A vulnerability in several Qualcomm chipsets allows remote code execution during a phone call. It and other flaws were disclosed in the chipmaker's latest security bulletin. The encouraging part is that the company found the flaws half a year ago and arranged fixes with the OEMs before publishing.
RCE Vulnerability In Qualcomm Chips
The disclosure of a critical RCE vulnerability in Qualcomm chips has raised serious concern in the tech and cybersecurity communities. The flaw, CVE-2023-33025, carries a CVSS score of 9.8 and sits in the modem component of the chipset, the part that handles wireless communication functions such as voice calls and data transmission. Qualcomm's own summary is "memory corruption in Data Modem while processing SDP during a VoLTE call".
The bug is a classic buffer overflow (CWE-120) in the modem firmware, reached while a voice call is being set up. VoLTE call setup carries session-description (SDP) data between the parties, and the modem copies attacker-controlled, variable-length fields from it into fixed-size state without checking that they fit. A specially crafted SDP payload sent during the call setup phase therefore overflows that buffer and lets the attacker take control of execution inside the modem. One caveat a practitioner will want: the crafted data has to travel inside the call's signalling, which passes through the operator's IMS core, so the realistic delivery paths involve the network side (a rogue or compromised base station or IMS infrastructure) as much as a single malicious caller. That is why Qualcomm's advice, given below, includes staying on trusted LTE networks.
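The following block is an added, constructed example of the bug class described above; it is not Qualcomm's modem code, which is not public. It parses one kind of SDP line ("a=rtpmap:<payload type> <codec>/<rate>") into a fixed-size field, first in the vulnerable shape (the length comes straight from the packet and is never compared to the destination) and then in a hardened shape that rejects anything that does not fit. The field size `CODEC_NAME_MAX`, the function names and the two sample SDP lines are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, illustrative example (not Qualcomm's code): the shape of a
   CWE-120 buffer overflow in a call-setup parser. Qualcomm describes
   CVE-2023-33025 as memory corruption while processing SDP during a VoLTE
   call; SDP lines such as "a=rtpmap:<pt> <codec>/<rate>" carry
   attacker-supplied, variable-length fields into fixed-size modem state. */

#define CODEC_NAME_MAX 16   /* hypothetical fixed field size in modem state */

/* Locates the codec-name field of an "a=rtpmap:" line.
   Returns its length, or 0 if the line is not a well-formed rtpmap line. */
static size_t rtpmap_codec_field(const char *line, const char **start)
{
    if (strncmp(line, "a=rtpmap:", 9) != 0) return 0;
    const char *sp = strchr(line + 9, ' ');
    if (sp == NULL) return 0;
    const char *slash = strchr(sp + 1, '/');
    if (slash == NULL || slash == sp + 1) return 0;
    *start = sp + 1;
    return (size_t)(slash - (sp + 1));
}

/* Vulnerable shape: trusts the length derived from the packet and copies
   it into a fixed buffer. A codec name longer than CODEC_NAME_MAX-1 bytes
   writes past the buffer into whatever sits next to it, which is exactly
   what a crafted SDP exploits. Never call this with untrusted input. */
int parse_rtpmap_unsafe(const char *line, char out[CODEC_NAME_MAX])
{
    const char *field;
    size_t len = rtpmap_codec_field(line, &field);
    if (len == 0) return -1;
    memcpy(out, field, len);          /* len is never checked against CODEC_NAME_MAX */
    out[len] = '\0';
    return 0;
}

/* Hardened shape: the destination size is part of the contract and the
   parser rejects (rather than silently truncates) anything that does not
   fit, so a malformed offer cannot corrupt negotiation state. */
int parse_rtpmap_safe(const char *line, char *out, size_t out_size)
{
    const char *field;
    size_t len = rtpmap_codec_field(line, &field);
    if (len == 0 || out_size == 0 || len >= out_size) return -1;
    memcpy(out, field, len);
    out[len] = '\0';
    return 0;
}

/* Reports whether a line would overflow the fixed field in the unsafe
   parser, so the condition can be shown without triggering undefined
   behaviour. Returns 1 if it would, 0 otherwise. */
int rtpmap_would_overflow(const char *line)
{
    const char *field;
    size_t len = rtpmap_codec_field(line, &field);
    return len >= CODEC_NAME_MAX;
}

int main(void)
{
    /* Constructed SDP lines: a benign AMR-WB offer and one with a
       64-byte codec name. */
    const char *benign = "a=rtpmap:97 AMR-WB/16000/1";
    char crafted[128] = "a=rtpmap:97 ";
    memset(crafted + 12, 'A', 64);
    strcpy(crafted + 76, "/16000/1");

    char name[CODEC_NAME_MAX];
    printf("safe(benign)  = %d name=%s\n",
           parse_rtpmap_safe(benign, name, sizeof name), name);
    printf("safe(crafted) = %d\n", parse_rtpmap_safe(crafted, name, sizeof name));
    printf("crafted would overflow the unsafe parser: %d\n",
           rtpmap_would_overflow(crafted));
    return 0;
}
```

The example deliberately never feeds the oversized line to `parse_rtpmap_unsafe`; the point is the missing comparison, and the hardened version shows the two things that matter in firmware parsers: the destination size is passed explicitly rather than assumed, and over-long input is refused instead of truncated, because silently truncating a codec name can desynchronise the two ends of the negotiation.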
Notably, Qualcomm has known about the vulnerability since July 2023, when it notified OEMs so they could prepare updates for their devices. Nor is this the first buffer overflow to surface in Qualcomm silicon.
Qualcomm RCE Vulnerability Impacts Millions of Users
Because the affected parts are among the most widely used chipsets in the smartphone industry, the flaw threatens a very large number of mobile users worldwide. It lives in a critical piece of the phone's firmware, the software embedded in the device's hardware components, and is not tied to any particular handset or operating system: every device built on a vulnerable chipset inherits it. That is the real danger. Modem firmware is patchable, but the fix has to travel from Qualcomm to each OEM and on to each device model and carrier build, and across the variety of devices using the vulnerable chipsets many will receive it late or never.
Affected chipsets (per Qualcomm's bulletin entry for CVE-2023-33025): AR8035, FastConnect 6700, FastConnect 6900, QCA8081, QCA8337, QCM4490, QCN6024, QCN9024, QCS4490, SM4450, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon X65 5G Modem-RF System, Snapdragon X70 Modem-RF System, WCD9370, WCD9375, WCD9380, WCN3950, WCN3988, WSA8810, WSA8815, WSA8830, WSA8832, WSA8835.
As for the potential danger, the CVSS 9.8 rating speaks for itself. A 9.8 is what a flaw receives when it is reachable over the network with no privileges and no user interaction and gives the attacker full control of confidentiality, integrity and availability; for remotely exploitable RCEs that "critical" score is the norm rather than the exception. What sets this one apart is the delivery path. A single crafted packet during call setup yields code execution in the modem, and attackers typically use such a foothold to download, install and run malware. In short, a phone, or any other device built on a vulnerable chipset, can be compromised by a phone call.
Response From Qualcomm And Security Experts
Qualcomm disclosed this vulnerability, among 26 others, in its January 2024 security bulletin. It had notified customers about the critical flaws on July 3, 2023 and supplied software patches to the original equipment manufacturers (OEMs) that use its chips, including the popular Snapdragon series. Users of devices with affected chips are advised to contact their manufacturer for the patching status and to apply all available updates. Qualcomm also advises connecting only to secure, trusted LTE networks, which reduces exposure to the network-side delivery paths described above.
When it Rains, It Pours CVEs
Among the vulnerabilities disclosed by Qualcomm, two others stand out due to their 9+ rating. Let’s have a look.
CVE-2023-33030 (CVSS 9.3) is a memory corruption issue in the High-Level Operating System (HLOS), triggered while running the Microsoft PlayReady use case. It affects an even longer list of Qualcomm products across platforms, including IoT modems and automotive and audio parts. Like CVE-2023-33025, it is a buffer overflow that can lead to arbitrary code execution, though here in the application processor's OS rather than in the modem.
CVE-2023-33032 is a critical memory corruption flaw in the TrustZone (TZ) Secure OS, triggered while the Secure OS services a memory allocation request from the Trusted Application (TA) region. Like CVE-2023-33030, it spans an enormously wide range of chipsets. The root cause is an integer overflow or wraparound (CWE-190): a crafted allocation request makes the size arithmetic wrap, so the Secure OS ends up with a buffer far smaller than the request implies. The prize here is not lateral movement but escalation. Code that already runs in the normal world or inside a trusted application can use a corrupted Secure OS to reach the keys and other secrets that TrustZone exists to isolate from the rest of the device.
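As an added, constructed illustration of the CWE-190 pattern just described (not Qualcomm's TZ code, which is not public), the block below shows a hypothetical secure-world allocator that derives a byte count from a request sent by a trusted application. The vulnerable shape multiplies two caller-controlled 32-bit fields and checks the wrapped result against the pool limit, so a request for 0x80000001 entries of 2 bytes "needs" only 2 bytes; the hardened shape checks the multiplication before trusting it. The pool size, the request layout and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed, illustrative example (not Qualcomm's Secure OS code) of the
   CWE-190 pattern behind bugs like CVE-2023-33032: a secure-world service
   derives an allocation size from a request it received from a trusted
   application, and the arithmetic wraps before the size is checked. */

#define SECURE_POOL_BYTES (64u * 1024u)   /* hypothetical small TZ heap */

struct ta_alloc_request {     /* hypothetical TA -> Secure OS message */
    uint32_t entry_count;     /* both fields are caller-controlled */
    uint32_t entry_size;
};

/* Vulnerable shape: the byte count is computed in 32 bits, so
   0x80000001 entries of 2 bytes "needs" 2 bytes. The pool check passes,
   the reservation is tiny, and any later loop over entry_count entries
   writes far beyond it. Returns the size it would reserve, or 0 if the
   pool check fails. */
uint32_t tz_alloc_size_unsafe(const struct ta_alloc_request *req)
{
    uint32_t bytes = req->entry_count * req->entry_size;  /* may wrap */
    if (bytes > SECURE_POOL_BYTES) return 0;
    return bytes;
}

/* Hardened shape: validate the multiplication itself, then the pool
   limit, and only then allocate. Returns 0 on success and hands back the
   buffer and its true size; -1 on any rejection. */
int tz_alloc_safe(const struct ta_alloc_request *req, void **out, size_t *out_bytes)
{
    *out = NULL;
    *out_bytes = 0;
    if (req->entry_count == 0 || req->entry_size == 0) return -1;
    /* Overflow check that never looks at a wrapped value; equivalent to
       __builtin_mul_overflow on GCC/Clang. */
    if (req->entry_count > UINT32_MAX / req->entry_size) return -1;
    uint32_t bytes = req->entry_count * req->entry_size;
    if (bytes > SECURE_POOL_BYTES) return -1;
    void *p = calloc(1, bytes);
    if (p == NULL) return -1;
    *out = p;
    *out_bytes = bytes;
    return 0;
}

/* Compares the real requirement with what the 32-bit arithmetic claimed.
   Returns 1 if the request wraps, 0 otherwise. */
int request_wraps(const struct ta_alloc_request *req)
{
    uint64_t real = (uint64_t)req->entry_count * req->entry_size;
    return real != (uint64_t)(uint32_t)real;
}

int main(void)
{
    /* Constructed requests: a benign one and one chosen to wrap. */
    struct ta_alloc_request benign  = { 16, 64 };
    struct ta_alloc_request crafted = { 0x80000001u, 2 };
    void *buf;
    size_t n;

    printf("unsafe size(benign)  = %u\n", tz_alloc_size_unsafe(&benign));
    printf("unsafe size(crafted) = %u (wrapped: %d)\n",
           tz_alloc_size_unsafe(&crafted), request_wraps(&crafted));
    printf("safe(crafted) = %d\n", tz_alloc_safe(&crafted, &buf, &n));
    if (tz_alloc_safe(&benign, &buf, &n) == 0) {
        printf("safe(benign) = %zu bytes\n", n);
        free(buf);
    }
    return 0;
}
```

The unsafe function only reports the size it would reserve, so the wrap is visible without performing the out-of-bounds writes that would follow in real code. The design point for a secure OS is that every size that originates outside the trust boundary is checked as a product of its factors, not as a finished number, because by the time the number exists the information needed to reject it is gone.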
As noted above, Qualcomm says all of these vulnerabilities are fixed in the software patches it handed to OEMs. Whether a given phone has received them depends on its manufacturer and carrier, so users should install every available update as soon as possible and, if none arrives, ask the manufacturer about the patching status.