SB2023110715 - Multiple vulnerabilities in Qualcomm chipsets
Published: November 7, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 23 secuirty vulnerabilities.
1) Memory corruption (CVE-ID: CVE-2023-21671)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
2) Use After Free (CVE-ID: CVE-2023-33074)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
3) Buffer over-read (CVE-ID: CVE-2023-33061)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
4) NULL Pointer Dereference (CVE-ID: CVE-2023-33056)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
5) Buffer over-read (CVE-ID: CVE-2023-33048)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
6) Buffer over-read (CVE-ID: CVE-2023-33047)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
7) Improper Authorization (CVE-ID: CVE-2023-28556)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in HLOS. A local application can read and manipulate data.
8) Memory corruption (CVE-ID: CVE-2023-28545)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in TZ Secure OS. A local privileged application can execute arbitrary code.
9) Buffer overflow (CVE-ID: CVE-2023-33045)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can execute arbitrary code.
10) Memory corruption (CVE-ID: CVE-2023-28574)
The vulnerability allows a local application to damange or delete data.
The vulnerability exists due to improper input validation in Core. A local application can damange or delete data.
11) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-22388)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Multi-mode Call Processor. A remote attacker can execute arbitrary code.
12) Buffer overflow (CVE-ID: CVE-2023-28570)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.
13) Improper Authentication (CVE-ID: CVE-2023-24852)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
14) Buffer over-read (CVE-ID: CVE-2023-28569)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can read and manipulate data.
15) Buffer over-read (CVE-ID: CVE-2023-28568)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can read and manipulate data.
16) Buffer over-read (CVE-ID: CVE-2023-28566)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can read and manipulate data.
17) Buffer over-read (CVE-ID: CVE-2023-28563)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in IOE Firmware. A local application can read and manipulate data.
18) Buffer over-read (CVE-ID: CVE-2023-28554)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Qualcomm IPC. A local application can read and manipulate data.
19) Buffer over-read (CVE-ID: CVE-2023-28572)
The vulnerability allows a remote privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HOST. A remote privileged application can execute arbitrary code.
20) Buffer over-read (CVE-ID: CVE-2023-28553)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in WLAN Host. A local application can read and manipulate data.
21) Integer underflow (CVE-ID: CVE-2023-33059)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
22) Buffer overflow (CVE-ID: CVE-2023-33055)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
23) Buffer overflow (CVE-ID: CVE-2023-33031)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Automotive Audio. A local application can execute arbitrary code.
Remediation
Install update from vendor's website.