When Samsung Shannon baseband receives message P-TMSI REALLOCATION COMMAND (9.4.7 in TS 24.008) from network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked.
Mobile identity data is directly copied to a stack buffer without prior size check. This stack overflow can lead to remote code execution in the Shannon modem.
CVSS Version 3 Metrics
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Overall CVSS Score: 8.8
Discovered in Shannon baseband of Galaxy S8 (SM-G950FD), it may affect other models based on Exynos chipsets.
Samsung security update of December 2018 fixes this vulnerability.
- 2018-11-19 Working proof-of-concept
- 2018-12-04 Bug fixed in Samsung security update SMR-DEC-2018
- 2018-12-05 Reconsider life choices