In a up to date announcement, Google Safety Staff disclosed that Venture 0 had reported eighteen 0-day vulnerabilities in Exynos Modems produced through Samsung Semiconductor.
Amongst those vulnerabilities, 4 (CVE-2023-24033 and 3 different vulnerabilities that experience but to be assigned CVE-IDs), had been categorized as critical and allowed for Web-to-baseband far off code execution.
Those 4 vulnerabilities may also be exploited through an attacker to remotely compromise a telephone on the baseband degree without a person interplay, requiring best the sufferer’s telephone quantity.
The rest fourteen vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and 9 different vulnerabilities which might be but to be assigned CVE-IDs) weren’t as critical, as they required both a malicious cellular community operator or an attacker with native get admission to to the instrument.
The affected gadgets integrated Samsung’s S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 collection, Vivo’s S16, S15, S6, X70, X60, and X30 collection, the Pixel 6 and Pixel 7 collection of gadgets from Google, any wearables that use the Exynos W920 chipset, and any cars that use the Exynos Auto T5123 chipset. – in step with Samsung Semiconductor’s advisories.
Patch timelines for those vulnerabilities will range consistent with producer. Within the interim, customers with affected gadgets can give protection to themselves from the baseband far off code execution vulnerabilities through turning off Wi-Fi calling and Voice-over-LTE (VoLTE) of their instrument settings.
The Google Safety Staff has made an exception to their usual disclosure coverage and not on time disclosure of the 4 maximum critical vulnerabilities because of the uncommon mixture of the extent of get admission to those vulnerabilities supply and the rate with which they imagine a competent operational exploit might be crafted.
On the other hand, they are going to proceed their historical past of transparency through publicly sharing disclosure coverage exceptions and including those problems to that checklist as soon as they’re all disclosed. Of the remainder fourteen vulnerabilities, 5 vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, and CVE-2023-24076) have exceeded Venture 0’s usual 90-day closing date and feature been publicly disclosed of their factor tracker, whilst the remainder 9 vulnerabilities might be publicly disclosed at that time if they’re nonetheless unfixed.
As at all times, the Google Safety Staff encourages end-users to replace their gadgets once imaginable to be sure that they’re working the most recent builds that repair each disclosed and undisclosed safety vulnerabilities. It is vital to stay vigilant and take important precautions to offer protection to private knowledge and gadgets from doable safety threats.
https://www.cyberkendra.com/2023/03/google-disclosed-18-zero-day.html
