Multiple vulnerabilities found in Exynos modems

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or cause problems in general.

Researchers from the Google Project Zero team recently disclosed, in a blog post, the discovery of 18 vulnerabilities in Samsung Exynos 5G/LTE/GSM modems.

According to Google Project Zero representatives, after some additional research, skilled attackers will be able to quickly prepare a working exploit that gives remote control at the level of the wireless module, knowing only the victim's phone number. The attack can be carried out without the user being aware of it and requires no action from the user, which makes some of the discovered vulnerabilities critical.

The four most dangerous vulnerabilities (CVE-2023-24033) allow code execution at the baseband chip level by way of external Internet networks.

In late 2022 and early 2023, Project Zero reported eighteen zero-day vulnerabilities in Exynos modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have not yet been assigned CVE-IDs) allowed Internet-to-baseband remote code execution.

The remaining 14 vulnerabilities are said to have a lower severity level, since the attack requires access to the mobile network operator's infrastructure or local access to the user's device. With the exception of CVE-2023-24033, which was proposed to be fixed in the March firmware update for Google Pixel devices, the issues remain unresolved.

So far, the only thing known about CVE-2023-24033 is that it is caused by incorrect format checking of the accept-type attribute transmitted in Session Description Protocol (SDP) messages.
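The kind of strict format check that sentence refers to, as an added example in C (not Samsung's or Project Zero's code): it validates one SDP attribute line and rejects anything malformed or oversized before copying it. It assumes the attribute has the a=accept-types: form defined in RFC 4975; the function names and size limits are chosen for this example.

```c
/* Added example. Assumed syntax (RFC 4975): a=accept-types:entry *(SP entry) */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 8   /* assumed cap on entries per line (example value) */
#define MAX_ENTRY   32  /* assumed cap on one entry, including the NUL */

static int token_ok(const char *s, size_t n) {  /* non-empty, only [A-Za-z0-9.+-] */
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.' && c != '+') return 0;
    }
    return 1;
}

/* An entry is "*", "type/*" or "type/subtype"; anything else is rejected. */
static int entry_ok(const char *s, size_t n) {
    if (n == 1 && s[0] == '*') return 1;
    const char *slash = memchr(s, '/', n);
    if (!slash) return 0;
    size_t tlen = (size_t)(slash - s), slen = n - tlen - 1;
    if (!token_ok(s, tlen)) return 0;
    return (slen == 1 && slash[1] == '*') || token_ok(slash + 1, slen);
}

/* Copies validated entries into out[]; returns their count, or -1 to reject the line. */
int parse_accept_types(const char *line, char out[MAX_ENTRIES][MAX_ENTRY]) {
    static const char prefix[] = "a=accept-types:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = line + sizeof prefix - 1;
    for (int count = 0; count < MAX_ENTRIES; ) {
        size_t n = strcspn(p, " ");            /* length of the next entry */
        if (n >= MAX_ENTRY || !entry_ok(p, n)) return -1;
        memcpy(out[count], p, n);              /* n < MAX_ENTRY, so this fits */
        out[count++][n] = '\0';
        if (p[n] == '\0') return count;
        p += n + 1;                            /* exactly one separating space */
    }
    return -1;                                 /* more than MAX_ENTRIES entries */
}

int main(void) {
    char out[MAX_ENTRIES][MAX_ENTRY];
    /* Constructed sample lines, not taken from any real capture. */
    printf("%d\n", parse_accept_types("a=accept-types:text/plain image/* *", out));
    printf("%d\n", parse_accept_types("a=accept-types:text/plain  text/html", out));
    return 0;
}
```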

Testing by Project Zero confirms that these four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

The vulnerabilities appear in devices equipped with Samsung Exynos chips. Based on information from public websites that map chipsets to devices, the affected products may include:

  • Samsung mobile devices, including the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Vivo mobile devices, including the S16, S15, S6, X70, X60 and X30 series;
  • Google's Pixel 6 and Pixel 7 series of devices; and
  • any vehicle that uses the Exynos Auto T5123 chipset.

Until manufacturers fix the vulnerabilities, users are advised to disable VoLTE (Voice-over-LTE) support and Wi-Fi calling in the settings. Disabling these settings removes the risk of these vulnerabilities being exploited.

Because of the danger of the vulnerabilities and the likelihood that exploits would appear quickly, Google decided to make an exception for the 4 most dangerous issues and delay disclosure of information about the nature of the problems.

As always, we encourage end users to update their devices as soon as possible to ensure that they are running the latest builds, which fix both disclosed and undisclosed security vulnerabilities.

For all the other vulnerabilities, the disclosure schedule will be followed 90 days after notification to the manufacturer (information on vulnerabilities CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076 is now available in the bug tracking system, and for the remaining 9 issues the 90-day wait has not yet expired).

The reported CVE-2023-2607* vulnerabilities are caused by a buffer overflow when decoding certain options and lists in the NrmmMsgCodec and NrSmPcoCodec codecs.

Finally, if you are interested in learning more about it, you can check the details at the following link.

