December 12, 2023

Qualcomm Vulnerabilities in Android Devices

Lookout Coverage and Recommendation for Admins

Vulnerabilities in device chipsets often seem less straightforward than software vulnerabilities. Sometimes they are impossible to patch, and users of affected devices have to either get a newer model or live with the potential risk of being attacked. Luckily, these vulnerabilities are all covered in Android Security Patch Level ASPL-2023-12-05 and can be fixed as long as the user runs the software update on their Android device.

To ensure your devices are protected, Lookout admins should log in to their Lookout console and confirm that the “Patch Level Out-of-Date” policy is enabled for their fleet. They can then choose whether to alert the user that the device is out of compliance or block access to work apps until the ASPL is updated to the latest version.

In addition, it’s always good practice to ensure that Phishing and Content Protection is enabled to protect employees from malicious webpages that could be used to deliver malware or trigger certain device functions in order to exploit these vulnerabilities. 

Overview 

Qualcomm, which has long been a leader in creating hardware for mobile devices and connectivity, released a security bulletin acknowledging three critical vulnerabilities in multiple chipsets that it produces. We will explain what each of these descriptions means in the following section.

Each of these vulnerabilities is due to memory corruption and has active exploits in the wild. They have been assigned CVSS scores of 7.8, 8.4, and 8.4 respectively:

  • CVE-2023-33063 exists in the digital signal processor (DSP) services and is a use-after-free vulnerability, which could enable the attacker to execute remote code on the target device.
  • CVE-2023-33106 exists in the graphics processor and results in an out-of-range pointer offset, which could enable the attacker to read or write memory outside of a memory object’s assigned boundaries. 
  • CVE-2023-33107 exists in the graphics processing capabilities and is an integer overflow or wraparound vulnerability, which could enable the attacker to gain access to out-of-bounds memory locations.

Lookout Analysis

These vulnerabilities exist in processes that communicate with chips in the device. One is in the DSP services, the SDK running on Android that communicates with the digital signal processor (DSP), a microprocessor used to convert signals such as audio and voice. The other two are in the graphics processing capabilities that convert information from the graphics chip into what we see on the screen of our devices.

CVE-2023-33063 is a use-after-free (UAF) vulnerability related to incorrect use of dynamic memory on the device. Dynamic memory lets complex programs and functions adapt to the varying amount of memory they need. A UAF vulnerability occurs when dynamic memory containing a data object is freed and then allocated to a new object. An attacker may be able to cause the code that still references the old object to access or overwrite all or part of the new object. This can lead to data corruption, a crash or execution of attacker-controlled code.
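One common defence against stale references of this kind is to hand out handles that carry a generation counter, shown here as an added example that is not from the original page or from any vendor code. The object table, handle type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS 4u
/* Hypothetical object table (illustrative names); gen changes on every free. */
struct slot { uint32_t gen; int in_use; int payload; };
static struct slot table[SLOTS];

/* A handle records the slot index and the generation it was issued for. */
typedef struct { uint32_t idx; uint32_t gen; } handle_t;

/* Take the first free slot; returns 0 on success, -1 when the table is full. */
int obj_alloc(int payload, handle_t *out)
{
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].in_use)
            continue;
        table[i].in_use = 1;
        table[i].payload = payload;
        *out = (handle_t){ i, table[i].gen };
        return 0;
    }
    return -1;
}

/* Resolve a handle; a stale, freed or out-of-range handle yields NULL. */
int *obj_get(handle_t h)
{
    int live = h.idx < SLOTS && table[h.idx].in_use && table[h.idx].gen == h.gen;
    return live ? &table[h.idx].payload : NULL;
}

/* Free a slot and bump its generation so earlier handles stop resolving. */
void obj_free(handle_t h)
{
    if (obj_get(h) == NULL)
        return;                         /* stale handle or repeated free */
    table[h.idx].in_use = 0;
    table[h.idx].gen++;
}

int main(void)
{
    handle_t a, b;
    obj_alloc(111, &a);
    obj_free(a);
    obj_alloc(222, &b);                 /* reuses the slot a referred to */
    printf("stale handle resolves: %d\n", obj_get(a) != NULL);
}
```

The second allocation lands in the slot the first one used, which is the reuse the paragraph describes; the generation mismatch is what keeps the old handle from reaching the new object.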

CVE-2023-33106 is a vulnerability that an attacker could exploit by offsetting one of the pointers in the device’s graphics processor. Pointers are used within programs to reference or access certain parts of the device’s memory, and occasionally the developer will build in an offset to access specific structured data. If the attacker can influence the offset, they could use it to read or write to memory locations that are “out of range” of the memory object and access or corrupt other data. This may allow them to execute malicious code.  

CVE-2023-33107 is an integer overflow or wraparound vulnerability, which occurs when a number is too large to fit in its intended destination in memory. An attacker could intentionally provide an excessively large number to the vulnerable code to manipulate memory allocation or pointer offsets, resulting in the ability to corrupt data outside of the intended memory object. This may enable them to corrupt data and execute arbitrary code on the device.
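The wraparound and the out-of-range offset described in the two paragraphs above can both be seen in a single size check, given here as an added example that is not from the original page or from Qualcomm's code. The request structure, function names and sample values are hypothetical and constructed for illustration; the flawed function only evaluates the check and never touches memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request from an untrusted caller (illustrative field names). */
struct region_req {
    uint32_t offset;  /* byte offset of the region inside the buffer */
    uint32_t count;   /* number of elements */
    uint32_t stride;  /* bytes per element */
};

/* Constructed sample requests against a 4096-byte buffer. */
static const struct region_req REQ_VALID    = { 1024u, 256u, 4u };
static const struct region_req REQ_MUL_WRAP = { 0u, 0x40000001u, 4u };
static const struct region_req REQ_ADD_WRAP = { 0xFFFFFFF0u, 32u, 1u };

/* Flawed: count * stride and offset + len are 32-bit and wrap modulo 2^32,
 * so an enormous request can pass as a small one. */
bool region_ok_unchecked(const struct region_req *r, uint32_t buf_size)
{
    uint32_t len = r->count * r->stride;
    return r->offset + len <= buf_size;
}

/* Hardened: reject wraparound first, then compare against the space left
 * after offset, never forming offset + len. */
bool region_ok_checked(const struct region_req *r, uint32_t buf_size,
                       uint32_t *len_out)
{
    if (r->stride != 0 && r->count > UINT32_MAX / r->stride)
        return false;                 /* multiplication would wrap */
    uint32_t len = r->count * r->stride;
    if (r->offset > buf_size || len > buf_size - r->offset)
        return false;                 /* start or end is out of range */
    *len_out = len;
    return true;
}

int main(void)
{
    const struct region_req *reqs[] = { &REQ_VALID, &REQ_MUL_WRAP, &REQ_ADD_WRAP };
    for (int i = 0; i < 3; i++) {
        uint32_t len = 0;
        printf("request %d: unchecked=%d checked=%d\n", i,
               region_ok_unchecked(reqs[i], 4096u),
               region_ok_checked(reqs[i], 4096u, &len));
    }
    return 0;
}
```

Both wrapping requests pass the unchecked test and are rejected by the checked one, while the valid request passes both.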

An attacker might be able to exploit these vulnerabilities with a malicious application or maliciously crafted webpage that triggers the vulnerable functions. For that reason, it could be possible for a threat actor to build a one-click exploit similar to what many surveillanceware families rely on in order to be installed on a vulnerable device.

Authors

Lookout


Platform(s) Affected: Android
Entry Type: Threat Guidances
Threat Type: Vulnerability