Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities

CISA has added to its Known Exploited Vulnerabilities Catalog four Qualcomm bugs, including three exploited as zero-days.

The US cybersecurity agency CISA on Tuesday added four bugs impacting multiple Qualcomm chipsets to its Known Exploited Vulnerabilities (KEV) Catalog.

All four issues were identified by Google’s Threat Analysis Group and Google Project Zero, which often report security defects exploited by commercial spyware vendors.

Three of the flaws, tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063, were patched in October 2023 as zero-days, after Qualcomm learned from Google’s researchers that they were likely exploited in the wild.

All three vulnerabilities are described as memory corruption bugs. These types of flaws lead to crashes or unexpected behavior and may allow attackers to gain unauthorized access to systems and even execute arbitrary code.

The fourth vulnerability, CVE-2022-22071, was patched in May 2023, but Google revealed in October that it was likely being exploited as well. The issue is described as a use-after-free bug, which could allow attackers to execute arbitrary code.

Neither Google nor Qualcomm have shared details on the observed exploitation but, given Google’s track record of uncovering exploit chains attributed to spyware vendors, it is possible that all four vulnerabilities were targeted in surveillance campaigns.

Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable appliances and patch the bugs that CISA has added to KEV. For the Qualcomm issues, the deadline is December 26.

BOD 22-01 only applies to federal agencies, but CISA urges all organizations to take the necessary steps to address the security flaws included in its must-patch list.

Advertisement. Scroll to continue reading.

In addition to the Qualcomm bugs, CISA this week added to the KEV catalog two WebKit vulnerabilities that Apple addressed last week. Tracked as CVE-2023-42916 and CVE-2023-42917, the bugs were likely exploited against older iPhones, but Apple patched them in newer iOS and iPadOS versions too, as well as in macOS and Safari.

Related: CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.