Qualcomm has issued security updates responding to nearly two dozen vulnerabilities affecting both proprietary and open-source components. Among these, a particularly severe flaw has been identified, which is reportedly under active exploitation in the field.

This high-severity vulnerability, tracked as CVE-2024-43047 with a CVSS score of 7.8, has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service. The flaw can result in memory corruption due to how memory mappings of High-Level Operating System (HLOS) memory are handled.

Industry experts, including Google Project Zero researchers Seth Jenkins and Conghui Wang, have been credited with reporting this vulnerability, while the Amnesty International Security Lab confirmed its exploitation. Qualcomm noted that, according to the Google Threat Analysis Group, CVE-2024-43047 appears to be under limited, targeted exploitation.

The company has urged original equipment manufacturers (OEMs) to expedite deployment of the patches for this issue, which affects the FASTRPC driver. Qualcomm emphasized the importance of applying these updates as soon as possible to mitigate the risks associated with this vulnerability.

While the full extent and impact of attacks exploiting this vulnerability remain uncertain, there is a distinct possibility that it has been weaponized in spyware attacks directed at members of civil society. This ongoing threat highlights the evolving landscape of cybersecurity risks faced by today’s organizations.

In addition, the October patch addresses another serious vulnerability tracked as CVE-2024-33066, with an alarming CVSS score of 9.8. This flaw is attributed to inadequate input validation in the WLAN Resource Manager, which could similarly lead to memory corruption.

This development coincides with the recent release of Google’s monthly Android security bulletin, which provided fixes for 28 vulnerabilities spanning various components from companies including Imagination Technologies, MediaTek, and Qualcomm. The cumulative updates signify a proactive step by tech giants to address security shortcomings amidst the mounting threats presented by cybercriminals.

As businesses continue to navigate the complex landscape of cybersecurity, understanding the tactics described in the MITRE ATT&CK framework can offer valuable insights into potential adversary behaviors. Techniques linked to initial access, persistence, and privilege escalation may be leveraged in scenarios involving such vulnerabilities, underscoring the essential need for vigilant security measures across all technological platforms.

In conclusion, stakeholders must stay informed of these vulnerabilities and apply the relevant security patches promptly. Doing so is crucial to safeguarding infrastructure against the risks posed by exploitation of these critical flaws.