Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets

Submitted by
Style Pass
2023-03-17 08:30:07

Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars.

The Exynos modem security flaws were reported between late 2022 and early 2023. Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband.

These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.

"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.

The only information required for the attacks to be pulled off is the victim's phone number, according to Tim Willis, the Head of Project Zero.
