Indonesia – SECRY – Qualcomm Zero-Days – Chipmaker Qualcomm Technologies, Inc has taken swift action to bolster the security of its products by releasing a comprehensive set of security updates.

These updates aim to address a total of 17 vulnerabilities found in various components of Qualcomm’s technology ecosystem. Alongside this critical effort, Qualcomm has issued a grave warning to its user base: three zero-day vulnerabilities are currently under active exploitation.

Within the 17 vulnerabilities identified, the severity ratings vary, with three being categorized as Critical, 13 as High, and one as Medium. This comprehensive security initiative underscores Qualcomm’s commitment to safeguarding its users against potential threats and exploits.

Qualcomm Vulnerability Zero-Days

Recent reports from the Google Threat Analysis Group and Google Project Zero have raised concerns about the exploitation of certain vulnerabilities.

CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 have shown signs of being targets for limited, targeted exploitation.

These vulnerabilities affect key components such as Adreno GPU and Compute DSP drivers, which are crucial for the optimal functioning of Qualcomm-powered devices.

“Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices.”, Qualcomm.

How Qualcomm Mitigate

To mitigate the risk posed by these vulnerabilities, Qualcomm has diligently developed patches specifically tailored to address these issues.

Furthermore, Qualcomm has proactively engaged with Original Equipment Manufacturers (OEMs) to ensure they are well-informed about the severity of these vulnerabilities and the urgency of deploying the security updates.

For consumers seeking information about the patch status for their specific devices, it is recommended to contact their respective device manufacturers.

It is noteworthy that CVE-2022-22071, identified as a use-after-free vulnerability in the Automotive OS Platform, was previously addressed in QUALCOM’s May 2022 public bulletin.

Detailed information regarding the remaining CVEs will be disclosed in the upcoming Qualcom December 2023 public bulletin, ensuring transparency and accountability in addressing these issues.

The 3 Critical Issues in Zero-Days Patch

Among the vulnerabilities disclosed, three have garnered the highest severity ratings. These critical issues demand immediate attention:

1. CVE-2023-24855 (CVSS score: 9.8) – Use of Out-of-range Pointer Offset in Modem: This vulnerability pertains to memory corruption in the Modem component while processing security-related configurations before AS Security Exchange. Its high severity score underscores the urgency of addressing this issue promptly.
2. CVE-2023-28540 (CVSS score: 9.1) – Improper Authentication in Data Modem: This critical vulnerability is attributed to a cryptographic flaw in the Data Modem component due to improper authentication during TLS handshake. Rectifying this issue is paramount to maintaining the integrity of data transmission.
3. CVE-2023-33028 (CVSS score: 9.8) – Buffer Copy without Checking Size of Input in WLAN Firmware: This vulnerability highlights the risk of buffer copy operations without proper input size validation in WLAN Firmware. Its critical nature emphasizes the need for immediate action.

In light of these vulnerabilities, consumers are urged to take proactive measures to protect their devices. The primary course of action is to apply the available updates promptly when they are delivered through OEM channels. This proactive step will ensure that the vulnerabilities are patched, reducing the risk of exploitation.

Security Advice and Recommendations

Moreover, it is essential for Android device owners to exercise caution when downloading and installing applications. To minimize exposure to vulnerabilities, it is advisable to limit app downloads to trustworthy repositories and exercise discretion in choosing apps.

The majority of vulnerabilities in device drivers typically require local access, which can be achieved through malware infections. By adhering to these best practices, users can enhance the security posture of their devices and protect their sensitive data.

In a related development, Arm, a key player in the semiconductor industry, has issued a similar security advisory. Arm’s warning concerns an actively exploited flaw, CVE-2023-4211, which was identified and reported by Google’s Threat Analysis Group (TAG) and Project Zero.

Potential Impact of Qualcomm Zero-Days

This vulnerability has the potential to impact a wide range of Mali GPU drivers, further underscoring the need for heightened vigilance in the tech industry’s ongoing battle against vulnerabilities and exploits.

As Qualcomm takes robust measures to address these vulnerabilities and protect its user base, it is essential for users to stay informed and proactive in securing their devices.

Applying updates and following best practices for app installations are key steps in fortifying the security of Qualcomm-powered devices in an ever-evolving threat landscape.

For more information and updates regarding Qualcomm’s security efforts, users are encouraged to stay connected with their device manufacturers and monitor official channels for announcements and patches.