CVE-2023-24033 - Format Type Vulnerability in Samsung Exynos Modems—Explained and Exploited
Early in 2023, security researchers identified a bug tracked as CVE-2023-24033 impacting various Samsung Exynos modems, from consumer models to automotive chips. This vulnerability lets attackers use a special message to crash the device’s cellular modem, resulting in loss of network connectivity—a clear-cut, but powerful Denial of Service (DoS) attack.
We’ll break down the issue in simple terms, provide some technical details and code to help you understand, and link to original sources. This post is exclusive and written so anyone interested in security, whether hobbyist or pro, can follow along.
What Is CVE-2023-24033?
CVE-2023-24033 is a flaw in the code certain Samsung chips use to parse Session Description Protocol (SDP) messages. For context, SDP is a standard format used in VoLTE (Voice over LTE), video calls, and other telecom features for setting up calls.
The Problem
Samsung's modem chips don’t carefully verify format type values in received SDP messages. An attacker can send a specially crafted message containing invalid or out-of-range format types, which the modem mishandles. This can crash the modem firmware or force a reset, dropping all current calls and network connections.
Exynos Auto T512
Some popular phones (like Galaxy S21 Ultra, Google Pixel 6/7 series, certain Vivo and Xiaomi devices, and dozens of cars) use these modems.
*For a full list, see the official advisory or this Google Project Zero blog.*
What is SDP?
SDP messages look like lines of text, where each line starts with a letter, like m= (media), c= (connection), a= (attribute), and so on. A sample audio session SDP might look like:
```
m=audio 49170 RTP/AVP 0 8 97
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 iLBC/8000
```
The Vulnerability
When the modem software gets incoming SDP (over LTE/IMS), it parses the format types (for example, the 0, 8, 97 above). But in these vulnerable modems, the code doesn’t check if those numbers are really allowed or safe. An attacker can send a huge or negative value, or a malformed line, causing either an out-of-bounds read/write or a logic error.
Here's a pseudo-example of vulnerable C code:
```c
// Parsed value from an incoming "m=" line of SDP, like '0', '8', '97', etc.
int format_type = atoi(parsed_token); // no validation!
// Code expects format_type between 0 and 127 (valid RTP payload types)
if (some_array[format_type]) {
    // Do something with format_type index
}
```
If an attacker sends m=audio 49170 RTP/AVP 99999, format_type becomes 99999. The next line tries to access some_array[99999], which is way outside what’s valid and can crash or corrupt modem memory.
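For contrast with the vulnerable fragment above, here is a bounds-checked parser for the format list of an RTP `m=` line. It is an added example, not Samsung's firmware code or its patch; the function names, the 16-format cap and the restriction to RTP profiles (where every format is a numeric payload type) are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define RTP_PT_MAX  127   /* the RTP payload type field is 7 bits wide */
#define MAX_FORMATS 16    /* assumed cap on formats per m= line */

/* Strictly parse one format token; 0 on success, -1 on anything else. */
static int parse_payload_type(const char *tok, int *out)
{
    char *end;
    if (tok[0] < '0' || tok[0] > '9')   /* rejects "", "-1", "+5" */
        return -1;
    long v = strtol(tok, &end, 10);     /* overflow saturates at LONG_MAX */
    if (*end != '\0' || v > RTP_PT_MAX) /* trailing junk or out of range */
        return -1;
    *out = (int)v;
    return 0;
}

/* Validate "m=<media> <port> <proto> <fmt> ..." for an RTP profile.
 * Returns the number of payload types stored in pts, or -1 to reject. */
int parse_media_formats(const char *line, int pts[MAX_FORMATS])
{
    char tok[16];
    const char *p;
    size_t len;
    int field = 0, n = 0;

    if (strncmp(line, "m=", 2) != 0)
        return -1;
    for (p = line + 2; ; p += len) {
        p += strspn(p, " ");
        len = strcspn(p, " \r\n");
        if (len == 0)
            break;
        if (field++ < 3)                /* skip media, port, proto */
            continue;
        if (n == MAX_FORMATS || len >= sizeof tok)
            return -1;                  /* too many formats or oversized token */
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (parse_payload_type(tok, &pts[n++]) != 0)
            return -1;                  /* one bad format rejects the line */
    }
    return n > 0 ? n : -1;
}
```

Only values that passed this check should ever be used as an index into a per-payload-type table; a rejected line should fail the whole SDP offer rather than be partially processed.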
Real Attack Vector
It’s not possible to send an SDP directly to the modem over the open internet. But if the attacker can send a specially crafted SIP (VoLTE) call to a device—possibly via a fake or compromised cell tower, IMSI catcher, or rooted phone—they can inject the bad SDP.
Here's a simplified Python code example to craft a malicious SDP for such an attack:
```python
sdp = """v=0
o=- 12345 1 IN IP4 192.168.0.1
s=-
c=IN IP4 192.168.0.1
t=0 0
m=audio 49170 RTP/AVP 99999
a=rtpmap:99999 BAD/8000
"""
print("Malicious SDP to trigger modem bug:")
print(sdp)
```
How it works:
- The value 99999 is way bigger than the protocol expects.
- If this SDP gets parsed by the vulnerable Exynos modem, the code (see earlier) will try to access some_array[99999], resulting in a crash.
In-Field Exploitation
- A malicious base station or compromised network element sends a call/SMS session with the bad SDP.
Denial of Service in Action
The outcome? Your phone or car's modem loses network registration.
- Symptoms: Calls drop, cellular bars vanish, “No Service” until reboot.
- Real-world impact: Attackers can target journalists, political figures, or high-value targets and cut off their cellular access temporarily—no exploit kit, no special hardware needed, just a way to get the phone to receive malformed SDP over the air.
References and Further Reading
- Samsung Official March 2023 Security Update Bulletin
- Google Project Zero: A Modern Baseband Exploit
- NIST NVD CVE-2023-24033
- Session Description Protocol (RFC 4566)
- Update your phone’s firmware regularly. Samsung and Google have shipped fixes for this bug.
- If you’re at risk (journalist, activist, etc.), disable VoLTE and Wi-Fi Calling if you suspect you’re being targeted—these features increase the attack surface.
- Use phones that get regular security bulletins and patch support.
- For developers: Always validate user-supplied or network-received data, especially when parsing text-based protocols.
By understanding CVE-2023-24033, you see how a small oversight—failing to validate an integer—can break a device at the chipset level. With smartphones and cars using the same chipset families, threats once limited to mobile handsets can now affect entire fleets. Patch early, stay aware, and follow quality coding practices to avoid such flaws in the future.
Timeline
Published on: 03/13/2023 12:15:00 UTC
Last modified on: 03/17/2023 13:19:00 UTC