Nathanael Newton

!!! UPDATE YOUR PHONE NOW !!!

RCE exploit

Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
Any wearables that use the Exynos W920 chipset
Any vehicles that use the Exynos Auto T5123 chipset

Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve internet-to-baseband remote code execution
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Project Zero is making a “policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.” This is “due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted.”

https://9to5google.com/2023/03/16/google-exynos-modem-vulnerabilities/

Google: Turn off VoLTE, Wi-Fi calling due to severe Exynos modem vulnerabilities on Pixel 6, more

Google found severe vulnerabilities with Exynos modems used on the Pixel 6 and Samsung phones that warrant disabling VoLTE & Wi-Fi calling...

9to5Google
Mar 17, 2023 at 1:28pmWeb
Show threadAnthony SteeleMar 17, 2023
@igmrlm So that's why the samsung has an OS update this morning
Show threadBen AvelingMar 17, 2023
@anthony_steele Have you checked the release notes? @igmrlm
Show threadBen AvelingMar 17, 2023
@igmrlm March patch is available, release notes do not mention CVE-2023-24033. https://security.samsungmobile.com/securityUpdate.smsb @anthony_steele
Samsung Mobile Security

Show threadBen AvelingMar 17, 2023
@igmrlm It's advisable to get the update (Settings » Software update, click on Download and install.) but it won't fix this CVE.
Until an update that does fix this CVE is available, the only way to be safe appears to be: switch off Wi-Fi calling and Voice-over-LTE (VoLTE) in device settings.
Show threadBen AvelingMar 17, 2023
@igmrlm According to NIST, CVE-2023-24033 is 'only' a denial of service. They've still rated it as 9.8, make of that what you will.
https://nvd.nist.gov/vuln/detail/CVE-2023-24033
NVD - CVE-2023-24033

Show threadBen AvelingMar 17, 2023
@igmrlm On my reading, the announced CVE numbers aren't the really really bad ones. They're not releasing those yet, just telling us that they exist.
Show threadDouglas KilpatrickMar 17, 2023

@igmrlm https://mastodon.social/@kilpatds/110039008740312031

The claims that there are patches available for Pixel 6 phones are wrong. Google has released no update for the Pixel 6.

Show threadDouglas KilpatrickMar 17, 2023
@igmrlm and the article has now been updated to correctly call out the situation for Pixel 6 users
Show thread🆘Bill Cole 🇺🇦Mar 17, 2023
@igmrlm @hacks4pancakes Updating isn’t adequate. #Samsung has not (and I expect WILL NEVER) put out an update that fixes the problem. People need to disable useful functionality (VoLTE/WiFi calling) to become safe.
Show threadLesley Carhart Mar 17, 2023
@grumpybozo @igmrlm I read that as upgrade to a new device through your carrier, fwiw
Show threadkira :3Mar 17, 2023
@igmrlm one of my favorite things about android is how my pixel 6 thinks it's fully updated on the february patch. smartphones were a mistake
Show threadTim SchofieldMar 17, 2023

@igmrlm I have been trying to update my Pixel 6 since the original March update was released, and not getting anything.

Dont know why this is not happening @maddiestone or anyone else on the @Google Project Zero team...

Show threadKay Ohtie 🎈🌵🐺Mar 17, 2023
@igmrlm @hack13 Irritatingly, not all phones have it, specifically the March 2023 security updates. 6 series still waiting it seems.
Show threadSoulfire the WolfMar 17, 2023
Google is taking way to long to push out updates
Show threadKate Nyhan is changing serversMar 19, 2023
@igmrlm Hi, is it correct that the Pixel 6a is affected? The specifications at https://store.google.com/product/pixel_6a_specs?hl=en-US look like it has a Google Tensor processor instead of an Exynos one.