Google’s Project Zero team released a new advisory on Thursday, confirming that 18 zero-day vulnerabilities were reported in Exynos modems made by Samsung in late 2022 and early 2023.
In a blog post written by Tim Willis, head of Project Zero, four vulnerabilities (CVE-2023-24033 and three others that have not yet been assigned a CVE-ID) allow potential attackers to: It says it can now perform remote code execution from the Internet to the baseband. (RCE).
“These four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level, and the attacker only needs to know the victim’s phone number, no user interaction is required,” Willis said. explains. “With limited additional research and development, we believe skilled attackers can rapidly create operational exploits to compromise affected devices silently and remotely.”
The remaining 14 flaws are less severe as they require a malicious mobile network operator or an attacker with local access to the device to perform the RCE.
According to Samsung’s Product Security Updates webpage, the list of Exynos chipsets affected by the zero-day includes several devices. Google estimates that several Samsung smartphones, including the S22 line, may be affected. Several handheld devices by Vivo are also on the list, as are the Google Pixel 6 and Pixel 7 series, and all vehicles using the Exynos Auto T5123 chipset.
Read more about Android vulnerabilities here: Google Fixes Critical Android Bluetooth Vulnerability in August Security Bulletin
In a blog post, Willis explained that individual manufacturers are responsible for fixing the above vulnerabilities. Google has already patched vulnerabilities affecting Pixel phones
“In the meantime, users with affected devices should turn off WiFi calling and Voice-over-LTE (VoLTE) in their device settings to prevent baseband remote code execution as referenced in this post. You can protect yourself from the vulnerabilities of ,” reads the post.
“As always, we encourage end users to update their devices as soon as possible to ensure they are running the latest builds that fix both public and undisclosed security vulnerabilities. To do.”
The disclosure comes days after security researchers at Check Point Software shared information about a new Android vishing (voice phishing) malware tool targeting victims in South Korea.
