Qualcomm Unveils Information on Chip Vulnerabilities Targeted in Specific Attacks

Qualcomm Issues Security Advisory for High-Severity Flaws

In recent developments, chipmaker Qualcomm has disclosed significant information regarding three critical security vulnerabilities that were reportedly exploited in targeted attacks as of October 2023. The company emphasized that these flaws were subjected to “limited, targeted exploitation,” raising alarms about their implications for affected users.

The vulnerabilities identified include CVE-2023-33063, which carries a CVSS score of 7.8 and involves memory corruption in DSP Services during remote calls from the High-Level Operating System (HLOS) to the Digital Signal Processor (DSP). Additionally, CVE-2023-33106 and CVE-2023-33107, both rated at 8.4, are memory corruption issues within the Graphics subsystem. CVE-2023-33106 arises while processing extensive lists of synchronization points in an AUX command, while CVE-2023-33107 pertains to the handling of shared virtual memory regions during IOCTL calls.

This disclosure follows an announcement from Google’s Threat Analysis Group and Project Zero, which revealed that these vulnerabilities, along with a previously identified issue, CVE-2022-22071, have been actively exploited in the wild as part of focused attacks. Researchers such as luckyrb from the Google Android Security team, alongside Benoît Sevens and Jann Horn from Project Zero, were instrumental in identifying and reporting these security concerns.

The nature of the exploitation remains unclear, particularly regarding the methods employed and the identities of the threat actors involved. However, these vulnerabilities have warranted the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added them to its Known Exploited Vulnerabilities catalog. CISA is urging all federal agencies to apply the necessary patches by December 26, 2023, to mitigate potential risks.

This development is coupled with Google’s recent announcement about the December 2023 security updates for Android, which were designed to address 85 vulnerabilities. Among these updates is a critical issue in the System component, tracked as CVE-2023-40088, which poses a risk of remote code execution without the need for user interaction.

The vulnerabilities outlined suggest that attackers may have employed various tactics from the MITRE ATT&CK framework, including initial access through memory corruption techniques, potential privilege escalation, and execution of malicious commands via compromised software interfaces. These tactics underline the necessity for robust security measures and timely updates to safeguard against similar targeted attacks in the future.

For business owners and professionals operating within environments vulnerable to such threats, understanding the implications of these security advisories is critical. By staying informed and proactive in applying security patches, organizations can better protect themselves against evolving cyber threats.
