Qualcomm chip vulnerability enables remote attack by voice call

Qualcomm disclosed a critical vulnerability on New Year’s Day that would allow remote attacks via malicious voice calls over LTE networks.

The January 2024 security bulletin lists a total of 26 vulnerabilities, including four critical vulnerabilities, affecting Qualcomm chipsets. Patches have already been made available to original equipment manufacturers (OEMs) whose devices use Qualcomm chips, including those in the popular Snapdragon series.

Critical Qualcomm vulnerability poses risk when receiving calls over LTE

The most severe bug, tracked as CVE-2023-33025, has a CVSS score of 9.8, according to Qualcomm. This vulnerability involves a classic buffer overflow flaw causing memory corruption in the data modem, which occurs during Voice-over-LTE (VoLTE) calls when the Session Description Protocol (SDP) body is non-standard.

SDP typically helps facilitate connection between two devices for a communication session, such as a VoLTE call, by providing certain session, media, timing and network information in a standardized format. If a remote attacker can manipulate the SDP body with their own content and initiate a call in which the malicious SDP is processed by the receiving device’s data modem, memory corruption in the modem could be leveraged by the attacker for remote code execution (RCE).
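As an added illustration (not Qualcomm's modem code, and not the specific field behind CVE-2023-33025, which the bulletin does not name), here is how a fixed-buffer SDP attribute parser should treat a non-standard line: every copy is bounded by the destination size, and oversize input is rejected rather than written past the buffer. The record layout, sizes and function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size attribute record, as a constrained modem parser
 * might keep it. Illustrative only; not Qualcomm's code or data layout. */
#define SDP_MAX_ATTR_NAME  32
#define SDP_MAX_ATTR_VALUE 64

typedef struct {
    char name[SDP_MAX_ATTR_NAME];
    char value[SDP_MAX_ATTR_VALUE];
} sdp_attr_t;

/* Parse one "a=<name>[:<value>]" SDP line (without its CRLF) into a fixed
 * record. Returns 0 on success, -1 on malformed or oversize input. The
 * unsafe pattern this guards against is strcpy()/memcpy() with lengths taken
 * from the peer's message rather than from the destination buffer. */
int sdp_parse_attr(const char *line, size_t len, sdp_attr_t *out) {
    if (len < 3 || memcmp(line, "a=", 2) != 0) return -1;
    const char *body = line + 2;
    size_t body_len = len - 2;
    const char *colon = memchr(body, ':', body_len);
    size_t name_len = colon ? (size_t)(colon - body) : body_len;
    size_t value_len = colon ? body_len - name_len - 1 : 0;
    /* Bound every copy by the destination, leaving room for the NUL. */
    if (name_len == 0 || name_len >= SDP_MAX_ATTR_NAME) return -1;
    if (value_len >= SDP_MAX_ATTR_VALUE) return -1;
    memcpy(out->name, body, name_len);
    out->name[name_len] = '\0';
    if (colon) memcpy(out->value, colon + 1, value_len);
    out->value[value_len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed inputs: a normal VoLTE codec line and an oversize one. */
    const char *ok = "a=rtpmap:96 AMR-WB/16000";
    char big[200];
    memset(big, 'A', sizeof big);
    memcpy(big, "a=fmtp:", 7);
    sdp_attr_t a;
    printf("normal line: %s\n", sdp_parse_attr(ok, strlen(ok), &a) == 0 ? "accepted" : "rejected");
    printf("oversize line: %s\n", sdp_parse_attr(big, sizeof big, &a) == 0 ? "accepted" : "rejected");
    return 0;
}
```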

A Qualcomm spokesperson told SC Media that such exploitation, while possible, would be difficult to achieve, as the attacker would need to have control over the LTE network itself for the attack to work. Thus, users are advised to only connect to secure, trusted LTE networks.

CVE-2023-33025 affects two dozen Qualcomm chipsets, including the Snapdragon 680 and Snapdragon 685 4G Mobile Platforms. These chips are used in a range of smartphones and tablets including models in the Samsung Galaxy, Motorola Moto and Huawei Enjoy and Nova product series. The newer Snapdragon X65 5G Modem and Snapdragon X70 Modem RF Systems are also affected.

OEMs were first notified about the flaw on July 7, 2023, giving them about six months prior to the disclosure to update their systems. A Qualcomm spokesperson told SC Media that CVE-2023-33025 will be included in the January 2024 Android security bulletin Tuesday.

Other critical bugs risk permanent DoS, local attacks

Three local access vulnerabilities are also labeled as critical, including one that could cause permanent DoS and two others resulting in memory corruption.

CVE-2023-33036, which was given a critical security rating by Qualcomm and high CVSS score of 7.1, causes permanent disruption of hypervisor software due to NULL pointer dereferencing. The problem occurs when an untrusted virtual machine without Power State Coordination Interface (PSCI) support makes a PSCI call (i.e. a request related to power management). This vulnerability affects more than 100 chipsets, including many in the Snapdragon series.

CVE-2023-33030, given a CVSS score of 9.3, is another buffer overflow bug that results in memory corruption in the high-level operating system (HLOS) when running a Microsoft PlayReady use-case (i.e. playing a media file protected by PlayReady’s copy prevention technology). This vulnerability impacts more than 200 chipsets ranging from smartphone and computer chips to those used in wearables and other IoT devices.

CVE-2023-33032 also has a CVSS score of 9.3 and is an integer overflow or wraparound flaw. Memory corruption in the ARM TrustZone Secure OS can occur when memory allocation is requested from the Trusted Application (TA) region. This flaw affects more than 100 Qualcomm chipsets.

Customers were notified about all these critical flaws on July 3, 2023, and all the bugs are addressed through software patches provided by Qualcomm. The company advises users of devices containing affected chips to contact the device manufacturers for information about patching status and apply all available updates.