CVE-2022-39881 In-bound SIB12 PDU can be read out of bounds memory in Exynos modems prior to SMR Sep-2022 release.

The flaw is present in SIB12 PDU handling and can be triggered by changing the SIB12 PDU length. Exynos modem firmware is developed by Samsung Electronics, and most of their modems use the Exynos Modem. The most common models are the Exynos Modem (eMMC) version and the Exynos Modem (eMMC) Pro version. The Exynos Modem (eMMC) version is found in most recent Samsung laptops, and the Exynos Modem (eMMC) Pro version is found in most recent Samsung tablets. The SIB12 PDU length flaw can also be reached in modems that use a different chipset vendor, but it is limited to the Samsung modems. The SIB12 PDU length is a critical variable because it directly controls the amount of data that is passed on to the application. The default SIB12 PDU length is defined in the Exynos Modem (eMMC) firmware; it can be changed through software, but the default value is 4096 (4 KB). When the SIB12 PDU length is modified to a value larger than the default, the modem reads past the end of the receive buffer, so memory outside the PDU can be read out of bounds.

Vulnerability Discovery and Discussion

The vulnerability was found during fuzzing. The SIB12 PDU length is a critical variable because it directly controls the amount of data that is passed on to the application, and a length value larger than the default is what triggers the out-of-bounds read.
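The defect class described above, a length field taken from an inbound PDU and used without checking it against the bytes actually received, is shown here as an added example; it is not Samsung's code, and the two-byte big-endian length header, the MAX_PAYLOAD buffer size and the function names are assumptions for illustration, not the real 3GPP SIB12 encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified PDU layout used for this example only; the real
 * 3GPP SIB12 ASN.1 encoding is not reproduced here.
 *   bytes 0-1 : declared payload length, big-endian
 *   bytes 2.. : payload                                                   */
#define PDU_HDR_LEN 2u
#define MAX_PAYLOAD 64u   /* assumed size of the receiver's working buffer */
enum sib12_status {
    SIB12_OK = 0,
    SIB12_ERR_SHORT_HEADER = -1,    /* fewer bytes than the fixed header */
    SIB12_ERR_LEN_EXCEEDS_PDU = -2, /* declared length > bytes received */
    SIB12_ERR_LEN_EXCEEDS_BUF = -3  /* declared length > destination size */
};
/* Bounded parser. The declared length is checked against both the number of
 * bytes actually received (pdu_len) and the destination capacity before any
 * byte is copied. The defect class behind CVE-2022-39881 is the absence of
 * the first check: reading `declared` bytes out of a buffer holding fewer. */
int sib12_parse(const uint8_t *pdu, size_t pdu_len,
                uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (pdu == NULL || out == NULL || out_len == NULL || pdu_len < PDU_HDR_LEN)
        return SIB12_ERR_SHORT_HEADER;
    size_t declared = ((size_t)pdu[0] << 8) | pdu[1];
    if (declared > pdu_len - PDU_HDR_LEN) return SIB12_ERR_LEN_EXCEEDS_PDU;
    if (declared > out_cap)               return SIB12_ERR_LEN_EXCEEDS_BUF;
    memcpy(out, pdu + PDU_HDR_LEN, declared);
    *out_len = declared;
    return SIB12_OK;
}

/* Parse into a local MAX_PAYLOAD buffer and report status and bytes copied. */
int sib12_check(const uint8_t *pdu, size_t pdu_len, size_t *copied)
{
    uint8_t buf[MAX_PAYLOAD];
    size_t n = 0;
    int rc = sib12_parse(pdu, pdu_len, buf, sizeof buf, &n);
    if (copied) *copied = n;
    return rc;
}

/* Constructed sample PDUs: 4 real payload bytes each. */
static const uint8_t good_pdu[] = { 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
/* Same bytes, but the header claims 4096 (0x1000) payload bytes. */
static const uint8_t bad_pdu[]  = { 0x10, 0x00, 0xDE, 0xAD, 0xBE, 0xEF };
```

The bad_pdu case is the shape of input a fuzzer would produce: the declared length alone decides the rejection, before any byte past the received data is touched.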

Vulnerability Characteristic

The defining characteristic of the vulnerability is that the SIB12 PDU length, a value taken from the inbound PDU, directly controls the amount of data that is passed on to the application.

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 15:16:00 UTC

References