Oct 03, 2023 | THN | Zero Day / Vulnerability
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation.
Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity.
“There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation,” the semiconductor company said in an advisory.
“Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible.”
CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates.
While additional specifics about the remaining flaws are expected to be made public in December 2023, the disclosure comes the same day Arm shipped patches for a security flaw in the Mali GPU Kernel Driver (CVE-2023-4211) that has also come under limited, targeted exploitation.
Qualcomm’s October 2023 updates also address three critical issues, although there is no evidence that they have been abused in the wild:
CVE-2023-24855 (CVSS score: 9.8) – Memory corruption in Modem while processing security related configuration before AS Security Exchange.
CVE-2023-28540 (CVSS score: 9.1) – Cryptographic issue in Data Modem due to improper authentication during TLS handshake.
CVE-2023-33028 (CVSS score: 9.8) – Memory corruption in WLAN Firmware while doing a memory copy of pmk cache.
Users are advised to apply updates from original equipment manufacturers (OEMs) as soon as they become available.