CVE-2023-28578 & CVE-2023-28582: Qualcomm Patches Critical Flaws in Popular Chips
US chipmaking giant Qualcomm has released a crucial security bulletin this month, patching 16 vulnerabilities, including two critical flaws (CVE-2023-28578 and CVE-2023-28582), that leave billions of devices exposed to potential attacks. The two critical flaws could lead to memory corruption and potential device hijacking. These vulnerabilities affect a vast range of smartphones, IoT devices, and automotive systems.
Let’s break down the two most severe issues:
- CVE-2023-28578 (CVSS 9.3): This bug lurks within Qualcomm’s Core Services. Attackers could exploit this flaw to corrupt memory while executing commands, opening a dangerous doorway for further attacks on devices using affected chips. This flaw arises during the command execution for removing a single event listener, affecting a wide range of chipsets from the 315 5G IoT Modem to the Snapdragon XR2+ Gen 1 Platform.
- CVE-2023-28582 (CVSS 9.8): This critical vulnerability exists in Qualcomm’s Data Modem. Attackers could potentially corrupt memory while devices are performing security handshakes, leading to malicious code execution and device control. This issue involves memory corruption in the Data Modem during the verification of the hello-verify message throughout the DTLS handshake process. Affecting numerous chipsets, including the Snapdragon 8 Gen series and various FastConnect models, this vulnerability could compromise the integrity of secure communications.
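For the hello-verify handling mentioned above, here is an added example that is not Qualcomm's code and not a reconstruction of the actual defect (the article gives no root cause): a bounds-checked C parser for a DTLS HelloVerifyRequest handshake message in the RFC 6347 layout. The struct, function names and sample bytes are constructed for illustration, and only unfragmented messages are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HS_HELLO_VERIFY_REQUEST 3 /* handshake msg_type, RFC 6347 */
#define HS_HEADER_LEN 12          /* type(1) len(3) seq(2) frag_off(3) frag_len(3) */

struct hello_verify {             /* hypothetical output type */
    uint16_t server_version;
    uint8_t cookie_len;
    uint8_t cookie[255];          /* cookie<0..2^8-1>: sized for the maximum */
};

static uint32_t rd24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Parse one unfragmented HelloVerifyRequest. Returns 0, or -1 if malformed. */
int parse_hello_verify(const uint8_t *buf, size_t len, struct hello_verify *out) {
    if (!buf || !out || len < HS_HEADER_LEN + 3) return -1; /* header+version+cookie_len */
    if (buf[0] != HS_HELLO_VERIFY_REQUEST) return -1;
    uint32_t body_len = rd24(buf + 1), frag_off = rd24(buf + 6), frag_len = rd24(buf + 9);
    /* Trust the bytes received, not the sender's length fields: all must agree. */
    if (frag_off != 0 || frag_len != body_len || body_len != len - HS_HEADER_LEN) return -1;
    const uint8_t *body = buf + HS_HEADER_LEN;
    uint8_t cookie_len = body[2];
    /* The cookie must fill the rest of the body exactly before anything is copied. */
    if ((uint32_t)cookie_len + 3 != body_len) return -1;
    out->server_version = (uint16_t)((body[0] << 8) | body[1]);
    out->cookie_len = cookie_len;
    memcpy(out->cookie, body + 3, cookie_len);
    return 0;
}

/* Constructed samples: a valid message with a 4-byte cookie, and the same
 * bytes with the cookie length field changed to claim 200 bytes. */
static const uint8_t sample_ok[] = {3, 0,0,7, 0,0, 0,0,0, 0,0,7, 0xFE,0xFD, 4, 0xAA,0xBB,0xCC,0xDD};
static const uint8_t sample_bad[] = {3, 0,0,7, 0,0, 0,0,0, 0,0,7, 0xFE,0xFD, 200, 0xAA,0xBB,0xCC,0xDD};
static struct hello_verify hv_out;

int main(void) {
    printf("valid: %d\n", parse_hello_verify(sample_ok, sizeof sample_ok, &hv_out));
    printf("oversized cookie length: %d\n", parse_hello_verify(sample_bad, sizeof sample_bad, &hv_out));
    return 0;
}
```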
Massive Impact
The potential impact of these flaws is huge. Qualcomm chips reside in around 40% of smartphones globally, including premium devices from Samsung, Google, Xiaomi, and countless others. Additionally, Qualcomm’s silicon powers a wide range of IoT devices, automobiles, and more. This means billions of devices are at risk until users and manufacturers act.
Beyond These Critical Flaws
In addition to the critical vulnerabilities, Qualcomm’s bulletin outlines 12 high-severity flaws and two medium-severity vulnerabilities. These security holes span various components such as multi-mode call processors, modems, Bluetooth HOST, and WLAN firmware, among others. Described primarily as memory bugs and information disclosure issues, these vulnerabilities could lead to arbitrary code execution or denial of service (DoS) attacks, posing significant risks to system stability and user privacy.
What Can You Do?
- Patch and Update Vigilance: Qualcomm has taken the crucial step of releasing security updates to address these vulnerabilities and has notified impacted Original Equipment Manufacturers (OEMs). However, the delivery of these updates to end-users will depend on the responsiveness of OEMs and the efficiency of their distribution channels.
- Awareness is Key: Understand that these flaws highlight the risks inherent in widely-used technology. Stay informed about new cyber threats and adopt a security-first approach to device use.