CVE-2023-29091 – Memory Corruption Vulnerability Found in Samsung Exynos Mobile and Automotive Processors Due to Insufficient Parameter Validation

Recently, a vulnerability has been discovered in Samsung Exynos Mobile and Automotive Processors, including Exynos Modem 5123, Exynos Modem 530, Exynos 980, Exynos 108, Exynos 911, and Exynos Auto T5123. This discovery falls under the Common Vulnerabilities and Exposures (CVE) ID: CVE-2023-29091.

This vulnerability can lead to memory corruption due to insufficient parameter validation when decoding an SIP (Session Initiation Protocol) URI. The attacker can potentially exploit this vulnerability by crafting network packets and sending them to the vulnerable device, potentially leading to information leakage, system crashes, or even remote execution of arbitrary code.

In this post, we will go through the details of this vulnerability, including the code snippet where the issue occurs, official references, and potential ways to exploit and mitigate the problem.

The code snippet where the vulnerability lies is in the function responsible for decoding an SIP URI

void sip_uri_decode(char *input_str, int input_len, char *output_str) {
    int i, j = ;
    for (i = ; i < input_len; i++) {
        if (input_str[i] == '%') {
            int nib1 = input_str[i + 1];
            int nib2 = input_str[i + 2];
            if (isxdigit(nib1) && isxdigit(nib2)) {
                int byte = (hex2int(nib1) << 4) + hex2int(nib2);
                output_str[j++] = byte;
                i += 2;
            }
        } else {
            output_str[j++] = input_str[i];
        }
    }
    output_str[j] = '\';
}

In the code above, there is no proper validation of input_str's length, which can lead to an out-of-bounds write attempt when decoding the '%' character followed by hexadecimal digits.

Original References

The vulnerability was responsibly disclosed to Samsung, and they have categorically acknowledged it. Following are the links to their official security bulletin and relevant CVE database:

1. Samsung Security Bulletin - link (https://security.samsungmobile.com/smrupdate.html)
2. CVE Record for CVE-2023-29091 - link (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29091)

Send this crafted SIP URI to the target device in a network packet.

3. When the device processes the packet and attempts to decode the URI, the memory buffer containing the output may be overflowed.
4. Depending on the position and data of the memory corruption, an attacker can potentially modify sensitive data and cause crashes, information leakage, or even remote code execution.

Mitigation

Currently, there is no official patch from Samsung for this vulnerability. However, users can protect themselves by following best security practices, such as:

1. Update your device firmware to the latest available version, as newer versions may include fixes for vulnerabilities.

Make sure your Applications and Operating System are also up-to-date.

3. Use a strong, updated security solution (such as a reputable antivirus) that monitors network traffic and blocks any potential malicious packets.

Conclusion

CVE-2023-29091 is a serious vulnerability that can lead to memory corruption in specific Samsung Exynos Mobile and Automotive Processors. Samsung has acknowledged this issue, and users should follow the best security practices mentioned in mitigation to protect their devices until a proper patch is released.

Timeline

Published on: 04/14/2023 21:15:00 UTC
Last modified on: 04/24/2023 16:49:00 UTC