5Ghoul Revisited: Three Months Later, (Fri, Mar 15th)
2024-3-15 08:15:54 Author: isc.sans.edu(查看原文) 阅读量:24 收藏

About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.

Patch updates have been made concerning the various products listed in Table 1 [1]. However, older models tend not to receive security updates due to the end of security patch support. Additionally, some vendors do not publicly make their firmware patch information available, which poses a challenge when ascertaining if affected products were patched. The updated Table 1 below shows the current patch status as of the publication of this diary entry:

Table 1: Patch Status, Vulnerabilities and Firmware Version of Devices That Were Tested (*Qualcomm and MediaTek have already released security patches to the above-mentioned product vendors)
Vendor/Product

5G Modem

Type

Firmware/Software Version

CVE ID

Patch Status

Quectel RM500Q-GL

Qualcomm X55

USB Modem

Aug 03 2021

CVE-2023-33042

Unclear*

Simcom SIM8202G

Qualcomm X55

USB Modem

SIM8202G-M2_V1.2

CVE-2023-33042
CVE-2023-33043

Unclear*

Fibocom FM150-AE

Qualcomm X55

USB Modem

89602.1000.00.04.07.20

CVE-2023-33042
CVE-2023-33044

Unclear*

Telit FT980m

Qualcomm X55

USB Modem

38.23.001-B001-P0H.000640

CVE-2023-33042
CVE-2023-33043
CVE-2023-33044

Unclear*

OnePlus Nord CE 2 5G

MediaTek Dimensity 900 5G

Smartphone

M_V3_P10

CVE-2023-20702
CVE-2023-32841
CVE-2023-32842
CVE-2023-32843
CVE-2023-32844
CVE-2023-32845
CVE-2023-32846

CVE-2023-20702 fixed*

Xiaomi Redmi K40

MediaTek Dimensity 1200 5G

Smartphone

MOLY.NR15.R3.TC8.PR2.SP.V2.1.P70

CVE-2023-20702
CVE-2023-32841
CVE-2023-32842
CVE-2023-32843
CVE-2023-32844
CVE-2023-32845
CVE-2023-32846

Unpatched*

Asus ROG Phone 5s

Qualcomm X60

Smartphone

M3.13.24.73-Anakin2

CVE-2023-33042
CVE-2023-33043
CVE-2023-33044

End of Support - no more patches available*

For modem devices such as Telit FT980m, Simcom SIM8202G, Fibocom FM150-AE and Quectel RM500Q-GL, their patch status is unclear as firmware patch information is not publicly available. I had tried to find out more about the devices that were tested, but it appears that there were few discussions with respect to 5Ghoul from the tested device brands. Quectel did have a query in their forums (sighted previously and visible from Google search results), but unfortunately, their website was down. Interestingly, Sierra Wireless (a company that had used the affected Qualcomm chipset) released a Security Advisory on their website, although their products were not used to evaluate 5Ghoul vulnerabilities [4].

As highlighted in the previous diary, all 5Ghoul vulnerabilities have had their patches released by Qualcomm/MediaTek [1]. The Android project has also implemented the fixes for the CVEs in the following order:

November 2023: MediaTek fix for CVE-2023-20702 [5]

January 2024: Qualcomm fixes for CVE-2023-33043 and CVE-2023-33044 [6]

February 2024: MediaTek fixes CVE-2023-32842, CVE-2023-32841 and CVE-2023-32843 [7]

March 2024: Qualcomm fix for CVE-2023-33042 [8]

There is also interesting trivia about the CVEs being addressed. One might have noted that CVE-2023-32844, CVE-2023-32846 and CVE-2023-32845 were not listed. According to MediaTek and having sighted the correspondence between MediaTek and the 5Ghoul researchers, fixes for the three previously mentioned CVEs were addressed altogether in CVE-2023-32841.

Unfortunately, it appears that the most significant delay and uncertainties lie with the vendors who have yet to implement the fixes released by MediaTek and Qualcomm. Although the Android project has had all the patches nailed down (which means Google Pixel phones that are still being supported would get the fixes first), the fragmented ecosystem of various Android phone brand models could add time for patches to be implemented. Some older device models also no longer receive updates, so it is safe to presume they would be susceptible to 5Ghoul attacks. These attacks have yet to be widely prevalent, but they will surely be annoying if one gets targeted. If you are using a mobile device that will no longer have any security updates, consider whether one can accept the inconveniences of being affected by 5Ghoul attacks (note that proof-of-concept code is available [9]). In the context of organizations that depend heavily on 5G communications (such as the Industrial Internet of Things) and are using hardware listed in Table 1 or the vulnerable 5G modems that had been identified, it is highly recommended that the business owners evaluate the risks and impact of disruptions caused by 5Ghoul and the relevant mitigations that can be adopted.

References:
[1] https://isc.sans.edu/diary/30462
[2] https://community.oneplus.com/thread/1514600069267980292
[3] https://miuirom.org/phones/redmi-k40
[4] https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2024-001/
[5] https://source.android.com/docs/security/bulletin/2023-11-01
[6] https://source.android.com/docs/security/bulletin/2024-01-01
[7] https://source.android.com/docs/security/bulletin/2024-02-01
[8] https://source.android.com/docs/security/bulletin/2024-03-01
[9] https://github.com/asset-group/5ghoul-5g-nr-attacks

-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter


文章来源: https://isc.sans.edu/diary/rss/30746
如有侵权请联系:admin#unsafe.sh