Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

Qualcomm urges device makers to push patches after 'targeted' exploitation

Given Amnesty's involvement, it's a safe bet spyware is in play

Iain Thomson Tue 8 Oct 2024  //  21:30 UTC

Qualcomm has issued 20 patches for its chipsets' firmware, including one Digital Signal Processor (DSP) software flaw that has been exploited in the wild.

That vulnerability, CVE-2024-43047, carries a CVSS 7.8-out-of-10 severity rating, and was notably reported by both Google's Project Zero team and Amnesty International's code testers. The involvement of the latter indicates this bug has been exploited by either nation-state attackers or commercial surveillanceware vendors, or both.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," Qualcomm said in its advisory for the updates. "Patches for the issue affecting the FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

Ie, those device makers need to push these fixes out to people's gadgets ASAP. Look out for updates to install and apply them.

So far, the CVE-2024-43047 flaw affects Snapdragon 660 and newer models, Qualcomm's 5G modems, and FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kit.

Of the other 19 flaws, there's CVE-2024-33066, a critical improper input validation issue with the WLAN resource manager which has a CVSS score of 9.8. Luckily so far, to our knowledge, this hasn't been exploited yet.

Qualcomm also warned of two other high-severity vulnerabilities - CVE-2024-23369 and CVE-2024-33065. The latter, rated CVSS 8.4, involves memory corruption in the camera driver. Meanwhile, the former is a similar memory flaw, affecting the device's high-level operating system. The chipmaker also released two other patches for medium-severity bugs.

The remaining 14 patches comprise nine high-severity and five medium bugs. Seven cover WLAN operations, three fix issues in the DSP service, and there's a grab-bag of other code improvements - although some of them were noted around a year ago and are only now being fixed.

Qualcomm got its announcement out early today, and we're still waiting to see what Patch Tuesday will bring from Microsoft and others. ®
Send us news
Post a comment

As Arm rivals cook up custom silicon, Mediatek sticks to tried-and-true Cortex recipe

Exec Chris Bergey tells us what the chip designer is doing to stay competitive

Qualcomm unveils Snapdragon 8 Elite with custom cores for Android phones

New flagship SoC drops Arm and grows its own legs with Oryon

Arm reportedly warns Qualcomm it will cancel its licenses

Qualcomm brands ploy as 'unfounded' cash grab

Arm to Qualcomm: See you in court? Oh yes, please

Doesn't quite confirm eight-week license cancellation deadline, but does strap on the gloves

Windows Themes zero-day bug exposes users to NTLM credential theft

Plus a free micropatch until Redmond fixes the flaw

Qualcomm 'pausing' X-Elite Dev Kit, offering refunds

Five months in, only 200 units reached customers, Qualy tells El Reg

Emergency patch: Cisco fixes bug under exploit in brute-force attacks

Who doesn't love abusing buggy appliances, really?

Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch

Plus, a POC to make it extra easy for attackers

Beijing claims it's found 'underwater lighthouses' that its foes use for espionage

Release the Kraken!

VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time

If the first patches don't work, try, try again

Microsoft issues 117 patches – some for flaws already under attack

Plus: SAP re-patches a failed patch for critical-rated flaw

Intel hits back at China's accusations it bakes in NSA backdoors

Chipzilla says it obeys the law wherever it is, which is nice