SB2023050515 - Multiple vulnerabilities in MediaTek chipsets
Published: May 5, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 25 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-20707)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within ril. A local privileged application can execute arbitrary code.
2) Incorrect Comparison (CVE-ID: CVE-2023-20673)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to type confusion within vcu. A local privileged application can execute arbitrary code.
3) Improper input validation (CVE-ID: CVE-2023-20722)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation within m4u. A local privileged application can execute arbitrary code.
4) Improper input validation (CVE-ID: CVE-2023-20721)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation within isp. A local privileged application can execute arbitrary code.
5) Improper input validation (CVE-ID: CVE-2023-20720)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within pqframework. A local privileged application can execute arbitrary code.
6) Improper input validation (CVE-ID: CVE-2023-20719)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within pqframework. A local privileged application can gain access to sensitive information.
7) Improper input validation (CVE-ID: CVE-2023-20718)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within vcu. A local privileged application can execute arbitrary code.
8) Information exposure (CVE-ID: CVE-2023-20717)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a race condition within vcu. A local privileged application can gain access to sensitive information.
9) Improper input validation (CVE-ID: CVE-2023-20711)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.
10) Improper input validation (CVE-ID: CVE-2023-20710)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.
11) Improper input validation (CVE-ID: CVE-2023-20709)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.
12) Improper input validation (CVE-ID: CVE-2023-20708)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can execute arbitrary code.
13) Improper input validation (CVE-ID: CVE-2023-20706)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within apu. A local application can gain access to sensitive information.
14) Improper Access Control (CVE-ID: CVE-2023-20726)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing permission check within mnld. A local application can gain access to sensitive information.
15) Improper input validation (CVE-ID: CVE-2023-20705)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within apu. A local application can gain access to sensitive information.
16) Improper input validation (CVE-ID: CVE-2023-20704)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within apu. A local application can gain access to sensitive information.
17) Improper input validation (CVE-ID: CVE-2023-20703)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within apu. A local application can gain access to sensitive information.
18) Out-of-bounds write (CVE-ID: CVE-2023-20701)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a logic error within widevine. A local privileged application can execute arbitrary code.
19) Out-of-bounds write (CVE-ID: CVE-2023-20700)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a logic error within widevine. A local privileged application can execute arbitrary code.
20) Improper input validation (CVE-ID: CVE-2023-20699)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within adsp. A local privileged application can execute arbitrary code.
21) Improper input validation (CVE-ID: CVE-2023-20698)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.
22) Improper input validation (CVE-ID: CVE-2023-20697)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within keyinstall. A local privileged application can gain access to sensitive information.
23) Improper input validation (CVE-ID: CVE-2023-20696)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2023-20695)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.
25) Improper input validation (CVE-ID: CVE-2023-20694)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within preloader. A local privileged application can execute arbitrary code.
Remediation
Install update from vendor's website.