Summary: Qualcomm’s October 2024 Security Bulletin reveals critical vulnerabilities in its chipsets, particularly affecting Snapdragon mobile platforms and FastConnect solutions, posing significant risks to users. The bulletin highlights several vulnerabilities, including CVE-2024-43047 and CVE-2024-33066, which could lead to remote code execution and device takeovers.
Threat Actor: Google Threat Analysis Group | Google Threat Analysis Group
Victim: Qualcomm | Qualcomm
Key Point :
- Critical vulnerabilities include CVE-2024-43047 (CVSS 7.8) and CVE-2024-33066 (CVSS 9.8), with the latter allowing remote code execution.
- Qualcomm urges OEMs to deploy patches immediately to mitigate risks and recommends users update their devices to the latest firmware.
- Additional vulnerabilities in open-source components could lead to denial of service or information disclosure.
Qualcomm has released its October 2024 Security Bulletin, highlighting several critical vulnerabilities affecting a range of its chipsets, including the widely used Snapdragon mobile platforms and FastConnect solutions. These vulnerabilities, affecting various system components such as WLAN, DSP, and graphics processing, pose significant security risks to users worldwide.
One of the vulnerabilities, CVE-2024-43047 (CVSS 7.8), was flagged by Google’s Threat Analysis Group (TAG) as potentially under limited, targeted exploitation.
“There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation. Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible,” Qualcomm wrote in its security bulletin.
A critical vulnerability (CVE-2024-33066, CVSS 9.8) in the WLAN Resource Manager could allow attackers to remotely execute malicious code, potentially leading to a complete takeover of the device. This flaw, stemming from improper input validation, enables memory corruption by redirecting log files to arbitrary locations. This flaw affected chipsets: Immersive Home Platforms, IPQ series, QCA series, and Snapdragon X65 5G Modem-RF systems, among others.
Another high-severity vulnerability (CVE-2024-23369) resides in the HLOS (Hardware Abstraction Layer Operating System) and allows local attackers to exploit memory corruption by manipulating FRS/UDS request/response buffers. Snapdragon mobile platforms, FastConnect series, and QCA series are vulnerable.
The October bulletin also addresses several vulnerabilities in open-source software components. These include a buffer over-read flaw in WLAN Host Communication (CVE-2024-33064), potentially leading to denial of service or information disclosure.
Qualcomm has strongly recommended that OEMs implement the necessary patches as soon as possible to protect users from potential exploitation. Users are encouraged to ensure their devices are updated to the latest firmware versions and should contact their device manufacturers to verify the patch status for their specific models.