
    5Ghoul Revisited: Three Months Later

    Published: 2024-03-15
    Last Updated: 2024-03-15 00:15:54 UTC
    by Yee Ching Tok (Version: 1)

    About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities allows User Equipment (UEs) to be exploited continuously (e.g. dropped or frozen connections that require a manual reboot, or a downgrade of the 5G connection to 4G) once the UE attaches to a malicious 5Ghoul gNodeB (gNB, the 5G equivalent of the base station in traditional cellular networks). Given the complexity of the 5G modem landscape, with the same modems used in a multitude of devices (mobile phones as well as 5G-enabled environments such as the Industrial Internet of Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerabilities.

    Patches have been released for several of the products listed in Table 1 [1]. However, older models tend not to receive security updates once their security patch support has ended. Additionally, some vendors do not publish their firmware patch information, which makes it hard to ascertain whether affected products were patched. The updated Table 1 below shows the patch status as of the publication of this diary entry:

    Table 1: Patch Status, Vulnerabilities and Firmware Version of Devices That Were Tested (*Qualcomm and MediaTek have already released security patches to the above-mentioned product vendors)

    Vendor/Product       | 5G Modem                   | Type       | Firmware/Software Version        | CVE ID                                                                                                                      | Patch Status
    ---------------------|----------------------------|------------|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------
    Quectel RM500Q-GL    | Qualcomm X55               | USB Modem  | Aug 03 2021                      | CVE-2023-33042                                                                                                              | Unclear*
    Simcom SIM8202G      | Qualcomm X55               | USB Modem  | SIM8202G-M2_V1.2                 | CVE-2023-33042, CVE-2023-33043                                                                                              | Unclear*
    Fibocom FM150-AE     | Qualcomm X55               | USB Modem  | 89602.1000.00.04.07.20           | CVE-2023-33042, CVE-2023-33044                                                                                              | Unclear*
    Telit FT980m         | Qualcomm X55               | USB Modem  | 38.23.001-B001-P0H.000640        | CVE-2023-33042, CVE-2023-33043, CVE-2023-33044                                                                              | Unclear*
    OnePlus Nord CE 2 5G | MediaTek Dimensity 900 5G  | Smartphone | M_V3_P10                         | CVE-2023-20702, CVE-2023-32841, CVE-2023-32842, CVE-2023-32843, CVE-2023-32844, CVE-2023-32845, CVE-2023-32846              | CVE-2023-20702 fixed*
    Xiaomi Redmi K40     | MediaTek Dimensity 1200 5G | Smartphone | MOLY.NR15.R3.TC8.PR2.SP.V2.1.P70 | CVE-2023-20702, CVE-2023-32841, CVE-2023-32842, CVE-2023-32843, CVE-2023-32844, CVE-2023-32845, CVE-2023-32846              | Unpatched*
    Asus ROG Phone 5s    | Qualcomm X60               | Smartphone | M3.13.24.73-Anakin2              | CVE-2023-33042, CVE-2023-33043, CVE-2023-33044                                                                              | End of Support - no more patches available*

    For modem devices such as the Telit FT980m, Simcom SIM8202G, Fibocom FM150-AE and Quectel RM500Q-GL, the patch status is unclear because firmware patch information is not publicly available. I had tried to find out more about the devices that were tested, but there appear to have been few discussions of 5Ghoul from the tested device brands. Quectel did have a query in their forums (sighted previously and visible in Google search results), but unfortunately their website was down. Interestingly, Sierra Wireless (a company that uses the affected Qualcomm chipset) released a Security Advisory on their website, although their products were not used to evaluate the 5Ghoul vulnerabilities [4].

    As highlighted in the previous diary, Qualcomm and MediaTek have released patches for all 5Ghoul vulnerabilities [1]. The Android project has also incorporated the fixes for the CVEs, in the following order:

    November 2023: MediaTek fix for CVE-2023-20702 [5]

    January 2024: Qualcomm fixes for CVE-2023-33043 and CVE-2023-33044 [6]

    February 2024: MediaTek fixes for CVE-2023-32842, CVE-2023-32841 and CVE-2023-32843 [7]

    March 2024: Qualcomm fix for CVE-2023-33042 [8]

    There is also an interesting detail about how the CVEs were addressed. One might have noticed that CVE-2023-32844, CVE-2023-32845 and CVE-2023-32846 are not listed above. According to MediaTek, and having sighted the correspondence between MediaTek and the 5Ghoul researchers, the fixes for those three CVEs were addressed altogether under CVE-2023-32841.

    Unfortunately, it appears that the most significant delays and uncertainties lie with the device vendors who have yet to ship the fixes released by MediaTek and Qualcomm. Although the Android project has all the patches nailed down (which means Google Pixel phones that are still supported would get the fixes first), the fragmented ecosystem of Android phone brands and models can add considerable time before patches reach devices. Some older device models no longer receive updates at all, so it is safe to presume they remain susceptible to 5Ghoul attacks. These attacks are not yet widely prevalent, but they will surely be annoying if one gets targeted. If you are using a mobile device that will no longer receive security updates, consider whether you can accept the inconvenience of being affected by 5Ghoul attacks (note that proof-of-concept code is publicly available [9]). Organizations that depend heavily on 5G communications (such as the Industrial Internet of Things) and use hardware listed in Table 1, or the vulnerable 5G modems that have been identified, should have their business owners evaluate the risks and impact of disruptions caused by 5Ghoul and the mitigations that can be adopted.
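    The bulletin timeline above, together with the note that three MediaTek CVEs were folded into the CVE-2023-32841 fix, is enough to triage an Android fleet by security patch level. The script below is an added example (not code from the diary or from the 5Ghoul project) that does exactly that: it maps each 5Ghoul CVE to the Android Security Bulletin month in which its fix first appeared, resolves the folded CVEs to CVE-2023-32841, and reports, per device, which CVEs are still outstanding and whether a fix can still be expected. The device inventory, names and patch levels are constructed; the vendor-to-CVE mapping follows Table 1. Non-Android hardware such as the USB modems has no patch level to reason from and is reported as "unclear", mirroring the table.

```python
"""Added example: triage a device inventory against the 5Ghoul CVEs using the
fix dates from the Android security bulletins cited in the diary.
The inventory below is constructed sample data, not real asset records."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Android Security Bulletin in which each fix first appeared (from the diary).
BULLETIN_FIX_DATE = {
    "CVE-2023-20702": date(2023, 11, 1),  # MediaTek
    "CVE-2023-33043": date(2024, 1, 1),   # Qualcomm
    "CVE-2023-33044": date(2024, 1, 1),   # Qualcomm
    "CVE-2023-32841": date(2024, 2, 1),   # MediaTek
    "CVE-2023-32842": date(2024, 2, 1),   # MediaTek
    "CVE-2023-32843": date(2024, 2, 1),   # MediaTek
    "CVE-2023-33042": date(2024, 3, 1),   # Qualcomm
}

# MediaTek addressed these three CVEs within the CVE-2023-32841 fix.
FOLDED_INTO = {
    "CVE-2023-32844": "CVE-2023-32841",
    "CVE-2023-32845": "CVE-2023-32841",
    "CVE-2023-32846": "CVE-2023-32841",
}

# 5Ghoul CVEs that apply to each modem chipset vendor (Table 1).
VENDOR_CVES = {
    "Qualcomm": ["CVE-2023-33042", "CVE-2023-33043", "CVE-2023-33044"],
    "MediaTek": ["CVE-2023-20702", "CVE-2023-32841", "CVE-2023-32842",
                 "CVE-2023-32843", "CVE-2023-32844", "CVE-2023-32845",
                 "CVE-2023-32846"],
}


@dataclass
class Device:
    name: str
    modem_vendor: str                    # "Qualcomm" or "MediaTek"
    android_patch_level: Optional[date]  # None for non-Android hardware (USB modems)
    supported: bool = True               # False once the OEM has ended security updates


def outstanding_cves(dev: Device) -> Tuple[str, List[str]]:
    """Return (status, CVEs not yet known to be fixed on this device).

    status is one of:
      "patched"        every applicable CVE is covered by the patch level
      "pending"        fixes exist and the device is still supported
      "end-of-support" fixes exist but the OEM will not ship them
      "unclear"        no Android patch level to reason from; the vendor's
                       firmware release notes are the only source of truth
    """
    applicable = VENDOR_CVES[dev.modem_vendor]
    if dev.android_patch_level is None:
        return "unclear", list(applicable)
    remaining = []
    for cve in applicable:
        # A CVE folded into another fix is covered exactly when that fix is.
        effective = FOLDED_INTO.get(cve, cve)
        if dev.android_patch_level < BULLETIN_FIX_DATE[effective]:
            remaining.append(cve)
    if not remaining:
        return "patched", []
    return ("pending" if dev.supported else "end-of-support"), remaining


def triage(devices: List[Device]) -> dict:
    """Map each device name to its (status, outstanding CVEs) pair."""
    return {d.name: outstanding_cves(d) for d in devices}


if __name__ == "__main__":
    # Constructed sample inventory; names and patch levels are made up.
    inventory = [
        Device("phone-A", "MediaTek", date(2024, 2, 5)),
        Device("phone-B", "Qualcomm", date(2024, 1, 5)),
        Device("phone-C", "Qualcomm", date(2023, 12, 5), supported=False),
        Device("modem-D", "Qualcomm", None),
    ]
    for name, (status, cves) in triage(inventory).items():
        print(f"{name}: {status} {', '.join(cves) or '-'}")
```

    One caveat the diary itself raises: the patch level check assumes the OEM actually shipped that month's modem fixes, which the bulletin date does not guarantee in a fragmented ecosystem, so "patched" here means "claimed patched by security patch level" and an end-of-support or unclear verdict should feed the risk evaluation recommended above rather than be treated as a conclusive answer.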

    References:
    [1] https://isc.sans.edu/diary/30462
    [2] https://community.oneplus.com/thread/1514600069267980292
    [3] https://miuirom.org/phones/redmi-k40
    [4] https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2024-001/
    [5] https://source.android.com/docs/security/bulletin/2023-11-01
    [6] https://source.android.com/docs/security/bulletin/2024-01-01
    [7] https://source.android.com/docs/security/bulletin/2024-02-01
    [8] https://source.android.com/docs/security/bulletin/2024-03-01
    [9] https://github.com/asset-group/5ghoul-5g-nr-attacks

    -----------
    Yee Ching Tok, Ph.D., ISC Handler

    Keywords: 5Ghoul