Qualcomm Discloses Information About Chip Vulnerabilities Used in Sophisticated Attacks


Chipmaker Qualcomm has made public more details about three high-severity security vulnerabilities that it said came under “limited, targeted exploitation” in October 2023.

The vulnerabilities are as follows –

  • CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
  • CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
  • CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Google Project Zero and the Threat Analysis Group revealed in October 2023 that the three vulnerabilities, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks.

The Google Android Security team, Jann Horn of Google Project Zero, TAG researcher Benoît Sevens, and security researcher luckyrb are all credited with reporting the security flaws.

It is currently unknown who is behind the attacks and how these flaws have been weaponized.

As a result of the development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the four bugs to its list of known exploited vulnerabilities (KEV) and is requesting that federal agencies implement the patches by December 26, 2023.

It also follows Google’s announcement that the December 2023 security updates for Android address 85 flaws, including a critical issue in the System component tracked as CVE-2023-40088 that “could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed” and without any user interaction.

 
