Idan aka yi amfani da su, waɗannan kurakuran na iya ba wa maharan damar samun dama ga bayanai masu mahimmanci ba tare da izini ba ko kuma gabaɗaya haifar da matsala
Masu bincike daga ƙungiyar Google Project Zero, bayyana kwanan nan ta hanyar wani blog post, da gano 18 vulnerabilities gano en samsung modem Exynos 5G/LTE/GSM.
A cewar wakilan Google Project Zero, bayan wasu ƙarin bincike, ƙwararrun maharan za su iya hanzarta shirya wani aiki na aiki wanda ke ba da damar samun ikon nesa a matakin ƙirar mara waya, sanin lambar wayar wanda aka azabtar kawai. Ana iya kai harin ba tare da mai amfani ya san shi ba kuma baya buƙatar wani mataki daga mai amfani, wanda ke sa wasu daga cikin raunin da aka gano suna da mahimmanci.
da hudu mafi hatsari rauni (CVE-2023-24033) ba da izinin aiwatar da lambar a matakin guntu na band tushe ta hanyar sarrafa hanyoyin sadarwar Intanet na waje.
A ƙarshen 2022 da farkon 2023, Project Zero ya ba da rahoton lahani na kwana goma sha takwas a cikin modem Exynos wanda Samsung Semiconductor ya samar. Hudu mafi tsanani daga cikin waɗannan lahani goma sha takwas (CVE-2023-24033 da wasu lahani guda uku waɗanda ba a sanya su ba tukuna CVE-IDs) sun ba da izinin aiwatar da lambar nesa daga Intanet zuwa baseband.
Daga cikin 14 da suka rage, an ambaci hakan suna da ƙananan matakan tsanani, tunda harin yana buƙatar samun dama ga ababen more rayuwa na afaretan cibiyar sadarwar wayar hannu ko samun damar gida zuwa na'urar mai amfani. Ban da raunin CVE-2023-24033, wanda aka ba da shawarar gyarawa a cikin sabunta firmware na Maris don na'urorin Google Pixel, batutuwan sun kasance ba a warware su ba.
Ya zuwa yanzu, kawai abin da aka sani game da raunin CVE-2023-24033 shine cewa yana faruwa ta hanyar duba tsarin sifa ba daidai ba na nau'in karba da aka watsa a cikin saƙonnin Bayanin Zama (SDP).
Gwajin da Project Zero ya yi ya tabbatar da cewa waɗannan lahani guda huɗu suna ba maharin damar yin sulhu da waya a nesa ba tare da mu'amalar mai amfani ba, kuma kawai yana buƙatar maharin ya san lambar wayar wanda abin ya shafa. Tare da ƙayyadaddun ƙarin bincike da haɓakawa, mun yi imanin ƙwararrun ƙwararrun maharan za su iya yin amfani da aiki cikin sauri don lalata na'urorin da abin ya shafa cikin shiru.
Rashin lahani yana bayyana a cikin na'urori sanye take da guntun Samsung Exynos, sDangane da bayanai daga gidajen yanar gizo na jama'a waɗanda ke sanya kwakwalwan kwamfuta zuwa na'urori, samfuran da abin ya shafa suna iya haɗawa da:
- Samsung wayar hannu, ciki har da S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 da A04 jerin;
- Na'urorin hannu na Vivo, gami da S16, S15, S6, X70, X60 da X30;
- Google Pixel 6 da Pixel 7 jerin na'urori; kuma
- kowace mota ta amfani da Exynos Auto T5123 chipset.
Har sai masana'antun sun gyara lahani, ana bada shawara ga masu amfani wanda ke kashe goyon bayan VoLTE (Voice-over-LTE) da aikin kiran Wi-Fi a cikin saitunan. Kashe waɗannan saitunan zai kawar da haɗarin amfani da waɗannan raunin.
Saboda hatsarin rauni da kuma haqiqanin saurin bayyanar da amfani. Google ya yanke shawarar yin keɓe don matsalolin 4 mafi haɗari da kuma jinkirta bayyanar da bayanai game da yanayin matsalolin.
Kamar koyaushe, muna ƙarfafa masu amfani da ƙarshen su sabunta na'urorin su da wuri-wuri don tabbatar da cewa suna gudanar da sabbin gine-gine waɗanda ke gyara ɓoyayyiyar raunin tsaro da ba a bayyana ba.
Ga sauran raunin, za a bi jadawalin bayyanar da cikakkun bayanai kwanaki 90 bayan sanarwar ga masana'anta (bayani kan raunin CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 da CVE-2023-26076 -9-90 yana samuwa yanzu a cikin tsarin bin diddigin kwaro kuma ga sauran batutuwan XNUMX, jiran kwanaki XNUMX bai ƙare ba tukuna).
Rashin raunin da aka ruwaito CVE-2023-2607* ana haifar da shi ta hanyar buffer ambaliya yayin yanke wasu zaɓuɓɓuka da jeri a cikin NrmmMsgCodec da NrSmPcoCodec codecs.
A ƙarshe, idan kuna sha'awar ƙarin sani game da shi zaka iya duba bayanan A cikin mahaɗin mai zuwa.