When the Samsung Shannon baseband receives an IMMEDIATE ASSIGNMENT message (GSM 04.08, section 9.1.18) from the network, the length of the Mobile Allocation IE (GSM 04.08, section 10.5.2.21) is not properly checked.
The Mobile Allocation data is copied directly to a buffer on the stack without checking its size. This stack buffer overflow can lead to remote arbitrary code execution in the Shannon modem.
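The missing validation, sketched as a bounded parser in C. This is an added example, not Samsung's code or the vendor's patch; the type and function names are hypothetical, and the 8-octet maximum for the value part is taken from the LV encoding (1-9 octets) that GSM 04.08 gives for this IE in IMMEDIATE ASSIGNMENT.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value part of the Mobile Allocation IE: a bitmap of at most 8 octets
 * (assumption stated in the lead-in; name is hypothetical). */
#define MA_MAX_LEN 8

typedef struct {
    uint8_t len;
    uint8_t bitmap[MA_MAX_LEN];
} mobile_alloc_t;

/* Parse an LV-encoded Mobile Allocation IE starting at buf[0].
 * remaining = bytes left in the received message from buf onward.
 * Returns the number of bytes consumed, or -1 if the IE is malformed. */
int parse_mobile_allocation(const uint8_t *buf, size_t remaining,
                            mobile_alloc_t *out)
{
    if (buf == NULL || out == NULL || remaining < 1)
        return -1;
    uint8_t len = buf[0];
    /* Check 1: the network-supplied length must fit the destination.
     * Copying without this comparison is the flaw described above. */
    if (len > MA_MAX_LEN)
        return -1;
    /* Check 2: the declared length must not run past the message end. */
    if ((size_t)len > remaining - 1)
        return -1;
    memset(out, 0, sizeof *out);
    out->len = len;
    memcpy(out->bitmap, buf + 1, len);
    return 1 + (int)len;
}

int main(void)
{
    /* Constructed sample IEs, not captured traffic. */
    const uint8_t valid[]     = { 0x02, 0xA5, 0x01 };
    const uint8_t truncated[] = { 0x04, 0x01, 0x02 };
    uint8_t oversized[41];
    memset(oversized, 0x41, sizeof oversized);
    oversized[0] = 40;                      /* declared length > MA_MAX_LEN */
    mobile_alloc_t ma;
    printf("valid:     %d\n", parse_mobile_allocation(valid, sizeof valid, &ma));
    printf("truncated: %d\n", parse_mobile_allocation(truncated, sizeof truncated, &ma));
    printf("oversized: %d\n", parse_mobile_allocation(oversized, sizeof oversized, &ma));
    return 0;
}
```

Rejecting the message on either failed check, rather than clamping the length, keeps a malformed IE from being partially processed.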
CVSS Version 3 Metrics
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Overall CVSS Score: 8.8
Samsung smartphones with Exynos chipsets running Android N (7.x), O (8.x), Go (8.1), P (9.0), or Go (9.0).
The Samsung security update of April 2019 fixes this vulnerability.
- 2019-02-05 Privately reported to Samsung
- 2019-04-02 Bug fixed in Samsung Bulletin SMR-APR-2019