SVE-2019-13963 : Remote stack overflow in Samsung baseband caused by malformed IMMEDIATE ASSIGNMENT message

Posted on Mon 07 December 2020 in Advisory

Description

When the Samsung Shannon baseband receives an IMMEDIATE ASSIGNMENT message (9.1.18 in GSM/04.08) from the network, the length of the Mobile Allocation IE (GSM/04.08 10.5.2.21) is not properly checked.

Figure: GSM/04.08 IMMEDIATE ASSIGNMENT message

Mobile allocation data is directly copied to a buffer on the stack without checking its size. This stack overflow can lead to remote arbitrary code execution in the Shannon modem.
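The missing check, as an added example (illustrative code, not Samsung's firmware and not taken from the original advisory): a bounds-checked parser for the length-value encoded Mobile Allocation field. The names `parse_mobile_allocation`, `struct mobile_alloc` and `MA_MAX_LEN` are hypothetical, and the 8-octet maximum is an assumption based on the MA C 64..1 bitmap in GSM/04.08 10.5.2.21.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the value part of the Mobile Allocation IE is at most
 * 8 octets (MA C 64..1, GSM/04.08 10.5.2.21). */
#define MA_MAX_LEN 8

enum ma_status { MA_OK = 0, MA_ERR_TRUNCATED = -1, MA_ERR_TOO_LONG = -2 };

struct mobile_alloc {
    uint8_t  bitmap[MA_MAX_LEN]; /* copy of the MA C bitmap */
    size_t   len;                /* number of valid octets in bitmap */
    unsigned channels;           /* number of MA C bits set */
};

/* Unsafe pattern described in the advisory, shown only as a comment:
 *     uint8_t buf[N];
 *     memcpy(buf, lv + 1, lv[0]);    (lv[0] is supplied by the network)
 */

/* lv points at the length octet; remaining is the number of octets
 * left in the received message, counted from lv. */
enum ma_status parse_mobile_allocation(const uint8_t *lv, size_t remaining,
                                       struct mobile_alloc *out)
{
    if (remaining < 1)
        return MA_ERR_TRUNCATED;      /* no length octet present */

    size_t len = lv[0];
    if (len > sizeof out->bitmap)
        return MA_ERR_TOO_LONG;       /* would overflow the destination */
    if (len > remaining - 1)
        return MA_ERR_TRUNCATED;      /* would read past the message */

    memset(out, 0, sizeof *out);
    memcpy(out->bitmap, lv + 1, len); /* len is now bounded on both sides */
    out->len = len;

    /* Count the hopping frequencies selected by the bitmap. */
    for (size_t i = 0; i < len; i++)
        for (uint8_t b = out->bitmap[i]; b; b &= (uint8_t)(b - 1))
            out->channels++;
    return MA_OK;
}
```

Both comparisons are needed: the first protects the destination buffer, the second protects against a length octet that claims more data than the message actually carries.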

CVSS Version 3 Metrics

  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Overall CVSS Score: 8.8

Affected Versions

Samsung smartphones based on Android N (7.x), O (8.x), Go (8.1), P (9.0), Go (9.0) with Exynos chipsets.

Solution

The Samsung security update of April 2019 fixes this vulnerability.

Timeline

  • 2019-02-05 Privately reported to Samsung
  • 2019-04-02 Bug fixed in Samsung Bulletin SMR-APR-2019