Two RCE Bugs (CVE-2023-28562 and CVE-2023-28581) in Qualcomm Chips Expose Billions of Devices to Attacks
In the ever-evolving landscape of technological advancements, ensuring the cybersecurity of widely used products remains paramount. Qualcomm, a global semiconductor giant, recently rose to this challenge by swiftly addressing over 20 vulnerabilities in its September 2023 security advisories, reinforcing its commitment to ensuring the safety of its vast user base.
The spotlight, however, shines brightest on two critical vulnerabilities: CVE-2023-28562 and CVE-2023-28581. Both are remote code execution flaws that have been exposed in Qualcomm’s ESL and WLAN Firmware.
CVE-2023-28562: Buffer Copy Without Checking Size of Input in QESL
Boasting a CVSS score of 9.8, this vulnerability poses a substantial risk. By exploiting a loophole in how payloads from remote ESL are managed, malicious actors could execute arbitrary code on a staggering range of Qualcomm chipsets, from the Snapdragon 460 Mobile Platform to the Vision Intelligence 400 Platform. While the comprehensive list of affected chipsets reads like a who’s-who of the tech world, users of these systems should not delay in ensuring their devices have been updated with the latest security patches.
CVE-2023-28581: Improper Restriction of Operations within the Bounds of a Memory Buffer in WLAN Firmware
Matching its counterpart with an identical CVSS score of 9.8, this flaw stems from memory corruption in WLAN Firmware. An attacker who sends a finely crafted request utilizing GTK Keys in GTK KDE could exploit this vulnerability, further emphasizing the need for users to be ever-vigilant and update their devices. The affected chipsets for this vulnerability include, but are not limited to, the Snapdragon 870 5G Mobile Platform and the Snapdragon XR2 5G Platform.
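Both flaws belong to the class where a length taken from received data drives a copy into a fixed buffer. As an added illustration (not Qualcomm firmware code and not taken from the advisory), the C sketch below shows the bounds checks a receiver needs when copying a group key out of a GTK KDE. The function and struct names are hypothetical, the field layout follows the IEEE 802.11 GTK KDE format, and the 32-byte key limit is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KDE_TYPE      0xdd  /* vendor-specific element ID used by KDEs */
#define KDE_HDR_LEN   2     /* Type + Length octets */
#define GTK_KDE_FIXED 6     /* OUI(3) + Data Type(1) + KeyID/Tx(1) + Reserved(1) */
#define GTK_MAX_LEN   32    /* assumed upper bound for a group key */

struct gtk_info { uint8_t key_id, tx, gtk[GTK_MAX_LEN]; size_t gtk_len; };

/* Hypothetical helper: walk EAPOL-Key key data and copy the GTK out of the
 * first GTK KDE. Returns 0 on success, -1 if malformed or no GTK KDE found. */
int parse_gtk_kde(const uint8_t *buf, size_t len, struct gtk_info *out)
{
    static const uint8_t rsn_oui[3] = { 0x00, 0x0f, 0xac };
    size_t pos = 0;

    while (len - pos >= KDE_HDR_LEN) {
        uint8_t type = buf[pos];
        size_t elen = buf[pos + 1];

        /* Check 1: the declared length must fit in the bytes received. */
        if (elen > len - pos - KDE_HDR_LEN)
            return -1;
        const uint8_t *body = buf + pos + KDE_HDR_LEN;

        if (type == KDE_TYPE && elen >= 4 &&
            memcmp(body, rsn_oui, 3) == 0 && body[3] == 0x01) {
            /* Check 2: length must exceed the fixed fields, so the
             * subtraction below cannot underflow or yield an empty key. */
            if (elen <= GTK_KDE_FIXED)
                return -1;
            size_t gtk_len = elen - GTK_KDE_FIXED;
            /* Check 3: the key must fit the destination buffer. */
            if (gtk_len > GTK_MAX_LEN)
                return -1;
            out->key_id = body[4] & 0x03;
            out->tx = (body[4] >> 2) & 0x01;
            memcpy(out->gtk, body + GTK_KDE_FIXED, gtk_len);
            out->gtk_len = gtk_len;
            return 0;
        }
        pos += KDE_HDR_LEN + elen;  /* skip elements that are not a GTK KDE */
    }
    return -1;
}
```

Dropping any one of the three checks lets a sender-controlled length octet decide how many bytes are read or written, which is the weakness class named in both CVE titles.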
Beyond these two focal points, Qualcomm has tackled an additional three dozen vulnerabilities, each assigned a ‘high severity’ rating. These range from potential code executions, privilege escalations, and information disclosures to possible denial-of-service (DoS) attacks. Fortunately, as of this writing, there’s no evidence that these vulnerabilities are being exploited in active cyber-attacks.
However, it’s essential to grasp the sheer scale of this issue. With Qualcomm chips embedded in an estimated 40% of the world’s smartphones, including flagship devices from Google, LG, OnePlus, Samsung, Xiaomi, and many others, the number of potentially affected users surpasses the 1 billion mark.
Qualcomm has released security updates to address the vulnerabilities. These updates are available for a wide range of Qualcomm chipsets.
Users of devices that are affected by the vulnerabilities are advised to update their devices to the latest security patches as soon as possible.