Google Disclosed 18 Zero-day in Samsung Exynos Chipsets

Among these vulnerabilities, four (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs), were classified as severe and allowed for Internet-to-baseband remote code execution. 

These four vulnerabilities can be exploited by an attacker to remotely compromise a phone at the baseband level with no user interaction, requiring only the victim's phone number.

The remaining fourteen vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076 and nine other vulnerabilities that are yet to be assigned CVE-IDs)  were not as severe, as they required either a malicious mobile network operator or an attacker with local access to the device. 

The affected devices included Samsung's S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, Vivo's S16, S15, S6, X70, X60, and X30 series, the Pixel 6 and Pixel 7 series of devices from Google, and any vehicles that use the Exynos Auto T5123 chipset. - according to Samsung Semiconductor's advisories.

Patch timelines for these vulnerabilities will vary per manufacturer. In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. 

The Google Security Team has made an exception to their standard disclosure policy and delayed disclosure of the four most severe vulnerabilities due to the rare combination of the level of access these vulnerabilities provide and the speed with which they believe a reliable operational exploit could be crafted. 

However, they will continue their history of transparency by publicly sharing disclosure policy exceptions and adding these issues to that list once they are all disclosed. Of the remaining fourteen vulnerabilities, five vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, and CVE-2023-24076) have exceeded Project Zero's standard 90-day deadline and have been publicly disclosed in their issue tracker, while the remaining nine vulnerabilities will be publicly disclosed at that point if they are still unfixed.

As always, the Google Security Team encourages end-users to update their devices as soon as possible to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities. It is crucial to remain vigilant and take necessary precautions to protect personal information and devices from potential security threats.

Update: 

2023-03-20: Google Pixel updated their March 2023 Security Bulletin to now show that all four Internet-to-baseband remote code execution vulnerabilities were fixed for Pixel 6 and Pixel 7 in the March 2023 update, not just one of the vulnerabilities, as originally stated.

2023-03-20: Samsung Semiconductor updated their advisories to include three new CVE-IDs, that correspond to the three other Internet-to-baseband remote code execution issues (CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498). The blog post text was updated to reflect these new CVE-IDs.