Massive vulnerability in Exynos modems

Lakados

The modems used in the Samsung Exynos package have a series of very bad 0-day vulnerabilities.
They allow a remote attacker to gain access to the device by only knowing the phone number.
Due to the severity of the flaw, the amount of time it is taking to patch it, and how quickly Google believes a malicious actor could develop an exploit for it, they have forgone their normal 90-day publishing cycle for the issue, despite the fact that 90 days have long since passed.

A small list of affected devices:
  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Any vehicles that use the Exynos Auto T5123 chipset
https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/#:~:text=The Exynos modem security flaws,the Internet to the baseband.

Such fun times...
Samsung also confirmed Project Zero's workaround, saying that "users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability."
 
A couple of things--in the US, take the S22 off the list, as they don't use Exynos. UK and Europe supposedly got the Exynos, but I don't know which other countries did. US, South Korea, and India were all supposed to get Snapdragons.

Also, "turn off VoLTE" means "voice calls go to 3G" AIUI, which makes "turn off VoLTE" mean "lose the ability to make/receive voice calls" for those carriers who shut off their 3G networks.
 
I thought I read that (for the Pixels anyway) this was already patched with the March Security update and is no longer an issue?

Edit: Yep, this article confirms it too. Glad they're moving relatively quickly here, but it still brings up some questions about how different the various Pixel components are from more common Exynos- or Snapdragon-based SoCs if they were previously vulnerable.
 
My Pixel 6 did get the March update after much delay. But I have not seen direct, clear confirmation that it fixes this vulnerability.
 
The update fixes the 4 severe ones that would let them in with just a phone number, but does not fix the remaining 14. This changes the nature of the attack from something that can be remotely executed to something that needs user interaction on the device, though, so there is at least that.
Many phones are apparently not seeing the automatic updates, though, probably some sort of vendor locking I would assume, but Google says you can sideload the update.
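Since several people in the thread were unsure whether their phone actually has the March update, here is an added example (not posted by anyone in this thread, and not Google's or Samsung's tooling) that reads the device's reported security patch level and compares it against a threshold. The Android system property `ro.build.version.security_patch` is real; the assumption is that the fix referred to above ships in a build whose patch level is 2023-03-01 or later, and the threshold is a variable so it can be adjusted. Note that this only tells you the patch level string the firmware reports; it says nothing about the remaining 14 issues.

```shell
#!/bin/sh
# Added example: check an Android device's security patch level.
# Assumption (not stated by the thread): the update that fixed the four
# remotely exploitable baseband bugs carries a patch level of 2023-03-01
# or later. Override with EXYNOS_FIX_LEVEL=YYYY-MM-DD if needed.
EXYNOS_FIX_LEVEL=${EXYNOS_FIX_LEVEL:-2023-03-01}

# Return 0 if $1 (YYYY-MM-DD) is on or after $2 (YYYY-MM-DD), 1 otherwise.
# Anything that is not a well-formed YYYY-MM-DD string (empty, "unknown",
# a value with a stray carriage return) is treated as NOT patched, so a
# garbled property value can never be mistaken for a good one.
patch_level_at_least() {
    level=$1
    threshold=$2
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case $threshold in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the hyphens: 2023-03-05 becomes 20230305, which compares
    # correctly as an integer and avoids non-portable date(1) flags.
    n=$(printf '%s' "$level" | tr -d -)
    t=$(printf '%s' "$threshold" | tr -d -)
    [ "$n" -ge "$t" ]
}

# Report whether a device is at or past the fix level. If $1 is given it
# is used as the patch level (copy it from Settings > About phone);
# otherwise the value is read over adb from a connected device.
# Returns 0 when the level is at or past the threshold, 1 otherwise.
report_device() {
    level=${1:-$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')}
    if patch_level_at_least "$level" "$EXYNOS_FIX_LEVEL"; then
        printf 'patch level %s is at or past %s\n' "$level" "$EXYNOS_FIX_LEVEL"
        return 0
    fi
    printf 'patch level "%s" is before %s (or unreadable); update or sideload\n' \
        "$level" "$EXYNOS_FIX_LEVEL"
    return 1
}

# Usage: ./check_patch_level.sh            (reads the level over adb)
#        ./check_patch_level.sh 2023-03-05 (checks a level you supply)
if [ $# -gt 0 ]; then
    report_device "$1"
fi
```

Run it with the phone plugged in and USB debugging enabled, or pass the patch level shown under Settings > About phone as the first argument if you would rather not use adb.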
 

One of my phones is a Pixel 6A unlocked, and it didn't automatically update. I had to go into it, search for updates and download the security update, which is a little odd; it normally would grab the updates by itself. Wondering if Google did an upgrade rotation kind of like Microsoft does.
 
I think they have been doing staggered updates for a while now. I always have to get the update by asking for it (on T-Mobile/US).
 