Qualcomm has launched safety patches for a zero-day vulnerability within the Digital Sign Processor (DSP) service that impacts dozens of chipsets.
The safety flaw (CVE-2024-43047) was reported by Google Mission Zero’s Seth Jenkins and Amnesty Worldwide Safety Lab’s Conghui Wang, and it’s attributable to a use-after-free weak spot that may result in reminiscence corruption when efficiently exploited by native attackers with low privileges.
“At the moment, the DSP updates header buffers with unused DMA deal with fds. Within the put_args part, if any DMA deal with FDs are current within the header buffer, the corresponding map is freed,” as defined in a DSP kernel commit.
“Nevertheless, because the header buffer is uncovered to customers in unsigned PD, customers can replace invalid FDs. If this invalid FD matches with any FD that’s already in use, it may result in a use-after-free (UAF) vulnerability.”
As the corporate cautioned in a Monday safety advisory, safety researchers with Google’s Risk Evaluation Group and Amnesty Worldwide Safety Lab tagged the vulnerability as exploited within the wild. Each teams are recognized for locating zero-day bugs exploited in adware assaults focusing on the cellular gadgets of high-risk people, together with journalists, opposition politicians, and dissidents.
“There are indications from Google Risk Evaluation Group that CVE-2024-43047 could also be underneath restricted, focused exploitation,” Qualcomm warned right now. “Patches for the problem affecting FASTRPC driver have been made out there to OEMs along with a robust advice to deploy the replace on affected gadgets as quickly as attainable. “
Qualcomm additionally urged customers to contact their gadget producer for extra particulars concerning their particular gadgets’ patch standing.
At this time, the corporate additionally mounted an virtually most severity flaw (CVE-2024-33066) within the WLAN Useful resource Supervisor reported greater than a 12 months in the past and attributable to an improper enter validation weak spot that would result in reminiscence corruption.
In October final 12 months, Qualcomm additionally warned that attackers have been exploiting three zero-day vulnerabilities in its GPU and Compute DSP drivers within the wild.
In keeping with experiences from Google’s Risk Evaluation Group (TAG) and Mission Zero groups, it was used for restricted, focused exploitation. Google and Qualcomm are but to disclose further info on these assaults.
In recent times, Qualcomm has additionally patched chipset vulnerabilities that would enable attackers to entry customers’ media recordsdata, textual content messages, name historical past, and real-time conversations.
Qualcomm additionally mounted flaws in its Snapdragon Digital Sign Processor (DSP) chip, permitting hackers to regulate smartphones with out consumer interplay, spy on their customers, and create unremovable malware able to evading detection.
KrØØk, one other vulnerability patched in 2020, enabled attackers to decrypt some WPA2-encrypted wi-fi community packets, whereas yet one more now-fixed bug allowed entry to crucial knowledge.