Google Project Zero reported eighteen 0-day vulnerabilities in Exynos modems made by Samsung Semiconductor.
Four of the most serious ones allowed for Internet-to-baseband remote code execution. Knowing only the victim’s phone number, an attacker can remotely compromise the phone at the baseband level with no user interaction.
The 14 other vulnerabilities require either a malicious mobile network operator or an attacker with local access to the device. The vulnerabilities affect:
- Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series devices;
- Vivo S16, S15, S6, X70, X60, and X30 series devices;
- Google Pixel 6 and Pixel 7 series devices;
- Any wearable devices that use the Exynos W920 chipset;
- Any vehicles that use the Exynos Auto T5123 chipset.
Affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update (https://t.me/google_nws/3192); the Pixel 6 series should receive an update on March 20.
Until their devices receive the patch, users are advised to disable Wi-Fi calling and VoLTE calls in their device settings to protect themselves from the vulnerabilities.
Samsung responded to the matter: “At the end of last year, we received a security issue notification for Google Project Zero, and Samsung has provided all customers with a patch version for this vulnerability, and the related issues have now been resolved.”