Numerous vulnerabilities detected in Exynos modems

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

Researchers from Google's Project Zero team recently disclosed, in a blog post, the discovery of 18 vulnerabilities found in Samsung Exynos 5G/LTE/GSM modems.

According to the Google Project Zero representatives, after some additional research, skilled attackers would be able to quickly prepare a working exploit that gains remote control at the level of the wireless module, knowing only the victim's phone number. The attack can be carried out without the user's knowledge and requires no action from the user, which makes the discovered vulnerabilities critical.

The four most dangerous vulnerabilities (CVE-2023-24033) allow code execution at the baseband chip level through manipulation from external Internet networks.

In late 2022 and early 2023, Project Zero reported eighteen zero-day vulnerabilities in Exynos modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have not yet been assigned CVE-IDs) allowed remote code execution from the Internet to the baseband.

The remaining 14 vulnerabilities are noted to have a lower severity level, since the attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, whose fix was planned for the March firmware update for Google Pixel devices, the issues remain unresolved.

So far, the only thing known about CVE-2023-24033 is that it is caused by improper checking of the format of the accept-type attribute transmitted in Session Description Protocol (SDP) messages.

Testing by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level without user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The vulnerabilities appear in devices equipped with Samsung Exynos chips. Based on information from public websites that map chipsets to devices, affected products may include:

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including the S16, S15, S6, X70, X60 and X30 series;
  • Google's Pixel 6 and Pixel 7 series of devices; and
  • any vehicle that uses the Exynos Auto T5123 chipset.

Until manufacturers fix the vulnerabilities, users are advised to disable VoLTE (Voice-over-LTE) support and the Wi-Fi calling feature in the settings. Disabling these settings will eliminate the risk of exploitation of these vulnerabilities.

Because of the danger of the vulnerabilities and the likelihood that exploits would appear quickly, Google decided to make an exception for the 4 most dangerous issues and delay the disclosure of information about the nature of the problems.

As always, we encourage end users to update their devices as soon as possible to ensure they are running the latest builds, which fix both disclosed and undisclosed security vulnerabilities.

For all the other vulnerabilities, the disclosure schedule of 90 days after notification to the manufacturer will be followed (information on vulnerabilities CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 is now available in the bug tracking system, and for the remaining 9 issues the 90-day wait has not yet expired).

The disclosed CVE-2023-2607* vulnerabilities are caused by buffer overflows when decoding certain options and lists in the NrmmMsgCodec and NrSmPcoCodec codecs.
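The bug class named above, shown from the defender's side as an added example; it is not Samsung's code, and the article gives no details of the affected message formats. It assumes a generic option list of [2-byte id][1-byte length][value] entries, and the names `decode_opts`, `decode_sample`, `MAX_OPTS` and `MAX_VAL` are hypothetical. Every declared length and the option count are checked against both the remaining input and the destination before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_OPTS 4  /* assumed: slots in the caller's option table */
#define MAX_VAL  8  /* assumed: bytes in each value buffer */
struct opt { uint16_t id; uint8_t len; uint8_t val[MAX_VAL]; };

/* Decode [id:2][len:1][value:len]... (assumed layout) into out[]. Returns the
 * option count, or -1 when a length or the option count does not fit. */
int decode_opts(const uint8_t *buf, size_t n, struct opt *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < n) {
        if (n - off < 3) return -1;        /* truncated option header */
        uint8_t len = buf[off + 2];
        if (len > n - off - 3) return -1;  /* value runs past end of input */
        if (len > MAX_VAL) return -1;      /* value larger than destination */
        if (count >= max_out) return -1;   /* more options than table slots */
        out[count].id = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        out[count].len = len;
        memcpy(out[count].val, buf + off + 3, len);
        off += 3u + len;
        count++;
    }
    return (int)count;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t ok[]        = {0x00,0x0d,0x04,8,8,8,8, 0x00,0x10,0x02,0x05,0xdc};
static const uint8_t past_end[]  = {0x00,0x0d,0x20,1,2};               /* len 32, 2 bytes left */
static const uint8_t too_big[]   = {0x00,0x0d,0x09,1,2,3,4,5,6,7,8,9}; /* 9 > MAX_VAL */
static const uint8_t too_many[]  = {0,1,0, 0,2,0, 0,3,0, 0,4,0, 0,5,0}; /* 5 > MAX_OPTS */
static const uint8_t cut_short[] = {0x00,0x0d};                        /* header truncated */

int decode_sample(int which)  /* which: 0..4, index into the samples above */
{
    static const struct { const uint8_t *p; size_t n; } s[] = {
        {ok, sizeof ok}, {past_end, sizeof past_end}, {too_big, sizeof too_big},
        {too_many, sizeof too_many}, {cut_short, sizeof cut_short} };
    struct opt table[MAX_OPTS];
    return decode_opts(s[which].p, s[which].n, table, MAX_OPTS);
}

int main(void)
{
    for (int i = 0; i < 5; i++) printf("sample %d -> %d\n", i, decode_sample(i));
    return 0;
}
```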

Finally, if you are interested in learning more, you can consult the details at the following link.

