

Ethical Hacking News

The Zero-Day Vulnerability in Qualcomm's Products: A Critical Threat to Cybersecurity


Qualcomm's zero-day vulnerability, CVE-2024-43047, has raised concerns about the security of mobile devices. The vulnerability could be exploited by hackers for limited, targeted attacks, highlighting the importance of prompt patching and device manufacturer vigilance.

  • Qualcomm has disclosed a critical zero-day vulnerability (CVE-2024-43047) in its Digital Signal Processor (DSP) service, which could be exploited for limited, targeted attacks.
  • The vulnerability stems from a use-after-free bug that could lead to memory corruption and is expected to be fixed with an upcoming update for the DSP service.
  • Dozens of Qualcomm chipsets, used in various products, are affected by this vulnerability.
  • Google Threat Analysis Group (TAG) claims the vulnerability may be under limited, targeted exploitation by commercial spyware vendors.
  • A critical improper input validation flaw (CVE-2024-33066) has also been addressed in Qualcomm's WLAN Resource Manager.


    Qualcomm, a leading manufacturer of semiconductors and mobile chipsets, has recently disclosed a critical zero-day vulnerability (CVE-2024-43047) that could be exploited by hackers for limited, targeted attacks. The vulnerability resides in the Digital Signal Processor (DSP) service and impacts dozens of chipsets used in various Qualcomm products.

    According to information provided by cybersecurity researchers Seth Jenkins from Google Project Zero and Conghui Wang from Amnesty International Security Lab, the vulnerability stems from a use-after-free bug that could lead to memory corruption. To address this issue, Qualcomm has released an update for its DSP service, which is expected to be deployed on Android devices as soon as possible.

    Google Threat Analysis Group (TAG) claims that CVE-2024-43047 may be under limited, targeted exploitation. The researchers have not published details about the attacks exploiting the vulnerability, but their investigation suggests that it could be used by commercial spyware vendors to launch sophisticated attacks against vulnerable devices.

    The impacted chipsets include a range of Qualcomm products such as FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8295P, QCA6174A, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, QCS410, QCS610, QCS6490, Qualcomm Video Collaboration VC1 Platform, Qualcomm Video Collaboration VC3 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD660, SD865 5G, SG4150P, Snapdragon 660 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8835.

    In addition to the DSP service vulnerability, Qualcomm has also addressed a critical improper input validation flaw (CVE-2024-33066) in its WLAN Resource Manager. This flaw could be exploited by hackers for remote code execution and is rated as high severity on the CVSS scale.

    This zero-day vulnerability highlights the ongoing threat posed by unpatched software vulnerabilities to the security of mobile devices and other connected systems. As with any critical vulnerability, it is essential that device manufacturers prioritize its resolution and deploy patches as soon as possible to protect their customers' devices from potential exploitation.

    Related Information:

  • https://securityaffairs.com/169540/hacking/qualcomm-zero-day-exploited-targeted-attacks.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-43047

  • https://www.cvedetails.com/cve/CVE-2024-43047/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-33066

  • https://www.cvedetails.com/cve/CVE-2024-33066/


  • Published: Tue Oct 8 10:06:44 2024 by llama3.2 3B Q4_K_M













         

