World-famous microcircuit manufacturer, Qualcomm, has released additional information about three highly critical vulnerabilities in their products. The vulnerabilities, which were first discovered in October 2023, affect the Adreno graphics processor and the DSP Services component in Snapdragon chipsets. These vulnerabilities allow attackers to remotely execute arbitrary code on the devices. Qualcomm has stated that the issues have already undergone limited and purposeful exploitation.
The following vulnerabilities have been identified:
CVE-2023-33063 (CVSS: 7.8) – This vulnerability occurs when there is a remote call from the operating system to DSP. It leads to a buffer overflow and can be exploited by attackers to introduce malicious code.
CVE-2023-33106 (CVSS: 8.4) – This vulnerability is found in the Adreno graphics processor integrated in Snapdragon. A problem with memory management occurs when processing an extensive list of synchronization points in the graphics system. These data are transmitted through a special auxiliary command, IOCTL_KGSL_GPU_AUX_Command.
CVE-2023-33107 (CVSS: 8.4) – This vulnerability is similar to the previous one but affects the Linux graphic drivers for Adreno. It allows attackers to deceive the processor and perform unauthorized actions.
In October 2023, the Google Threat Analysis Group (TAG) and the Google Project Zero team reported that these three vulnerabilities, along with CVE-2022-22071, were used in limited target attacks.
The researchers involved in identifying these vulnerabilities include Benois Sevles and Dzhann Khorn from Project Zero, Luckyrb researcher, and the Android Security team.
Users of devices with Qualcomm chips are strongly advised to install security updates from their device manufacturers as soon as possible.
The details of how these vulnerabilities were exploited and the identity of the attackers are still unknown. However, the US Cybersecurity Agency (CISA) has added all three vulnerabilities to its catalog of well-known exploited vulnerabilities (KEV) and has urged federal agencies to apply patches by December 26, 2023.