When the Samsung Shannon baseband receives a GMM ATTACH ACCEPT message (TS 24.008, 9.4.2) from the network, it does not properly check the minimum length of the MS Identity IE (10.5.1.4).
The length octet of the MS Identity IE (IEI 0x23) is decremented without a prior check. If the length is zero, the 16-bit value wraps around (a short integer underflow) to a very large size. This invalid size is then used to copy the received MS Identity data into a stack buffer. The resulting stack overflow can lead to remote arbitrary code execution in the Shannon modem. Because ATTACH ACCEPT is sent by the network, the attacker must control the serving cell, for example with a rogue base station in radio range, which is why the CVSS attack vector below is Adjacent rather than Network.
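To make the fault concrete, here is an added C model of the parsing step. It is not Shannon firmware code and not part of the original advisory. It places the unchecked decrement beside a bounds-checked parser and runs both over two constructed MS Identity IEs: a well-formed P-TMSI and the zero-length IE that triggers the wrap. The 16-byte stack buffer size and the reading that the decrement skips the identity-type octet (octet 3 of the IE) are assumptions; the 1 to 9 octet range for the identity contents comes from the IE's minimum and maximum length in TS 24.008 10.5.1.4.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* MS Identity IE as carried in GMM ATTACH ACCEPT: type 4 TLV.
   Octet 1 = IEI 0x23, octet 2 = length of what follows,
   octet 3 = type of identity (bits 1-3) and odd/even bit (bit 4),
   octets 4.. = identity digits (TS 24.008 10.5.1.4). */
#define MS_IDENTITY_IEI     0x23
#define MS_IDENTITY_MIN_LEN 1   /* at least the identity-type octet */
#define MS_IDENTITY_MAX_LEN 9   /* IMEISV: type nibble + 16 digits */
#define MS_ID_DIGITS_BUF    16  /* assumed size of the modem's stack buffer */

/* Constructed sample IEs for this example, not captured traffic. */
static const uint8_t GOOD_IE[] = { 0x23, 0x05, 0xF4, 0x12, 0x34, 0x56, 0x78 }; /* P-TMSI */
static const uint8_t BAD_IE[]  = { 0x23, 0x00 };                               /* length 0 */

/* Model of the vulnerable logic (assumed shape, not the real firmware):
   the length octet goes into a 16-bit variable and is decremented to
   skip the identity-type octet, with no check that it was at least 1.
   It returns the count the modem would hand to its stack copy instead
   of performing the copy: for BAD_IE that count is 0xFFFF, and a real
   memcpy of that size would run far past a 16-byte stack buffer. */
uint16_t vulnerable_copy_len(const uint8_t *ie) {
    uint16_t len = ie[1];
    len--;              /* 0 - 1 wraps to 0xFFFF in 16 bits */
    return len;
}

enum ms_id_status { MS_ID_OK = 0, MS_ID_BAD_IEI = -1, MS_ID_BAD_LEN = -2, MS_ID_TRUNCATED = -3 };

struct ms_identity {
    uint8_t type;                      /* bits 1-3 of octet 3 */
    uint8_t odd;                       /* bit 4 of octet 3 */
    uint8_t ndigits;                   /* octets copied into digits[] */
    uint8_t digits[MS_ID_DIGITS_BUF];
};

/* Hardened parser: validates the length octet against the spec range
   and against the bytes actually present before any arithmetic on it. */
int parse_ms_identity(const uint8_t *msg, size_t msg_len, struct ms_identity *out) {
    if (msg_len < 2 || msg[0] != MS_IDENTITY_IEI)
        return MS_ID_BAD_IEI;
    uint16_t len = msg[1];
    if (len < MS_IDENTITY_MIN_LEN || len > MS_IDENTITY_MAX_LEN)
        return MS_ID_BAD_LEN;          /* rejects the zero-length IE before len - 1 */
    if (msg_len < (size_t)len + 2)
        return MS_ID_TRUNCATED;        /* IE claims more octets than the message carries */
    out->type    = msg[2] & 0x07;
    out->odd     = (msg[2] >> 3) & 0x01;
    out->ndigits = (uint8_t)(len - 1); /* 0..8, always below MS_ID_DIGITS_BUF */
    memcpy(out->digits, msg + 3, out->ndigits);
    return MS_ID_OK;
}

int main(void) {
    struct ms_identity id = {0};
    printf("vulnerable copy length for BAD_IE: 0x%04x\n", vulnerable_copy_len(BAD_IE));
    printf("hardened parser on BAD_IE: %d\n", parse_ms_identity(BAD_IE, sizeof BAD_IE, &id));
    int rc = parse_ms_identity(GOOD_IE, sizeof GOOD_IE, &id);
    printf("hardened parser on GOOD_IE: %d (identity type %u, %u digit octets)\n",
           rc, id.type, id.ndigits);
    return 0;
}
```

The order of the checks is the point: the range check on the raw length octet has to run before the decrement, and the check against the message length has to run before the copy. A check placed after `len--` sees 0xFFFF and would have to reason about a value that is already wrong.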
CVSS Version 3 Metrics
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Overall CVSS Score: 8.8
The bug was found in the Shannon baseband of the Galaxy S8 (SM-G950FD); other models based on Exynos chipsets may also be affected.
The Samsung security update of December 2018 (SMR-DEC-2018) fixes this vulnerability.
- 2018-12-04 Bug fixed in Samsung security update SMR-DEC-2018
- 2019-05-25 Bug discovered in old firmware
- 2019-05-28 Bug fix discovered in latest firmware
- 2019-05-28 Bug hunting procedures reconsidered