Recently, Qualcomm issued an important security warning revealing that as many as 64 of its chipsets are exposed to a serious "zero-day bug". The vulnerability is tracked as CVE-2024-43047 and has a wide impact, affecting multiple Android smartphones and tablets equipped with Snapdragon chips, as well as IoT devices and other product categories.
"Zero-day bug" refers to a security vulnerability that is not yet known to the software manufacturer or operating system vendor. Attackers can exploit such vulnerabilities to attack a system without being detected, steal data, or execute malicious code.
According to Qualcomm's announcement, CVE-2024-43047 stems from a use-after-free error in the digital signal processor (DSP) service, which may cause memory corruption. The CVSS score of this vulnerability is 7.8, indicating that its severity is high. It is worth noting that this vulnerability has been exploited in a limited and targeted manner, and attackers can control the device by running malicious code.
The US cybersecurity agency CISA has added the Qualcomm vulnerability to its Known Exploited Vulnerabilities catalog.
The vulnerability was discovered and disclosed jointly by Google's Security Analysis Group and Amnesty International Security Lab, and malicious attackers have begun to exploit it. This puts affected users at risk of privacy leaks, loss of control over their devices, and malware installation.
The existence of this vulnerability may lead to the following serious consequences:
- Data leakage: attackers can obtain sensitive user information such as address books, photos, bank accounts, etc. through the vulnerability, resulting in privacy leakage;
- System paralysis: malicious attacks may cause the device system to crash, affecting the normal use of users;
- Remote control: attackers may even be able to remotely control the device through the vulnerability, and then carry out more complex crimes.
Qualcomm has released a security patch for the vulnerability and recommends that all users update their device firmware as soon as possible to avoid potential security threats. However, users who have not yet updated their phones still need to remain vigilant.
The vulnerability is reported to affect the following 64 chipset models produced by Qualcomm:
FastConnect 6700, FastConnect 6800, FastConnect 6900, FastConnect 7800, QAM8295P, QCA6174A, QCA6391, QCA6426, QCA6436, QCA6574AU, QCA6584AU, QCA6595, QCA6595AU, QCA6688AQ, QCA6696, QCA6698AQ, QCS410, QCS610, QCS6490, Qualcomm® Video Collaboration VC1 Platform, Qualcomm® Video Collaboration VC3 Platform, SA4150P, SA4155P, SA6145P, SA6150P, SA6155P, SA8145P, SA8150P, SA8155P, SA8195P, SA8295P, SD660, SD865 5G, SG4150P, Snapdragon 660 Mobile Platform, Snapdragon 680 4G Mobile Platform, Snapdragon 685 4G Mobile Platform (SM6225-AD), Snapdragon 8 Gen 1 Mobile Platform, Snapdragon 865 5G Mobile Platform, Snapdragon 865+ 5G Mobile Platform (SM8250-AB), Snapdragon 870 5G Mobile Platform (SM8250-AC), Snapdragon 888 5G Mobile Platform, Snapdragon 888+ 5G Mobile Platform (SM8350-AC), Snapdragon Auto 5G Modem-RF, Snapdragon Auto 5G Modem-RF Gen 2, Snapdragon X55 5G Modem-RF System, Snapdragon XR2 5G Platform, SW5100, SW5100P, SXR2130, WCD9335, WCD9341, WCD9370, WCD9375, WCD9380, WCD9385, WCN3950, WCN3980, WCN3988, WCN3990, WSA8810, WSA8815, WSA8830, WSA8835
These chips may be used in devices such as the Samsung Galaxy S22 Ultra, OnePlus 10 Pro, Sony Xperia 1 IV, OPPO Find X5 Pro, Honor Magic4 Pro, and Xiaomi 12. The list also includes Snapdragon modems and FastConnect modules for Bluetooth and Wi-Fi connections.
The affected Qualcomm chip models span many series, from the entry-level to the high-end market. Device manufacturers need to pay close attention to the latest developments from Qualcomm and apply the relevant patches in a timely manner to ensure product security. Users should remain vigilant, check for device system updates regularly, and follow manufacturer recommendations for security settings.