I recently wrote a diary on the SANS Internet Storm Center about revisiting the 5Ghoul vulnerabilities three months later.
Please click here to read the full diary entry, and this diary entry has been briefly mentioned in the SANS Daily Network Security Podcast (Stormcast) for Monday, March 18th, 2024 over here. Alternatively, the full diary is reposted in full below.
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
Patch updates have been made concerning the various products listed in Table 1 [1]. However, older models tend not to receive security updates due to the end of security patch support. Additionally, some vendors do not publicly make their firmware patch information available, which poses a challenge when ascertaining if affected products were patched. The updated Table 1 below shows the current patch status as of the publication of this diary entry:
| Vendor/Product | 5G Modem | Type | Firmware/ Software Version | CVE ID | Patch Status |
|---|---|---|---|---|---|
| Quectel RM500Q-GL | Qualcomm X55 | USB Modem | Aug 03 2021 | CVE-2023-33042 | Unclear* |
| Simcom SIM8202G | Qualcomm X55 | USB Modem | SIM8202G-M2_V1.2 | CVE-2023-33042 CVE-2023-33043 | Unclear* |
| Fibocom FM150-AE | Qualcomm X55 | USB Modem | 89602.1000.00.04.07.20 | CVE-2023-33042 CVE-2023-33044 | Unclear* |
| Telit FT980m | Qualcomm X55 | USB Modem | 38.23.001-B001-P0H.000640 | CVE-2023-33042 CVE-2023-33043 CVE-2023-33044 | Unclear* |
| OnePlus Nord CE 2 5G | MediaTek Dimensity 900 5G | Smartphone | M_V3_P10 | CVE-2023-20702 CVE-2023-32841 CVE-2023-32842 CVE-2023-32843 CVE-2023-32844 CVE-2023-32845 CVE-2023-32846 | CVE-2023-20702 fixed [2] |
| Xiaomi Redmi K40 | MediaTek Dimensity 1200 5G | Smartphone | MOLY.NR15.R3.TC8.PR2.SP.V2.1.P70 | CVE-2023-20702 CVE-2023-32841 CVE-2023-32842 CVE-2023-32843 CVE-2023-32844 CVE-2023-32845 CVE-2023-32846 | Unpatched* [3] |
| Asus ROG Phone 5s | Qualcomm X60 | Smartphone | M3.13.24.73-Anakin2 | CVE-2023-33042 CVE-2023-33043 CVE-2023-33044 | End of Support – No more patches available |
For modem devices such as Telit FT980m, Simcom SIM8202G, Fibocom FM150-AE and Quectel RM500Q-GL, their patch status is unclear as firmware patch information is not publicly available. I had tried to find out more about the devices that were tested, but it appears that there were few discussions with respect to 5Ghoul from the tested device brands. Quectel did have a query in their forums (sighted previously and visible from Google search results), but unfortunately, their website was down. Interestingly, Sierra Wireless (a company that had used the affected Qualcomm chipset) released a Security Advisory on their website, although their products were not used to evaluate 5Ghoul vulnerabilities [4].
As highlighted in the previous diary, all 5Ghoul vulnerabilities have had their patches released by Qualcomm/MediaTek [1]. The Android project has also implemented the fixes for the CVEs in the following order:
November 2023: MediaTek fix for CVE-2023-20702 [5]
January 2024: Qualcomm fixes for CVE-2023-33043 and CVE-2023-33044 [6]
February 2024: MediaTek fixes CVE-2023-32842, CVE-2023-32841 and CVE-2023-32843 [7]
March 2024: Qualcomm fix for CVE-2023-33042 [8]
There is also interesting trivia about the CVEs being addressed. One might have noted that CVE-2023-32844, CVE-2023-32846 and CVE-2023-32845 were not listed. According to MediaTek and having sighted the correspondence between MediaTek and the 5Ghoul researchers, fixes for the three previously mentioned CVEs were addressed altogether in CVE-2023-32841.
Unfortunately, it appears that the most significant delay and uncertainties lie with the vendors who have yet to implement the fixes released by MediaTek and Qualcomm. Although the Android project has had all the patches nailed down (which means Google Pixel phones that are still being supported would get the fixes first), the fragmented ecosystem of various Android phone brand models could add time for patches to be implemented. Some older device models also no longer receive updates, so it is safe to presume they would be susceptible to 5Ghoul attacks. These attacks have yet to be widely prevalent, but they will surely be annoying if one gets targeted. If you are using a mobile device that will no longer have any security updates, consider whether one can accept the inconveniences of being affected by 5Ghoul attacks (note that proof-of-concept code is available [9]). In the context of organizations that depend heavily on 5G communications (such as the Industrial Internet of Things) and are using hardware listed in Table 1 or the vulnerable 5G modems that had been identified, it is highly recommended that the business owners evaluate the risks and impact of disruptions caused by 5Ghoul and the relevant mitigations that can be adopted.
References:
[1] https://poppopretn.com/2023/12/08/sans-infosec-handlers-diary-blog-5ghoul-impacts-implications-and-next-steps/
[2] https://community.oneplus.com/thread/1514600069267980292
[3] https://miuirom.org/phones/redmi-k40
[4] https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin—swi-psa-2024-001/
[5] https://source.android.com/docs/security/bulletin/2023-11-01
[6] https://source.android.com/docs/security/bulletin/2024-01-01
[7] https://source.android.com/docs/security/bulletin/2024-02-01
[8] https://source.android.com/docs/security/bulletin/2024-03-01
[9] https://github.com/asset-group/5ghoul-5g-nr-attacks