MediaTek Security Bulletin Highlights High Severity Vulnerabilities in Mobile Chipsets
MediaTek, a leading global fabless semiconductor company, has issued a security bulletin disclosing multiple vulnerabilities across its chipset product line. These vulnerabilities impact a range of devices, including smartphones, tablets, AIoT devices, smart displays, and more. The severity of these vulnerabilities ranges from medium to high, with the potential for escalated privileges, arbitrary code execution, and information disclosure.
High-Severity Vulnerabilities Pose Significant Risk
Of particular concern are two high-severity vulnerabilities:
- CVE-2024-20104 (Out-of-Bounds Write in DA): This vulnerability, present in chipsets such as the MT6781, MT6789, MT6835, and others, could allow attackers to escalate privileges by exploiting an out-of-bounds write flaw in the DA component. While this vulnerability requires user interaction for successful exploitation, it underscores the importance of user vigilance in avoiding potentially malicious links or downloads. Affected operating systems include Android 12-15, OpenWrt 19.07, Yocto 4.0, and RDK-B 22Q3.
- CVE-2024-20106 (Type Confusion in m4u): This vulnerability poses a greater risk because it can be exploited without user interaction. A type confusion flaw in the m4u component could enable attackers to execute arbitrary code with system privileges, potentially leading to complete device compromise. Chipsets including the MT6739, MT6761, MT6765, and others are affected, specifically on devices running Android 12-15.
Medium-Severity Vulnerabilities Also Require Attention
In addition to the high-severity vulnerabilities, the bulletin details numerous medium-severity flaws. These primarily involve out-of-bounds read and write vulnerabilities in various components, including DA, atci, ccu, isp, mms, and KeyInstall. These vulnerabilities could lead to information disclosure, privilege escalation, or denial-of-service conditions.
Mitigation and Remediation
MediaTek has already provided the necessary patches to device manufacturers. Users are strongly advised to install the latest security updates as soon as they become available from their device vendors. Manufacturers are urged to expedite the patching process to protect their customers.
Further Information
Detailed information regarding each vulnerability, including affected chipsets and operating system versions, can be found in the official MediaTek Product Security Bulletin.