CVE-2023-37367

Vulnerability

An improperly implemented security check in the NAS (Non-Access Stratum) Task of Samsung Exynos Mobile Processor, Automotive Processor, and Modem firmware allows a denial-of-service condition. The affected chipsets include Exynos 9820, Exynos 980, Exynos 850, Exynos 1080, Exynos 2100, Exynos 2200, Exynos 1280, Exynos 1380, Exynos 1330, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123 [1]. The vulnerability is triggered when the device receives a sequence of consecutive NAS messages that bypass the intended security validation.

Exploitation

An attacker with network access to the device's cellular interface can send a series of specially crafted NAS messages. No authentication or user interaction is required beyond the ability to communicate with the modem over the air. The consecutive messages cause the NAS task to enter a state where it incorrectly processes subsequent legitimate requests, effectively blocking desired services.

Impact

Successful exploitation results in a temporary denial of service, preventing the device from establishing or maintaining certain network services (e.g., voice calls, data sessions). The impact is limited to service disruption; no data exfiltration or code execution is indicated in the available description.

Mitigation

Samsung has not published a specific patch for this issue in the referenced advisory [1]. Affected users should monitor Samsung's product security update page for future firmware releases. As of the publication date (2023-09-08), no workaround is documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.