Remote stack overflow in Samsung baseband caused by malformed GMM ATTACH ACCEPT message

Posted on Mon 30 November 2020 in Advisory

Description

When the Samsung Shannon baseband receives a GMM ATTACH ACCEPT message (9.4.2 in TS 24.008) from the network, the minimum length of the MS Identity IE (10.5.1.4) is not properly checked.

TS 24.008 GMM ATTACH ACCEPT message

The MS Identity (IEI 0x23) length is decremented without a prior check. If this value is zero, a short integer underflow occurs. This invalid size is then used to copy the received MS Identity data into a stack buffer. The resulting stack overflow can lead to remote arbitrary code execution in the Shannon modem.
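As an added illustration (not Shannon firmware code, and not the vendor's fix), the block below reproduces only the length arithmetic the advisory describes and sets it beside a bounds-checked parser for the MS Identity IE. The minimum and maximum identity lengths, the field layout, and the sample octets are assumptions constructed for this example; the real bounds come from TS 24.008 10.5.1.4.

```c
/* Constructed example: the unchecked-decrement pattern versus a bounds-checked
 * MS Identity IE parser. Not Samsung/Shannon code; bounds are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define MS_IDENTITY_IEI      0x23
#define MS_IDENTITY_MIN_LEN  1   /* assumed: at least the identity-type octet */
#define MS_IDENTITY_MAX_LEN  9   /* assumed: what the destination buffer holds */

/* Vulnerable arithmetic as described in the advisory: the length octet is
 * decremented with no check, so a zero length wraps to 0xFFFF and would then
 * be used as the size of a copy into a fixed-size stack buffer. Only the
 * arithmetic is reproduced here; no copy is performed. */
uint16_t unchecked_copy_len(uint8_t length_octet)
{
    uint16_t len = length_octet;
    len--;                      /* skip the identity-type octet; underflows on 0 */
    return len;                 /* 0 -> 65535 */
}

struct ms_identity {
    uint8_t type_octet;                    /* odd/even indicator + type of identity */
    uint8_t digits[MS_IDENTITY_MAX_LEN];   /* remaining identity octets */
    uint8_t ndigits;
};

/* Hardened parser. ie points at the IEI octet; avail is the number of octets
 * left in the received message from that point. Every octet touched is checked
 * against both the message length and the destination buffer before the copy. */
bool parse_ms_identity(const uint8_t *ie, size_t avail, struct ms_identity *out)
{
    if (avail < 2 || ie[0] != MS_IDENTITY_IEI)
        return false;
    uint8_t len = ie[1];
    if (len < MS_IDENTITY_MIN_LEN || len > MS_IDENTITY_MAX_LEN)
        return false;           /* rejects len == 0 before any decrement */
    if ((size_t)len + 2 > avail)
        return false;           /* IE claims more octets than the message carries */
    out->type_octet = ie[2];
    out->ndigits = (uint8_t)(len - 1);   /* safe: len >= 1 here */
    memcpy(out->digits, ie + 3, out->ndigits);
    return true;
}

/* Returns the number of identity octets parsed, or -1 if the IE is rejected. */
int check_sample(const uint8_t *msg, size_t n)
{
    struct ms_identity id;
    memset(&id, 0, sizeof id);
    return parse_ms_identity(msg, n, &id) ? (int)id.ndigits : -1;
}

/* Constructed inputs (not captured traffic): a well-formed TMSI-style IE,
 * an IE whose length octet is zero, and an IE truncated by the message end. */
const uint8_t sample_tmsi[]      = { 0x23, 0x05, 0xF4, 0x01, 0x02, 0x03, 0x04 };
const size_t  sample_tmsi_len    = sizeof sample_tmsi;
const uint8_t sample_zero_len[]  = { 0x23, 0x00 };
const size_t  sample_zero_len_len = sizeof sample_zero_len;
const uint8_t sample_truncated[] = { 0x23, 0x05, 0xF4, 0x01 };
const size_t  sample_truncated_len = sizeof sample_truncated;
```

The checked parser rejects the zero-length case on the range test, so the decrement never runs on a value that could wrap; the message-length test covers the separate case of an IE whose declared length runs past the end of the received PDU.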

CVSS Version 3 Metrics

  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Overall CVSS Score: 8.8

Affected Versions

Discovered in the Shannon baseband of the Galaxy S8 (SM-G950FD); it may affect other models based on Exynos chipsets.

Solution

The Samsung security update of December 2018 fixes this vulnerability.

Timeline

  • 2018-12-04 Bug fixed in Samsung security update SMR-DEC-2018
  • 2019-05-25 Bug discovered in old firmware
  • 2019-05-28 Bug fix discovered in latest firmware
  • 2019-05-28 Bug hunting procedures reconsidered