Patch Released for Mali GPU Kernel Driver Vulnerability Addressing Ongoing Exploitation of Arm Issues

Arm has recently issued critical security patches for a vulnerability in the Mali GPU Kernel Driver that has been actively exploited in the field. The flaw, designated CVE-2023-4211, affects a range of versions of the Midgard, Bifrost, and Valhall GPU Kernel Drivers.

The vulnerability allows a local, non-privileged user to perform improper memory-handling operations and thereby gain unauthorized access to memory that has already been freed. In an advisory released on Monday, Arm said there was evidence that the vulnerability may be under limited, targeted exploitation. This raises significant security concerns, particularly for end users whose devices run the affected drivers.

The finding was credited to researchers Maddie Stone and Jann Horn, from Google’s Threat Analysis Group and Project Zero, respectively. The Bifrost and Valhall drivers, along with the Arm 5th Gen GPU Architecture Kernel Driver, have been patched in version r43p0 to mitigate the risks associated with this vulnerability.

In the wake of this announcement, Google included reports of potential exploits associated with CVE-2023-4211 in its October 2023 Android Security Bulletin. The company noted signs that the vulnerability has indeed been utilized in targeted attacks, alongside another serious flaw impacting the WebP image format in the Chrome browser, which was patched the previous month.

While the specific details of the attacks exploiting CVE-2023-4211 remain unclear, indications suggest that these vulnerabilities may have been harnessed as part of advanced spyware campaigns aimed at high-risk individuals. This underlines the growing challenges faced by organizations in maintaining cybersecurity, particularly in the context of sophisticated threat actors.

Arm also addressed additional vulnerabilities within the Mali GPU Kernel Driver, specifically CVE-2023-33200 and CVE-2023-34970. Both flaws allow local non-privileged users to carry out improper GPU processing operations, further exposing systems to risks from unauthorized memory access.

These recent findings are not without precedent; previous vulnerabilities within the Arm Mali GPU Kernel Driver have also been exploited. Earlier in the year, Google TAG identified another critical vulnerability, CVE-2023-26083, which spyware vendors used in attacks against Samsung devices. This highlights a concerning trend where vulnerabilities in widely used GPU drivers are becoming targets for malicious actors.

In analyzing the tactics employed during these attacks, it is likely that adversaries applied techniques from the MITRE ATT&CK framework, including initial access to devices through local user permissions, privilege escalation via improper memory access, and persistence strategies to maintain access over time. Given the potential implications for business operations, it remains crucial for organizations to stay informed about such vulnerabilities and ensure timely updates to mitigate associated risks.

As cybersecurity threats evolve, keeping pace with patch releases and understanding potential exploits is essential for business owners to protect sensitive data and maintain operational integrity.
