Chipmaker Qualcomm warns of three actively exploited zero-days

7 months ago AndyC

Chipmaker Qualcomm warns of three actively exploited zero-days

Pierluigi Paganini
October 04, 2023

Chipmaker Qualcomm addressed 17 vulnerabilities in various components and warns of three other actively exploited zero-day flaws.

Chipmaker Qualcomm warns of three actively exploited zero-days

Chipmaker Qualcomm warns of three actively exploited zero-days

Pierluigi Paganini
October 04, 2023

Chipmaker Qualcomm addressed 17 vulnerabilities in various components and warns of three other actively exploited zero-day flaws.

Chipmaker Qualcomm released security updates to address 17 vulnerabilities in several components.

Three out of 17 flaws are rated Critical, 13 are rated High, and one is rated Medium in severity.

The company is also warning that three other zero-day vulnerabilities are actively exploited in attacks in the wild. Google Threat Analysis Group and Google Project Zero first reported that the CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 are actively exploited in targeted attacks.

The company plans to disclose the technical details of the actively exploited vulnerabilities in the forthcoming months.

Google Threat Analysis Group and Google Project Zero experts focus on attacks carried out by nation-state actors or surveillance firms, this means that one of these threat actors may be behind the exploitation of the Qualcomm flaws.

“There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 may be under limited, targeted exploitation. Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices.” reads the advisory. “CVE-2022-22071 was included in our May 2022 public bulletin. The details of the remaining CVEs will be shared in our December 2023 public bulletin.”

The three critical issues fixed by the chipmaker are:

Public ID Security Rating CVSS Rating Technology Area Date Reported
CVE-2023-24855 Critical Critical (CVSS Score 9.8) Modem Internal
CVE-2023-28540 Critical Critical (CVSS Score 9.1) Data Modem Internal
CVE-2023-33028 Critical Critical (CVSS Score 9.8) WLAN Firmware Internal
  • CVE-2023-24855: Use of Out-of-range Pointer Offset in Modem. The issue is a memory corruption in Modem while processing security related configuration before AS Security Exchange.
  • CVE-2023-28540: Improper Authentication in Data Modem. The flaw is a cryptographic issue in the Data Modem caused by the improper authentication during TLS handshake.
  • CVE-2023-33028: Buffer Copy without Checking Size of Input in WLAN Firmware. The flaw is a memory corruption in WLAN Firmware that occurs while doing a memory copy of pmk cache.

There is no evidence that the above flaws have been exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Qualcomm)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

8 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

14 hours ago AndyC

Friday Squid Blogging: Searching for the Colossal Squid

1 day ago AndyC
Experts warn of malware campaign targeting WP-Automatic plugin

Experts warn of malware campaign targeting WP-Automatic plugin

1 day ago AndyC
Cryptocurrencies and cybercrime: A critical intermingling

Cryptocurrencies and cybercrime: A critical intermingling

2 days ago AndyC
Kaiser Permanente data breach may have impacted 13.4 million patients

Kaiser Permanente data breach may have impacted 13.4 million patients

2 days ago AndyC

You may have missed

Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

8 hours ago AndyC

Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

11 hours ago AndyC
Brokewell supports an extensive set of Device Takeover capabilities

Brokewell supports an extensive set of Device Takeover capabilities

14 hours ago AndyC
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

14 hours ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

20 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.