Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html

Kaspersky Lab article (in French): https://www.kaspersky.fr/blog/samsung-exynos-vulnerabilities/20344/

Samsung have released the fixes; will the next e/OS version include these fixes?

It’s not a software fix, but a firmware fix.
As they are software-independent, they may come from the manufacturer.

So in that case, if there is an update in the firmware for S9 for this problem (not too likely) from Samsung, the only way I could get it would be to restore my phone back to stock Android, accept update, then reinstall e/OS?

Not going to happen.

Your S9 doesn’t have the Exynos chip that was deemed affected:

  • Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo S16, S15, S6, X70, X60 and X30 series;
  • Pixel 6 and Pixel 7
  • any vehicles that use the Exynos Auto T5123 chipset

Not to say there don’t exist issues, but not that one in particular. Though it is likely it speaks to a common issue in the Exynos modem stack, I don’t think researchers will look again into the S9 era line of phones.

The S9 is also outside the time window in which it receives firmware updates - https://security.samsungmobile.com/workScope.smsb

So does this mean that running a secure mobile phone on e/OS longer than it is supported by the manufacturer is a fallacy?

If so, to stay on e/OS we need current devices running e/OS.

At this point is there any advantage to being on e/OS as opposed to CalyxOS?

With CalyxOS I could have the latest phone running the current version of Android, with monthly OTA updates and the device (Pixel) will be supported for many years by the manufacturer.

The answer has always been “buy a Pixel” if device security is paramount; few other manufacturers release their firmware fixes as quickly. As to the fallacy - it never was one. Outside manufacturer support is “going commando”.

/e/OS does not claim to be a secure phone OS. It is however noticeably more secure than running a vendor’s out-of-date, unsupported stock ROM, because it includes regular security updates from LineageOS and from AOSP upstream.

It also has the advantage of keeping older phones functioning - and reasonably secure - well beyond their ‘supported’ lifespan, meaning it is possible to get off the unsustainable carousel of constantly buying new devices to replace older devices which are still functional.

because it includes regular security updates from LineageOS and from AOSP upstream.

But then goes 5 months without updating the browser for some asinine reasons and additionally completely ignores any sort of kernel backports.

longer than it is supported by the manufacturer is a fallacy?

I explain what can be and is handled by systems here: https://divestos.org/pages/patch_levels#osSecurity

Threads like these devolve quickly into “/e/ vs security” topics. I guess due to user education and a bit of psychology.

The vulnerability in the VoLTE stack is interesting (XML parsing in the SIP component) and I guess it’s out there manifold if people go looking. There’s an argument for disabling prop. stacks - you can’t inspect and can’t update them on your own.

The more juicy issue comes with the April ASB with 2 RCEs on system component, so everyone is on their toes, not elite Exynos device owners only 🙂

Two issues is meh: the March PSB had over 145 security fixes in it that anyone not running Android 13 QPR2 is completely missing.

It is the same story every month, it sadly never ends.

So you finally agree, ultimate security is not buying into smartphones altogether? 🙂


🫠

petefoth, I will give you a car analogy from what I hear you say - Samsung car firmware has an issue so brakes do not work, it also has a software issue where the headlights do not work, but it’s OK with e/OS as with e/OS the headlights work.

I do not care, I do not want to be driving a car without brakes.

Any security is only as good as the weakest link; if e/OS does not patch major vulnerabilities, who cares if it patches minor ones.

If you believe that the vulnerabilities described in the linked article are comparable to having a car without brakes, then there is really no point to this discussion. Goodbye 🙂
