Qualcomm urges device makers to push patches after 'targeted' exploitation

Given Amnesty's involvement, it's a safe bet spyware is in play

by · The Register

Qualcomm has issued 20 patches for its chipsets' firmware, including one Digital Signal Processor (DSP) software flaw that has been exploited in the wild.

That vulnerability, CVE-2024-43047, carries a CVSS 7.8-out-of-10 severity rating, and was notably reported by both Google's Project Zero team and Amnesty International's code testers. The involvement of the latter indicates this bug has been exploited by either nation-state attackers or commercial surveillanceware vendors, or both.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," Qualcomm said in its advisory for the updates. "Patches for the issue affecting the FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

Ie, those device makers need to push these fixes out to people's gadgets ASAP. Look out for updates to install and apply them.

So far, the CVE-2024-43047 flaw affects Snapdragon 660 and newer models, Qualcomm's 5G modems, and FastConnect 6700, 6800, 6900, and 7800 Wi-Fi/Bluetooth kit.

Of the other 19 flaws, there's CVE-2024-33066, a critical improper input validation issue with the WLAN resource manager which has a CVSS score of 9.8. Luckily so far, to our knowledge, this hasn't been exploited yet.

Qualcomm also warned of two other high-severity vulnerabilities - CVE-2024-23369 and CVE-2024-33065. The latter, rated CVSS 8.4, involves memory corruption in the camera driver. Meanwhile, the former is a similar memory flaw, affecting the device's high-level operating system. The chipmaker also released two other patches for medium-severity bugs.

The remaining 14 patches comprise nine high-severity and five medium bugs. Seven cover WLAN operations, three fix issues in the DSP service, and there's a grab-bag of other code improvements - although some of them were noted around a year ago and are only now being fixed.

Qualcomm got its announcement out early today, and we're still waiting to see what Patch Tuesday will bring from Microsoft and others. ®

'Critical' CUPS vulnerability chain easy to use for massive DDoS attacksAlso, rooting for Russian cybercriminals, a new DDoS record, sneaky Linux server malware and moreBrandon Vigliarolo, 07 Oct 2024'Patch yesterday': Zimbra mail servers under siege through RCE vulnAttacks began the day after public disclosureConnor Jones, 02 Oct 2024Rackspace internal monitoring web servers hit by zero-dayIntruders accessed machines via tool bundled with ScienceLogic, 'limited' info taken, customers told not to worryJessica Lyons, 30 Sep 2024Extracting vendor promises won't fix cybersecurity. Extracting teeth mightOne branch of tech has learned to work together to solve the near-impossible. Now it's our turnRupert Goodwins, 30 Sep 2024