Remote stack overflow in Samsung baseband caused by malformed P-TMSI REALLOCATION COMMAND

Posted on Mon 23 November 2020 in Advisory

Description

When the Samsung Shannon baseband receives a P-TMSI REALLOCATION COMMAND message (section 9.4.7 of TS 24.008) from the network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked.

TS 24.008 P-TMSI REALLOCATION COMMAND message

The Mobile Identity data is copied directly into a stack buffer without a prior size check. This stack overflow can lead to remote code execution in the Shannon modem.
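The Mobile Identity IE in this message is LV-coded: one peer-controlled length octet followed by that many octets of contents, where octet 1 carries the type of identity and a TMSI/P-TMSI (type 100) is followed by four octets. The decoder below is an added example written for this advisory, not Samsung's code or anything recovered from the Shannon firmware; the buffer size MI_MAX_CONTENTS, the function names and the wire bytes are assumptions made for illustration. It shows the two bounds checks that the description says are missing, and rejects a message when the declared length exceeds either the remaining message or the destination buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TS 24.008 GMM header: protocol discriminator 0x08, message type 0x10 for
 * P-TMSI REALLOCATION COMMAND. Mobile Identity (10.5.1.4) octet 1 carries the
 * type of identity in bits 1-3; type 100 is TMSI/P-TMSI (4 octets follow). */
#define GMM_PD                0x08
#define GMM_PTMSI_REALLOC_CMD 0x10
#define MI_TYPE_TMSI          0x04
#define MI_MAX_CONTENTS       9   /* assumption: size of the fixed stack buffer */

enum mi_status {
    MI_OK = 0,
    MI_ERR_BAD_HEADER,  /* not a P-TMSI REALLOCATION COMMAND */
    MI_ERR_TRUNCATED,   /* declared length runs past the end of the message */
    MI_ERR_TOO_LONG,    /* declared length exceeds the destination buffer */
    MI_ERR_BAD_TYPE     /* length inconsistent with the type of identity */
};

struct mobile_identity {
    uint8_t type;                       /* type of identity, 3 bits */
    uint8_t len;                        /* valid octets in contents[] */
    uint8_t contents[MI_MAX_CONTENTS];  /* bounded copy of the IE value */
};

/* Parse one LV-coded Mobile Identity IE starting at msg[*off].
 * Advances *off past the IE only on success. */
enum mi_status parse_mobile_identity(const uint8_t *msg, size_t msg_len,
                                     size_t *off, struct mobile_identity *out)
{
    if (*off >= msg_len)                       /* no room for the length octet */
        return MI_ERR_TRUNCATED;
    uint8_t ie_len = msg[*off];
    size_t remaining = msg_len - (*off + 1);   /* octets after the length octet */

    /* The checks the advisory describes as missing: the network-supplied
     * length must fit in what is left of the message AND in the buffer. */
    if (ie_len == 0 || ie_len > remaining)
        return MI_ERR_TRUNCATED;
    if (ie_len > MI_MAX_CONTENTS)
        return MI_ERR_TOO_LONG;

    const uint8_t *v = msg + *off + 1;
    out->type = v[0] & 0x07;
    if (out->type == MI_TYPE_TMSI && ie_len != 5)   /* type octet + 4 TMSI octets */
        return MI_ERR_BAD_TYPE;

    memcpy(out->contents, v, ie_len);   /* safe: ie_len <= MI_MAX_CONTENTS */
    out->len = ie_len;
    *off += 1 + (size_t)ie_len;
    return MI_OK;
}

/* Decode the header and the mandatory Allocated P-TMSI IE of a
 * P-TMSI REALLOCATION COMMAND. Later IEs (RAI, force to standby) are not parsed. */
enum mi_status parse_ptmsi_realloc_cmd(const uint8_t *msg, size_t msg_len,
                                       struct mobile_identity *out)
{
    if (msg_len < 2 || (msg[0] & 0x0F) != GMM_PD || msg[1] != GMM_PTMSI_REALLOC_CMD)
        return MI_ERR_BAD_HEADER;
    size_t off = 2;
    return parse_mobile_identity(msg, msg_len, &off, out);
}

/* Return the 32-bit P-TMSI carried in a parsed TMSI-type identity, 0 otherwise. */
uint32_t ptmsi_value(const struct mobile_identity *mi)
{
    if (mi->type != MI_TYPE_TMSI || mi->len != 5)
        return 0;
    return ((uint32_t)mi->contents[1] << 24) | ((uint32_t)mi->contents[2] << 16) |
           ((uint32_t)mi->contents[3] << 8)  |  (uint32_t)mi->contents[4];
}

int main(void)
{
    /* constructed sample: header, length 5, type octet 0xF4 (TMSI), P-TMSI DEADBEEF */
    static const uint8_t good[] = {0x08, 0x10, 0x05, 0xF4, 0xDE, 0xAD, 0xBE, 0xEF};
    /* constructed sample: length 60 with 60 octets present, far larger than the buffer */
    uint8_t oversized[63];
    memset(oversized, 0xF4, sizeof oversized);
    oversized[0] = 0x08; oversized[1] = 0x10; oversized[2] = 60;

    struct mobile_identity mi;
    printf("good:      status %d, P-TMSI %08x\n",
           parse_ptmsi_realloc_cmd(good, sizeof good, &mi), ptmsi_value(&mi));
    printf("oversized: status %d\n",
           parse_ptmsi_realloc_cmd(oversized, sizeof oversized, &mi));
    return 0;
}
```

The oversized message is exactly the shape the description implies: a well-formed header with a length octet that the receiver must not trust. A decoder that skips the `ie_len > MI_MAX_CONTENTS` comparison and calls `memcpy` straight away overruns the stack buffer by `ie_len - MI_MAX_CONTENTS` bytes of network-controlled data.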

CVSS Version 3 Metrics

  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Overall CVSS Score: 8.8

Affected Versions

Discovered in the Shannon baseband of the Galaxy S8 (SM-G950FD); it may affect other models based on Exynos chipsets.

Solution

The Samsung security update of December 2018 fixes this vulnerability.

Timeline

  • 2018-11-19 Working proof-of-concept
  • 2018-12-04 Bug fixed in Samsung security update SMR-DEC-2018
  • 2018-12-05 Reconsider life choices