Multiple vulnerabilities detected in Exynos modems


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

Researchers from the Google Project Zero team recently disclosed, in a blog post, the discovery of 18 vulnerabilities in Samsung Exynos 5G/LTE/GSM modems.

According to Google Project Zero representatives, after some additional research, skilled attackers will be able to quickly prepare a working exploit that gives remote control at the wireless module level, knowing only the victim's phone number. The attack can be carried out without the user noticing and requires no action from the user, which makes some of the discovered vulnerabilities critical.

The four most dangerous vulnerabilities (CVE-2023-24033) allow code execution at the baseband chip level through manipulation from the external Internet network.

In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have not yet been assigned CVE-IDs) allowed Internet-to-baseband remote code execution.

The remaining 14 vulnerabilities are said to have a lower severity level, since an attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, which was slated to be fixed in the March firmware update for Google Pixel devices, the issues remain unfixed.

So far, the only thing known about the CVE-2023-24033 vulnerability is that it is caused by incorrect checking of the format of the accept-type attribute transmitted in Session Description Protocol (SDP) messages.

Tests conducted by Project Zero confirm that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The vulnerabilities appear in devices with Samsung Exynos chips. Based on information from public websites that map chipsets to devices, affected products may include:

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including the S16, S15, S6, X70, X60 and X30 series;
  • Google's Pixel 6 and Pixel 7 series of devices; and
  • any vehicle that uses the Exynos Auto T5123 chipset.

Until manufacturers fix the vulnerabilities, users are advised to disable VoLTE (Voice-over-LTE) support and the Wi-Fi calling function in the settings. Disabling these settings removes the risk of these vulnerabilities being exploited.

Because of the danger posed by the vulnerabilities and the realistic prospect of an exploit appearing quickly, Google decided to make an exception for the 4 most dangerous issues and postpone disclosure of information about the nature of the problems.

As always, we encourage users to update their devices as soon as possible, to make sure they are running builds that fix both disclosed and undisclosed security vulnerabilities.

For the rest of the vulnerabilities, the disclosure schedule will be followed 90 days after notification to the manufacturer (information on the vulnerabilities CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 is already available in the bug tracking system, and for the remaining 9 issues the 90-day wait has not yet expired).

The reported CVE-2023-2607* vulnerabilities are caused by buffer overflows when writing certain options and lists in the NrmmMsgCodec and NrSmPcoCodec codecs.
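
An added example, not from the original article and not Samsung's or Project Zero's code: a bounds-checked decoder that writes a list of length-prefixed options into fixed-size storage, showing the checks whose absence produces this class of overflow. The `[id:2][len:1][data]` entry layout, the capacities and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS    4   /* assumed capacity of the destination table */
#define MAX_ITEM_LEN 16  /* assumed capacity of one stored entry */

struct item { uint16_t id; uint8_t len; uint8_t data[MAX_ITEM_LEN]; };
struct item_list { size_t count; struct item items[MAX_ITEMS]; };

/* Decode consecutive [id:2][len:1][data:len] entries (assumed layout).
 * Returns 0 on success; -1 on malformed input, leaving the list empty. */
int decode_list(const uint8_t *buf, size_t buf_len, struct item_list *out)
{
    size_t off = 0;
    out->count = 0;
    while (off < buf_len) {
        if (buf_len - off < 3)            /* truncated entry header */
            goto bad;
        uint16_t id = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint8_t len = buf[off + 2];
        off += 3;
        if (len > buf_len - off)          /* length field runs past the input */
            goto bad;
        if (len > MAX_ITEM_LEN)           /* entry larger than its storage */
            goto bad;
        if (out->count == MAX_ITEMS)      /* more entries than the table holds */
            goto bad;
        struct item *it = &out->items[out->count++];
        it->id = id; it->len = len;
        memcpy(it->data, buf + off, len);
        off += len;
    }
    return 0;
bad:
    out->count = 0;   /* never hand a half-filled list to the caller */
    return -1;
}

int main(void)
{
    /* Constructed sample: the entry claims 5 data bytes, only 1 follows. */
    const uint8_t bad_msg[] = { 0x00, 0x0d, 0x05, 0xaa };
    struct item_list list;
    printf("decode -> %d\n", decode_list(bad_msg, sizeof bad_msg, &list));
    return 0;
}
```

Each of the three rejections guards a different write: the read of the entry header, the copy into one entry's buffer, and the index into the table.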

Finally, if you are interested in learning more about it, you can check the details at the following link.

