December 6, 2023 at 12:42AM
Qualcomm disclosed details on three high-severity security flaws with CVSS scores ranging from 7.8 to 8.4, known to be exploited in targeted attacks. These vulnerabilities, reported by researchers at Google and others, are now in the CISA’s KEV catalog, with federal agencies instructed to patch by December 26. Additionally, Android’s December updates address 85 issues, including a critical System component flaw.
From the meeting notes, the following takeaways can be summarized:
1. Qualcomm has revealed information regarding three high-severity security flaws that were subjected to “limited, targeted exploitation” in October 2023.
2. The security vulnerabilities described are:
– CVE-2023-33063 with a CVSS score of 7.8, involving memory corruption in DSP Services.
– CVE-2023-33106 with a CVSS score of 8.4, involving memory corruption in Graphics with certain commands.
– CVE-2023-33107 with a CVSS score of 8.4, involving memory corruption in Graphics Linux with virtual memory assignment.
3. These vulnerabilities, along with a fourth one from 2022 (CVE-2022-22071 with a CVSS score of 8.4), were reported to have been exploited in the wild, as identified by Google’s Threat Analysis Group and Project Zero in October 2023.
4. Contributors to reporting the vulnerabilities include a security researcher named luckyrb, the Google Android Security team, and TAG researchers Benoît Sevens and Jann Horn.
5. Details regarding the exploitation methodology and the attackers remain unknown.
6. CISA has responded by including these bugs in the Known Exploited Vulnerabilities catalog and has issued a directive for federal agencies to apply the security patches by December 26, 2023.
7. Google has also announced that its December 2023 Android security updates will address 85 issues, among which is a critical System component flaw tracked as CVE-2023-40088, capable of proximal remote code execution without user interaction or additional privileges.
8. The article suggests following the newsroom on Twitter and LinkedIn for more content.