One Article Review
| Source |  ProjectZero |
|---|---|
| Identifiant | 8319206 |
| Date de publication | 2023-03-16 11:09:25 (vue: 2023-03-16 19:05:49) |
| Titre | Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems |
| Texte | Posted by Tim Willis, Project Zero Note: Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities. In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely. The fourteen other related vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine other vulnerabilities that are yet to be assigned CVE-IDs) were not as severe, as they require either a malicious mobile network operator or an attacker with local access to the device.Affected devices Samsung Semiconductor's advisories provide the list of Exynos chipsets that are affected by these vulnerabilities. Based on information from public websites that map chipsets to devices, affected products likely include: Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;The Pixel 6 and Pixel 7 series of devices from Google;any wearables that use the Exynos W920 chipset; andany vehicles that use the Exynos Auto T5123 chipset. Patch timelines We expect that patch timelines will vary per manufacturer (for example, affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update). In the meantime, users w |
| Envoyé | Oui |
| Condensat | 2022 2023 2023 security 24033 24072 24073 24074 24075 24076 a04 a12 a13 a21 a33 a53 a71 able access add additional advisories provide affected after all allow allowed already always andany are assessed assigned attacker attackers auto available baseband based been being believe benefit both builds but calling can cases chipset chipset; chipsets code combination compromise conducted confirm continue could crafted create cve day deadline decided defenders delay delayed development device devices disclosed discloses disclosing disclosure due early eighteen either encourage end ensure example exceeded exception exceptions execution expect exploit exploitation exynos five fix four fourteen from google;any hardware have high history hit ids include: including information interaction internet issue issues know late latest level likely limited list local lte m12 m13 m33 made make malicious manufacturer map march meantime meet mentioned mobile modems more most multiple network nine not note: number off once only operational operator other over patch per phone pixel point policy possible post posted produced products project protect provide public publicly quickly rare received related reliable remaining remote remotely remove reported reporting require research risk running s15 s16 s22 samsung samsung’s security semiconductor series series;mobile series;the set settings severe sharing significantly silently skilled software some soon speed standard t5123 tests than them themselves these those three tim time timelines today tracker transparency turn turning under undisclosed unfixed until update updates use user users vary vehicles vendor very victim vivo voice volte vulnerabilities vulnerability w920 wearables websites where which who will willis wish withheld withheldof would x30 x60 x70 yet zero |
| Tags | Vulnerability Vulnerability |
| Stories | |
| Notes | ★★★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.