New 5Ghoul Attack Impacts 5G Phones with Qualcomm, MediaTek Chips

Cyber Security Threat Summary:
University researchers from Singapore have discovered a set of vulnerabilities in 5G modems produced by Qualcomm and MediaTek, which they are collectively calling 5Ghoul. These vulnerabilities impact 710 5G smartphone models from Android, Apple, various routers, and USB modems. The 14 vulnerabilities reside in mobile communication systems, 10 of which have been publicly disclosed and four withheld for security reasons. The 5Ghoul attacks range from temporary service disruptions to network downgrades, which may be more severe from a security standpoint.

The ten 5Ghoul vulnerabilities that have been publicly disclosed to Qualcomm and MediaTek as of December 7, 2023, are:

  • CVE-2023-33043: Invalid MAC/RLC PDU causing Denial of Service (DoS) in Qualcomm X55/X60 modems. Attackers can send an invalid downlink MAC frame to the target 5G UE from a nearby malicious gNB, leading to a temporary hang and modem reboot.
  • CVE-2023-33044: NAS Unknown PDU causing DoS in Qualcomm X55/X60 modems. This vulnerability allows attackers to send an invalid NAS PDU to the target UE, resulting in modem failure and reboot.
  • CVE-2023-33042: Disabling 5G/Downgrade via Invalid RRC pdcch-Config in Qualcomm X55/X60 modems, leading to either downgrade or denial of service. An attacker can send a malformed RRC frame during the RRC Attach Procedure, disabling 5G connectivity and requiring a manual reboot for restoration.
  • CVE-2023-32842: Invalid RRC Setup spCellConfig causing DoS in MediaTek Dimensity 900/1200 modems. The vulnerability involves sending a malformed RRC Connection Setup, leading to modem failure and reboot in affected devices.
  • CVE-2023-32844: Invalid RRC pucch CSIReportConfig causing DoS in MediaTek Dimensity 900/1200 modems. Attackers can send a malformed RRC Connection Setup, causing the modem to fail and reboot.
  • CVE-2023-20702: Invalid RLC Data Sequence causing DoS (null pointer dereference) in MediaTek Dimensity 900/1200 modems. An attacker can exploit this by sending a malformed RLC Status PDU, leading to a modem crash and reboot.
  • CVE-2023-32846: Truncated RRC physicalCellGroupConfig causing DoS (null pointer dereference) in MediaTek Dimensity 900/1200 modems. Malformed RRC Connection Setup can cause memory access errors, leading to a modem crash.
  • CVE-2023-32841: Invalid RRC searchSpacesToAddModList causing DoS in MediaTek Dimensity 900/1200 modems. This involves sending a malformed RRC Connection Setup, causing a modem crash in affected devices.
  • CVE-2023-32843: Invalid RRC Uplink Config Element causing DoS in MediaTek Dimensity 900/1200 modems. Sending a malformed RRC Connection Setup can result in modem failure and reboot in affected devices.
  • CVE-2023-32845: Null RRC Uplink Config Element causing DoS in MediaTek Dimensity 900/1200 modems. Malformed RRC Connection Setup can trigger a modem crash by setting certain RRC payload fields to null.
  • CVE-2023-33042 is particularly concerning because it can force a device to disconnect from a 5G network and fall back to 4G, exposing it to potential vulnerabilities in the 4G domain that expose it to a broader range of attacks.
Security Officer Comments:
The researchers found the flaws during 5G modem firmware analysis, and report that the flaws are easy to exploit over-the-air by impersonating a legitimate 5G base station. This applies even when attackers lack information about the target's SIM card, as the attack occurs before the NAS authentication step. "The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters (e.g., SSB ARFCN, Tracking Area Code, Physical Cell ID, Point A Frequency)."

According to the researchers, the DoS flaws in these vulnerabilities cause the devices to lose all connectivity until they are rebooted. This isn't as critical, although it can still have significant implications in mission-critical environments that rely on cellular service.

Suggested Correction(s):
Identifying all impacted models is ongoing, but the researchers have already confirmed that 714 smartphones from 24 brands are impacted. Some vulnerable brands include phones from POCO, Black, Lenovo, AGM, Google, TCL, Redmi, HTC, Microsoft, and Gigaset, with the complete list in the image below.

To learn more about the 5Ghoul flaws, their exploitation potential and ramifications, and technical information can be found in the researchers' whitepaper. A proof-of-concept (PoC) exploit kit can also be found in their GitHub repository.

Both Qualcomm and MediaTek released security bulletins on Monday for the disclosed 5Ghoul vulnerabilities,

The security updates were made available to device vendors two months ago. Still, given the complexity of the software supply, especially on Android, it will be a while before the fixes reach the end users via security updates.

Signs of a 5Ghoul attack include loss of 5G connections, inability to re-connect until the device is rebooted, and consistent drop to 4G despite the availability of a 5G network in the area.

Link(s):
https://www.bleepingcomputer.com/ne...pacts-5g-phones-with-qualcomm-mediatek-chips/ PDF(s):
https://asset-group.github.io/disclosures/5ghoul/5ghoul.pdf