Riaan Abahlaziyi bezokuphepha bakwaGoogle baxwayise abasebenzisi bedivayisi ye-Android ukuthi ubungozi bosuku oluyizero kwamanye ama-chipset e-Samsung angavumela umhlaseli ukuthi adube ngokuphelele futhi alawule ukude izingcingo zabo azi inombolo yocingo kuphela.
Phakathi ngasekupheleni kuka-2022 nasekuqaleni kwalo nyaka, i-Project Zero yakwaGoogle ithole futhi yabika eziyi-18 zalezi zimbungulu ku-Samsung’s Exynos cellular modem firmware, ngokusho kukaTim Willis, ophethe ithimba lokuzingela izimbungulu. Okune kwamaphutha ezinsuku eziyi-18 angavumela ukusetshenziswa kwekhodi ye-inthanethi-kuya-baseband yesilawuli kude. I-baseband, noma imodemu, ingxenye yedivayisi ngokuvamile inelungelo lokufinyelela kwezinga eliphansi kuyo yonke ihadiwe, ngakho-ke ukuxhaphaza iziphazamisi ngaphakathi kwekhodi yayo kunganikeza isigebengu ukulawula okugcwele kufoni noma idivayisi. Imininingwane yobuchwepheshe yalezi zimbobo igodliwe okwamanje ukuze kuvikelwe abasebenzisi begiya elisengozini.
“Ukuhlolwa okwenziwe yi-Project Zero kuqinisekisa ukuthi lokho kuba sengcupheni okune kuvumela umhlaseli ukuthi afake ucingo ebucayini ekude ezingeni le-baseband ngaphandle kokusebenzisana nabasebenzisi, futhi kudinga kuphela ukuthi umhlaseli azi inombolo yocingo yesisulu,” kubhala uWillis encwadini. ukwehlukana yamaphutha ezokuphepha.
Abahlaseli abanekhono bazokwazi ukudala ngokushesha ukuxhaphaza kokusebenza ukuze bafake engcupheni amadivayisi athintekile buthule futhi bekude.
“Ngocwaningo olwengeziwe nokuthuthukiswa okulinganiselwe, sikholelwa ukuthi abahlaseli abanamakhono bazokwazi ukudala ukuxhashazwa kokusebenza ukuze bafake engcupheni amadivayisi athintekile buthule futhi bekude,” engeza.
Enye yalezi zimbungulu ezine ezinzima inikezwe inombolo ye-CVE, futhi ilandelelwa ngokuthi I-CVE-2023-24033. Abanye abathathu balinde omazisi beziphazamisi.
Ezinye izinkinga ezingu-14 azinzima kangako futhi zidinga “u-opharetha wenethiwekhi yeselula ononya noma umhlaseli onokufinyelela kwasendaweni kudivayisi,” ngokusho kuka-Willis. Lezi zihlanganisa I-CVE-2023-26072, I-CVE-2023-26073, I-CVE-2023-26074, I-CVE-2023-26075, I-CVE-2023-26076 kanye nobunye ubungozi obuyisishiyagalolunye obungakanikezwa izihlonzi.
Amadivayisi athintekile afaka lawo asebenzisayo I-Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 no-A04 uchungechunge lwama-chips; Amadivayisi eselula e-Vivo ahlanganisa uchungechunge lwe-S16, S15, S6, X70, X60 kanye ne-X30; uchungechunge lwe-Pixel 6 ne-Pixel 7 lwamadivayisi avela kwa-Google; nezimoto ezisebenzisa i-Exynos Auto T5123 chipset.
I-Google ikhiphe ukulungiswa kwe-CVE-2023-24033 ethinta amadivayisi wePixel kuyo Isibuyekezo sokuvikeleka sikaMashi. Kuze kube abanye abakhiqizi bavale izimbobo, u-Willis uphakamisa ukuvala ukushaya kwe-Wi-Fi kanye ne-Voice-over-LTE (VoLTE) ukuze kuvikelwe ekusetshenzisweni kwekhodi yesilawuli kude se-baseband, uma usebenzisa idivayisi esengozini exhaswe yi-silicon ye-Samsung.
Futhi, njengenjwayelo, hlanganisa amagajethi akho ngokushesha nje lapho izibuyekezo zesofthiwe sezitholakala.
Ithimba le-Google – kanye iningi labacwaningi bezokuphepha – bambelela ku-a Ukudalulwa kwezinsuku ezingama-90 umugqa wesikhathi, okusho ukuthi ngemva kokubika iphutha ku-hardware noma kumthengisi wesofthiwe, umthengisi unezinsuku ezingu-90 zokulungisa. Ngemuva kwalokho, abacwaningi badalula iphutha emphakathini.
Kodwa-ke, kwezinye izimo ezingavamile nezibucayi, lapho “abahlaseli bengazuza kakhulu kunabavikeli uma ubungozi budalulwa,” abazingeli beziphazamisi benza okuhlukile futhi babambezele ukudalulwa, kuphawula u-Willis. Kunjalo ngezinsuku ezine zero ezivumela i-inthanethi-to-baseband RCE.
Kumaphutha ayi-14 asele anganzima kangako, i-Project Zero idalule ezine ezeqe umnqamulajuqu wezinsuku ezingama-90. Abanye abangu-10 bazodedelwa emphakathini uma befinyelele izinsuku ezingu-90 ngaphandle kokulungiswa, kusho uWillis. ®
