Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google’s Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company’s Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google’s Pixel 6 and Pixel 7 series of devices.

Android Users Face Complete Compromise

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim’s phone number, Project Zero threat researcher Tim Willis wrote.

“Tests conducted by Project Zero confirm that those four vulnerabilities [CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498] allow an attacker to remotely compromise a phone at the baseband level,” Willis said. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being “severe” and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It’s also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company’s March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company’s plans for addressing the vulnerabilities remain unclear as well.

The Android Patch Gap Problem

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that’s any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait.

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

“The easy part is fixing the hardware flaws with new software,” says Ted Miracco, CEO at Approov. “The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices,” he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices.

“This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices,” he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. “It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access,” he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. “This is why it’s important for enterprises to invest in security that can handle zero-day threats and can be updated over the air,” Vishnubhotta adds.