
Qualcomm Patches Multiple Vulnerabilities in its Products
Qualcomm recently announced patches for a significant number of vulnerabilities found across its products. This proactive measure was taken following the detection of these flaws by Google's cybersecurity units. In total, more than two dozen vulnerabilities were patched to strengthen the security of Qualcomm's product lineup.
Zero-Day Vulnerabilities Patched by Qualcomm
Among the detected flaws were zero-day vulnerabilities that Google promptly reported to Qualcomm. The reported vulnerabilities are tracked as CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071. However, Qualcomm had already patched CVE-2022-22071 in May, leaving three zero-day vulnerabilities that were subsequently addressed.
Potential Exploitation by Spyware Vendors
Details reported by Google suggest that commercial spyware vendors might have exploited the vulnerabilities. Google is on the record as investigating several exploit chains thought to be the handiwork of spyware vendors. Attackers have been observed deploying these exploits to deliver spyware to devices running Android or iOS, both of which often feature Qualcomm chips.
Severity and Impact of the Vulnerabilities
The remaining vulnerabilities, which were not zero-days, were rated 'critical' or 'high' severity. Interestingly, these vulnerabilities were discovered internally by Qualcomm. The flaws mainly affected modems, WLAN firmware, and automotive products, manifesting as memory bugs and information disclosure issues. Typical outcomes of memory bugs are arbitrary code execution or a denial of service (DoS).
Google’s Role in Eliminating Zero-Day Vulnerabilities
In tandem with Qualcomm's initiative, Google released Android security updates that patched two zero-days. One of them, a bug in the Arm Mali GPU driver tracked as CVE-2023-4211, is known to have been exploited in attacks deploying spyware.
Details of the Flaws
Four key vulnerabilities were flagged and subsequently patched by Qualcomm. These were tagged as CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071. Among these, three were classified as zero-day vulnerabilities. The vulnerabilities affected Adreno GPU and Compute DSP drivers, representing significant threats to the security of Qualcomm's products.
Early Patching for CVE-2022-22071
It's noteworthy that the flaw tracked as CVE-2022-22071 had been patched even earlier, as part of Qualcomm's May 2022 public bulletin. The early resolution of this vulnerability highlights the proactive attitude of Qualcomm in ensuring the security integrity of its products.
Ambiguity Surrounding Attack Exploitation
Despite the detection and patching of these vulnerabilities, explicit details surrounding potential exploitation of the flaws by threat actors have not been shared. However, it was hinted that the vulnerabilities could have been under limited, targeted exploitation based on indications from Google's Threat Analysis Group and Google Project Zero. The details of the remaining Common Vulnerabilities and Exposures (CVEs) apart from CVE-2022-22071 will be shared publicly as part of Qualcomm's December 2023 public bulletin.
Additional Vulnerabilities and Patches
Alongside the previously mentioned vulnerabilities, Qualcomm, in their monthly security bulletin, disclosed a total of seventeen additional vulnerabilities. Notably, three of these additional flaws were given 'critical' severity ratings, showcasing their potential negative impact on product security.
Impacted Areas of Products
Most of these vulnerabilities have been identified in modems, WLAN firmware, and automotive products. A key feature of these vulnerabilities is the tendency to manifest as memory bugs and information disclosure issues. Specific examples of these critical vulnerabilities include CVE-2023-24855, a memory corruption in the modem while processing security-related configuration, and CVE-2023-33028, memory corruption in WLAN firmware due to improper memory copying.
Cryptographic Issue in Data Modem
Another critical vulnerability, numbered CVE-2023-28540, stems from a cryptographic issue in data modems. This flaw arises due to improper authentication during the Transport Layer Security (TLS) handshake, creating a potential gap in the product's security.
Google’s Involvement in Patching Vulnerabilities
In its ongoing collaborative efforts, Google also recently released Android security updates. These updates provided patches for two zero-day vulnerabilities that were known to have been exploited in attacks delivering spyware. Google's consistent vigilance and swift action highlight the strong security mechanisms in place to tackle vulnerabilities and patch them promptly.
Other Related Updates and News
Alongside Qualcomm's proactive approach towards patching its vulnerabilities, there have been several noteworthy updates and pieces of news linked with the tech giant's security ecosystem.
Reports of Exploitation on Qualcomm Chips
Evidence has pointed towards incidents of attacks exploiting Qualcomm chips embedded in Android or iOS devices. Threat actors have used software vulnerabilities as a means to deliver spyware to unsuspecting users and potentially compromise their data and privacy.
Google’s Role in Identifying Vulnerabilities
Google had a significant role in identifying and reporting some of the vulnerabilities. In fact, the inference that commercial spyware vendors may have exploited these security holes arises from reports by Google’s Threat Analysis Group and Google Project Zero. Google’s proactive involvement provides a safety net in the detection and correction of security flaws, demonstrating a collaborative approach to cybersecurity in the tech industry.
Qualcomm’s Internal Discoveries
Last but not least, the discovery of most 'critical' and 'high' severity rated vulnerabilities is credited to Qualcomm's internal teams. Their active role in unearthing these security flaws highlights the company's committed approach towards enhancing the safety and security of its product offerings.



