Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

Qualcomm urges device makers to push patches after 'targeted' exploitation

Given Amnesty's involvement, it's a safe bet spyware is in play

Iain Thomson Tue 8 Oct 2024  //  21:30 UTC

Qualcomm has issued 20 patches for its chipsets' firmware, including one Digital Signal Processor (DSP) software flaw that has been exploited in the wild.

That vulnerability, CVE-2024-43047, carries a CVSS 7.8-out-of-10 severity rating, and was notably reported by both Google's Project Zero team and Amnesty International's code testers. The involvement of the latter indicates this bug has been exploited by either nation-state attackers or commercial surveillanceware vendors, or both.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," Qualcomm said in its advisory for the updates. "Patches for the issue affecting the FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

Ie, those device makers need to push these fixes out to people's gadgets ASAP. Look out for updates to install and apply them.

So far, the CVE-2024-43047 flaw affects Snapdragon 660 and newer models, Qualcomm's 5G modems, and FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kit.

Of the other 19 flaws, there's CVE-2024-33066, a critical improper input validation issue with the WLAN resource manager which has a CVSS score of 9.8. Luckily so far, to our knowledge, this hasn't been exploited yet.

Qualcomm also warned of two other high-severity vulnerabilities - CVE-2024-23369 and CVE-2024-33065. The latter, rated CVSS 8.4, involves memory corruption in the camera driver. Meanwhile, the former is a similar memory flaw, affecting the device's high-level operating system. The chipmaker also released two other patches for medium-severity bugs.

The remaining 14 patches comprise nine high-severity and five medium bugs. Seven cover WLAN operations, three fix issues in the DSP service, and there's a grab-bag of other code improvements - although some of them were noted around a year ago and are only now being fixed.

Qualcomm got its announcement out early today, and we're still waiting to see what Patch Tuesday will bring from Microsoft and others. ®
Send us news
Post a comment

Qualcomm pledges 8 years of security updates for Android kit using its chips (YMMV)

Starting with Snapdragon 8 Elite and 'droid 15

Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws

PoC exploit code shows why this is a patch priority

Oops, some of our customers' Power Pages-hosted sites were exploited, says Microsoft

Don't think this is SaaS and you can relax: Redmond wants a few of you to check your websites

Diversity, equity, and inclusion is not an illusion, but it soon might be

Global tech corps wrestle with policy disparity on either side of the Atlantic

Arm gives up on killing off Qualcomm's vital chip license

The British are coming, the British are coming ... to terms with their loss

Cisco patches two critical Identity Services Engine flaws

One gives root access, the other lets you steal info and reconfig nodes, in the right (or should that be wrong) circumstances

Google patches odd Android kernel security bug amid signs of targeted exploitation

Also, Netgear fixes critical router, access point vulnerabilities

VMware plugs steal-my-credentials holes in Cloud Foundation

Consider patching soon because cybercrooks love to hit vulnerable tools from Broadcom's virtualization giant

Apple plugs security hole in its iThings that's already been exploited in iOS

Cupertino kicks off the year with a zero-day

Qualcomm big cheese Cristiano Amon's pay award jumps 10%

At $25.91M, CEO is worth 261 employees

Asus lets processor security fix slip out early, AMD confirms patch in progress

Answers on a postcard to what 'Microcode Signature Verification Vulnerability' might mean

Don't want your Kubernetes Windows nodes hijacked? Patch this hole now

SYSTEM-level command injection via API parameter *chef's kiss*