High-severity Qualcomm zero-day vulnerability under attack
Qualcomm urges customers to patch the memory corruption vulnerability, as Google researchers have observed targeted exploitation of the flaw in the wild.
Google and Amnesty International discovered a high-severity zero-day vulnerability in Qualcomm chipsets that is under targeted attack.
Qualcomm published a security bulletin on Monday for a memory corruption vulnerability tracked as CVE-2024-43047. The digital signal processor service flaw affects many versions of Qualcomm chipsets that include the FastRPC driver.
The company credited Seth Jenkins, security researcher at Google Project Zero, and Conghui Wang from Amnesty International Security Lab for reporting the vulnerability on July 29. Qualcomm began notifying customers on Sept. 2.
Qualcomm warned that the zero-day vulnerability is being actively exploited in the wild.
"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation. Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible," Qualcomm wrote in the security bulletin.
The use-after-free vulnerability could lead to remote code execution or let an attacker escalate privileges. CVE-2024-43047 received a 7.8 CVSS score. According to the patch instructions, the fix works by adding direct memory access handle references.
In a post on X, formerly Twitter, on Monday, Jenkins said patches for Android devices will "hopefully" be available soon. He also said Project Zero collaborated with Google's Threat Analysis Group (TAG) in addition to Amnesty International.
I found an issue in collaboration with Amnesty and TAG that we have indication may be used ITW, CVE-2024-43047. See https://t.co/yvGrGxw5kv for the details. Hopefully the bug will be patched on Android devices very soon ....
— Seth Jenkins (@__sethJenkins) October 7, 2024
The scope of exploitation activity is unclear. A Qualcomm spokesperson sent the following statement to TechTarget Editorial:
Developing technologies that endeavor to support robust security and privacy is a priority for Qualcomm Technologies. We commend the researchers from Google Project Zero and Amnesty International Security Lab for using coordinated disclosure practices. Regarding their FastRPC driver research, fixes have been made available to our customers as of September 2024. We encourage end users to apply security updates as they become available from device makers.
TechTarget Editorial contacted Google and Amnesty International, but had not received responses at press time.
While the exploitation activity has not been attributed to any threat actor or entity, TAG and Amnesty International have been heavily involved in spyware research in recent years. For example, in a report earlier this year, TAG warned that commercial surveillance vendors (CSVs) were driving exploitation of zero-days. In the report, Google attributed 50% of known zero-day exploits used against its own products to CSVs and urged increased government action to combat the ongoing abuse of spyware.
In 2022, Amnesty International was involved in the Pegasus Project, a collaborative effort that worked to expose NSO Group's Pegasus spyware being used against human rights activists, journalists and government leaders.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.