Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

Published: 23/11/2024   Category: security




Users of affected devices who want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.



A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.
Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.
In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.
Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.
Tests conducted by Project Zero confirm that those four vulnerabilities [CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498] allow an attacker to remotely compromise a phone at the baseband level, Willis said. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.
In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being severe and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.
Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.
In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait.
In November, Project Zero researchers reported on what they described as a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.
The easy part is fixing the hardware flaws with new software, says Ted Miracco, CEO at Approov. The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices, he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware of the vulnerabilities, he says.
Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 
This is an area where the Android ecosystem needs to put a lot of attention, as updates can be few and far between with many manufacturers of mobile devices, he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.
Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access, he notes.
With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air, Vishnubhotla adds.
