[CDP-development] TLP:GREEN - (Vulnerability Alert Notification) - Qualcomm Multiple Chipset vulnerabilities

[CSS Security Operations Services * DAS]

Good afternoon,

The SOC Services team is reporting on the vulnerability: CVE-2023-33106, CVE-2023-33063, CVE-2023-33107, & CVE-2022-22071: Qualcomm Multiple Chipset vulnerabilities. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On December 5, 2023, CISA added four vulnerabilities to the Known Exploited Vulnerabilities Catalog. The vulnerabilities all affect Qualcomm Chipsets. Details for each vulnerability will be found below.

CVE-2023-33106 - Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability
CVE-2023-33063 - Qualcomm Multiple Chipsets Use-After-Free Vulnerability
CVE-2023-33107 - Qualcomm Multiple Chipsets Integer Overflow Vulnerability
CVE-2022-22071 - Qualcomm Multiple Chipsets Use-After-Free Vulnerability

Due to an extensive list of affected chipsets a link to Qualcomm's December Security Bulletin should be used to identify if there may be vulnerable chipsets in your environment. The security bulletin can be found here; https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html.

The security bulletin for CVE-2022-22071 can be found here; https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2022-bulletin.html.

Intelligence: As of December 5, 2023, the vulnerability has been confirmed as being exploited in the wild.

Workarounds: As the list of vulnerable chipsets is extensive no workaround details will be provided. Please consult Qualcomm's December Security Bulletin which can be found here; https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html.

The security bulletin for CVE-2022-22071 can be found here; https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2022-bulletin.html.

How it works: Researchers have not released details of how these vulnerabilities have been exploited.

Post-Exploit: Additional post exploit information is not available at this time.

As of December 5, 2023, Tenable has not released any plugins for the vulnerabilities and does not have any plugins in the pipeline.
Recommended Actions:


  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


[cid:image001.png at 01DA2776.F44D6CF0]
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20231205/0421958b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 21907 bytes
Desc: image001.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20231205/0421958b/attachment-0001.png>