Arm and Qualcomm Chips Hit by Multiple Zero-Day Attacks

Qualcomm and Arm have been forced to release security updates to patch several zero-day vulnerabilities exploited in recent targeted attacks against their chips.

Qualcomm said on Tuesday it was informed by the Google Threat Analysis Group (TAG) and Project Zero team that CVE-2023-33106, CVE-2023-33107, CVE-2023-33063 and CVE-2022-22071 “may be under limited, targeted exploitation.”

The first three are previously unseen vulnerabilities, while the last was fixed in Qualcomm’s May 2022 public bulletin. Although the chip giant won’t share details of the zero-day bugs until its December bulletin, updates have been issued.

“Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible,” it said. 

“Please contact your device manufacturer for more information on the patch status about specific devices.”

Qualcomm also patched three critical and 13 high-severity vulnerabilities in its October bulletin.

Of these, CVE-2023-33028 and CVE-2023-24855 are the most serious, with both given a CVSS score of 9.8. The former is a memory corruption issue in the WLAN firmware while the latter is a memory corruption issue in the modem.

Arm was also informed by Google TAG and Project Zero this week of a new zero-day vulnerability, CVE-2023-4211, which it claimed is being actively exploited in targeted attacks.

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” the chip designer said in an advisory.

Affected users are advised to upgrade. The issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.

The bug also affects all versions of the Midgard GPU kernel driver from r12p0 to r32p0, and Arm urged customers of those chip designs to contact its support team.

In the same bulletin, Arm revealed new vulnerabilities CVE-2023-33200 and CVE-2023-34970, which also affect various flavors of its Mali GPU kernel driver and allow “improper GPU memory processing operations.”
