Vivo are also on the record, as are Google Pixel 6 and Pixel 7 sequence and all cars using the Exynos Vehicle T5123 chipset.
Read through more on Android vulnerabilities in this article: Google Patches Critical Android Bluetooth Flaw in August Security Bulletin
In the web site put up, Willis discussed that unique brands are accountable for repairing the vulnerabilities pointed out previously mentioned – Google has currently patched individuals affecting Pixel phones.
“In the meantime, end users with afflicted equipment can shield by themselves from the baseband remote code execution vulnerabilities outlined in this write-up by turning off WiFi contacting and Voice-above-LTE (VoLTE) in their product configurations,” reads the article.
“As constantly, we encourage conclude people to update their products as shortly as feasible to ensure that they are operating the most current builds that deal with the two disclosed and undisclosed security vulnerabilities.”
The disclosure will come times just after security researchers from Look at Position Program shared information and facts about a new Android vishing (voice phishing) malware device focusing on victims in South Korea.
Some elements of this posting are sourced from: