CISA warns of attacks targeting vulnerabilities in Qualcomm chips

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert, adding four new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities, found in Qualcomm chipsets, are actively being exploited, posing serious risks to digital security.

CVE-2023-33106: The Out-of-Range Pointer Offset Hazard

With a CVSS score of 8.4, this vulnerability stems from memory corruption during the submission of an overly large list of sync points in an AUX command. The IOCTL_KGSL_GPU_AUX_COMMAND, a critical component in various Qualcomm chipsets, is susceptible to this flaw, which could allow attackers to manipulate or corrupt memory, leading to potential control over the affected system.

CVE-2023-33063: The Use-After-Free Threat in DSP Services

Scored at 7.8 on the CVSS scale, this vulnerability arises from memory corruption in DSP Services during a remote call from the High-Level Operating System (HLOS) to the Digital Signal Processor (DSP). This flaw can be exploited to perform malicious activities, including data corruption and unauthorized access to sensitive information.

CVE-2023-33107: The Integer Overflow Issue in Graphics Linux

Another high-risk vulnerability with a CVSS score of 8.4, this issue is caused by memory corruption in Graphics Linux. It occurs while assigning a shared virtual memory region during an IOCTL call. An integer overflow can lead to system crashes, data manipulation, or even provide an entry point for attackers to execute arbitrary code.

CVE-2022-22071: The Use-After-Free Vulnerability in Multiple Chipsets

With the highest CVSS score among the four, at 8.8, this vulnerability affects a range of Qualcomm chipsets, including Snapdragon Auto, Compute, Connectivity, Consumer IOT, Industrial IOT, Mobile, and Voice & Music. It involves a potential use-after-free scenario during the freeing of process shell memory using an IOCTL munmap call. This vulnerability is particularly dangerous as it can lead to system instability, data leakage, or unauthorized control.

The Risks and Recommended Actions

These vulnerabilities are prime targets for cyber attackers, presenting significant risks to the federal enterprise and beyond. To mitigate these risks, CISA has strongly recommended that Federal Civilian Executive Branch (FCEB) agencies apply vendor-provided fixes by December 26, 2023.

The discovery and active exploitation of these vulnerabilities underscore the continuous need for vigilance in cybersecurity. Organizations must stay ahead by regularly updating their systems, applying patches promptly, and monitoring for any unusual activities. In the ever-evolving landscape of cybersecurity, staying informed and prepared is the key to safeguarding digital integrity.