MediaTek Patches Critical Vulnerabilities in Smartphone, Tablet, and IoT Chipsets

MediaTek, a leading semiconductor company, has issued an October 2024 Product Security Bulletin addressing critical vulnerabilities affecting a wide range of its chipsets, including those used in smartphones, tablets, IoT devices, and more. The vulnerabilities, if exploited, could allow attackers to gain remote code execution, escalate privileges, or cause denial-of-service conditions.

The security bulletin highlights several vulnerabilities, including:

• CVE-2024-20090 – Out-of-Bounds Write in vdec (High Severity):
  • This vulnerability could allow an attacker to exploit a missing bounds check in the vdec component of affected MediaTek chipsets, leading to a local privilege escalation. The attacker could elevate their privileges to system-level execution without requiring user interaction.
• CVE-2024-20100 – Out-of-Bounds Write in wlan Driver (High Severity):
  • Found in the wlan driver of chipsets, this vulnerability allows remote code execution due to improper input validation. The attack can be carried out without any additional execution privileges or user involvement, making it particularly dangerous for exposed devices on public networks.
• CVE-2024-20093 – Out-of-Bounds Read in vdec (High Severity):
  • A vulnerability in the vdec component that could result in local information disclosure, enabling attackers to gain access to sensitive data stored on the device without needing user interaction.

Affected chipsets include popular models such as MT6761, MT6765, MT6873, MT6893, and many more. These chipsets are widely used in Android devices running various versions of the operating system, including Android 12.0 to 15.0. Additionally, IoT platforms such as Yocto 4.0 and SDK versions are also impacted, raising concerns for businesses and individuals using smart home devices and wearables powered by these platforms.

Many of the vulnerabilities detailed in the bulletin received high severity ratings, particularly those involving remote code execution (RCE) and elevation of privilege (EoP), which pose the most significant threat to users.

The vulnerabilities, including CVE-2024-20103, which targets the wlan firmware, underscore the importance of robust input validation in preventing unauthorized code execution. If left unpatched, these issues could result in the compromise of entire systems, putting both user data and device functionality at risk.

The vulnerabilities listed affect a wide array of MediaTek’s core technologies, from mobile devices to smart platforms, which means that both individual users and businesses relying on IoT technology could be affected. Devices that use MediaTek’s MT8775, MT6985, MT8365, and others are particularly vulnerable, and users are encouraged to check for and install any available patches as soon as possible.

MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches at least two months before public disclosure. Users are strongly encouraged to check with their device manufacturers for updates and apply them as soon as possible to mitigate the risks posed by these vulnerabilities.

Related Posts:

• Over 30% of Android devices have eavesdropping vulnerabilities, MediaTek is releasing an update to fix the vulnerabilities
• CVE-2022-26447: Mediatek Chipsets code execution vulnerability
• CVE-2024-20017 (CVSS 9.8): Zero-Click Exploit Discovered in Popular Wi-Fi Chipsets, PoC Published
• EFF Discovers Corejava Malware Embedded in Dragon Touch KidzPad Y88X 10 Devices