Google’s zero-day bug hunting team Project Zero has found 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used across multiple devices including but not limited to smartphones, wearables and even cars. Four of these flaws allowed a remote attacker to remotely compromise the device at the baseband level with no user interaction and only require the user’s phone number to carry out the attack.
The remaining 14 flaws aren’t as critical as execution requires a malicious network carrier or local access. That said, they still pose a risk. Only six vulnerabilities, including one critical, have received CVE IDs so far, with the other 12 still waiting to be tracked. These include the aforementioned critical RCE bug tracked as CVE-2023-24033 and the other less severe flaws including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075 and CVE-2023-24076.
Overall, based on the list of affected chipsets provided by Samsung, affected devices, the Project Zero report says affected devices likely include the following
- Samsung smartphones including S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series
- Vivo smartphones including S16, S15, S6, X70, X60 and X30 series
- Google smartphones including the Pixel 6 and 7 series
- Wearable devices using the Exynos W920 chipset
- Vehicles using the Exynos Auto T5123 chipset
Samsung has already provided security updates addressing these vulnerabilities to vendors. However, even after nearly 90 days of the disclosure, patches still aren’t public and can’t be applied by all affected users either. Most of this delay comes down to manufacturers testing and releasing patches for the affected devices. Google has already fixed CVE-2023-24033, one of the only tracked bugs out of the four critical ones found by Project Zero in its March security updates, with other manufacturers expected to follow soon.
Additionally, Project Zero has also provided workarounds to protect devices in the meantime. Users can disable WiFi calling and VoLTE to mitigate any impacts. The workarounds have been confirmed by Samsung as well.
In the News:Â Lenovo Tech World India: Foldable laptops, VR headset and more