Qualcomm has launched security patches for a zero-day vulnerability within the Digital Sign Processor (DSP) service that impacts dozens of chipsets.
The security flaw (CVE-2024-43047) was reported by Google Venture Zero’s Seth Jenkins and Amnesty Worldwide Safety Lab’s Conghui Wang, and it’s brought on by a use-after-free weak spot that may result in reminiscence corruption when efficiently exploited by native attackers with low privileges.
“At the moment, the DSP updates header buffers with unused DMA deal with fds. Within the put_args part, if any DMA deal with FDs are current within the header buffer, the corresponding map is freed,” as defined in a DSP kernel commit.
“Nonetheless, for the reason that header buffer is uncovered to customers in unsigned PD, customers can replace invalid FDs. If this invalid FD matches with any FD that’s already in use, it might result in a use-after-free (UAF) vulnerability.”
As the corporate cautioned in a Monday security advisory, security researchers with Google’s Risk Evaluation Group and Amnesty Worldwide Safety Lab tagged the vulnerability as exploited within the wild. Each teams are identified for locating zero-day bugs exploited in spy ware assaults concentrating on the cellular gadgets of high-risk people, together with journalists, opposition politicians, and dissidents.
“There are indications from Google Risk Evaluation Group that CVE-2024-43047 could also be underneath restricted, focused exploitation,” Qualcomm warned at the moment. “Patches for the problem affecting FASTRPC driver have been made out there to OEMs along with a robust suggestion to deploy the replace on affected gadgets as quickly as doable. “
Qualcomm additionally urged customers to contact their gadget producer for extra particulars concerning their particular gadgets’ patch standing.
At present, the corporate additionally mounted an virtually most severity flaw (CVE-2024-33066) within the WLAN Useful resource Supervisor reported greater than a yr in the past and brought on by an improper enter validation weak spot that might result in reminiscence corruption.
In October final yr, Qualcomm additionally warned that attackers had been exploiting three zero-day vulnerabilities in its GPU and Compute DSP drivers within the wild.
In accordance with reviews from Google’s Risk Evaluation Group (TAG) and Venture Zero groups, it was used for restricted, focused exploitation. Google and Qualcomm are but to disclose extra info on these assaults.
Lately, Qualcomm has additionally patched chipset vulnerabilities that might enable attackers to entry customers’ media recordsdata, textual content messages, name historical past, and real-time conversations.
Qualcomm additionally mounted flaws in its Snapdragon Digital Sign Processor (DSP) chip, permitting hackers to manage smartphones with out person interplay, spy on their customers, and create unremovable malware able to evading detection.
KrØØk, one other vulnerability patched in 2020, enabled attackers to decrypt some WPA2-encrypted wi-fi community packets, whereas one more now-fixed bug allowed entry to vital information.
