Exploitation of this vulnerability is possible by intercepting or manipulating the traffic between the UE and an Evolved HSPA/UMTS network. The UE might not be able to process SIB12 (CMAS message) when it is received during a non-standalone session with an Evolved HSPA/UMTS network, due to improper input validation. In addition, when SIB12 (CMAS message) is received during a non-standalone session, the UE might fail to process it correctly, resulting in a system crash. As a result, UE might be able to cause remote denial of service. Vulnerabilities in Modem RRC, UE, and Evolved HSPA/UMTS network, which could be exploited for remote denial of service, have been reported by various vendors.

Modem RRC, UE, and Evolved HSPA/UMTS network
The vulnerability exists in the following components:
UE - improper input validation of SIB12 (CMAS message) received during a non-standalone session.
Modem RRC - improper input validation of SIB12 (CMAS message) received during a non-standalone session.
Evolved HSPA/UMTS network - improper input validation of SIB12 (CMAS message) received during a non-standalone session.

The following table lists types of remote denial of service vulnerabilities in UE, Modem RRC and EvoHspa/UMTS network

Type of Remote Denial of Service Vulnerability UE, Modem RRC and EvoHspa/UMTS Network
UE is vulnerable to a remote denial of service attack when the UE is unable to process SIB12 (CMAS message) during a non-standalone session with an Evolved HSPA/UMTS network.
Modem RRC is vulnerable to a remote denial of service attack when the Modem RRC does not correctly handle SIB10 (NULL SIB), resulting in a system crash.
Evolved HSPA/UMTS network is vulnerable to a remote denial of service attack when it fails to properly handle SIB12 (CMAS message), resulting in a system crash.

Modem RRC (Radio Resource Control)

The vulnerability is based on improper input validation from UE.
Vulnerabilities in Modem RRC, UE, and Evolved HSPA/UMTS network have been reported by various vendors. Exploitation of these vulnerabilities is possible by intercepting or manipulating the traffic between the UE and an Evolved HSPA/UMTS network.

Timeline

Published on: 11/08/2022 21:15:00 UTC
Last modified on: 11/09/2022 18:05:00 UTC
