0-day in Qualcomm: three vulnerabilities are used in targeted attacks on Android devices

The problem was discovered back in October. What has been learned since then?

Qualcomm, a world-renowned chip manufacturer, has released additional information about three highly critical vulnerabilities in its products. The bugs, which became known back in October 2023, affect the Adreno GPU and the DSP Services component in Snapdragon chipsets and allow attackers to remotely execute arbitrary code on the device. The flaws are known to have already been subjected to "limited and targeted exploitation".

We are talking about the following vulnerabilities:
  • CVE-2023-33063 (CVSS score: 7.8) - occurs when a remote call is made from the operating system to the DSP. It causes a buffer overflow and can be used by an attacker to inject malicious code.
  • CVE-2023-33106 (CVSS score: 8.4) - manifests in the Adreno GPU integrated into Snapdragon. The graphics system has a memory management problem when processing an extensive list of synchronization points. This data is transmitted as part of a special auxiliary command (AUX command) via the IOCTL_KGSL_GPU_AUX_COMMAND interface.
  • CVE-2023-33107 (CVSS score: 8.4) - a similar issue in the Linux graphics drivers for Adreno. Again, it allows an attacker to trick the processor and perform any unauthorized actions.

In October 2023, the Google Threat Analysis Group (TAG) and the Google Project Zero team reported that these three bugs, along with CVE-2022-22071 (CVSS score: 8.4), were exploited in limited targeted attacks.

Researcher Benoit Sevens and Jann Horn of Project Zero, as well as researcher luckyrb and the Android Security team, are credited with discovering the defects.

Users of devices with Qualcomm chips are strongly advised to install security updates from manufacturers as soon as possible.

It is not yet known exactly how these flaws were exploited or who is behind the attacks. However, the US Cybersecurity Agency (CISA) has added all 3 bugs to its Known Exploited Vulnerabilities (KEV) catalog and called on federal agencies to install patches by December 26, 2023.
 