SB2024030403 - Multiple vulnerabilities in MediaTek chipsets
Published: March 4, 2024 Updated: August 30, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 21 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2024-20028)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within da. A local privileged application can execute arbitrary code.
2) Out-of-bounds read (CVE-ID: CVE-2024-20038)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to an incorrect bounds check within pq. A local privileged application can gain access to sensitive information.
3) Write-what-where Condition (CVE-ID: CVE-2024-20037)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an incorrect bounds check within pq. A local privileged application can execute arbitrary code.
4) Improper Access Control (CVE-ID: CVE-2024-20036)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a permissions bypass within vdec. A local privileged application can gain access to sensitive information.
5) Out-of-bounds write (CVE-ID: CVE-2024-20034)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within battery. A local privileged application can execute arbitrary code.
6) Out-of-bounds read (CVE-ID: CVE-2024-20033)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within nvram. A local privileged application can gain access to sensitive information.
7) Improper Privilege Management (CVE-ID: CVE-2024-20032)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing permission check within aee. A local privileged application can execute arbitrary code.
8) Improper input validation (CVE-ID: CVE-2024-20029)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation within wlan firmware. A local privileged application can execute arbitrary code.
9) Improper input validation (CVE-ID: CVE-2024-20031)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within da. A local privileged application can execute arbitrary code.
10) Improper input validation (CVE-ID: CVE-2024-20030)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to improper input validation within da. A local privileged application can gain access to sensitive information.
11) Improper input validation (CVE-ID: CVE-2024-20027)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation within da. A local privileged application can execute arbitrary code.
12) Improper input validation (CVE-ID: CVE-2024-20017)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within wlan service. A local application can execute arbitrary code.
13) Out-of-bounds read (CVE-ID: CVE-2024-20026)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to improper input validation within da. A local privileged application can gain access to sensitive information.
14) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2024-20025)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an integer overflow within da. A local privileged application can execute arbitrary code.
15) Out-of-bounds write (CVE-ID: CVE-2024-20024)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within flashc. A local privileged application can execute arbitrary code.
16) Out-of-bounds write (CVE-ID: CVE-2024-20023)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to lack of valudation within flashc. A local privileged application can execute arbitrary code.
17) Improper Privilege Management (CVE-ID: CVE-2024-20022)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within lk. A local privileged application can execute arbitrary code.
18) Improper Access Control (CVE-ID: CVE-2024-20005)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing permission check within da. A local privileged application can execute arbitrary code.
19) Missing release of memory after effective lifetime (CVE-ID: CVE-2024-20019)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to improper input handling within wlan driver. A local application can perform service disruption.
20) Improper input validation (CVE-ID: CVE-2024-20018)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within wlan driver. A local application can execute arbitrary code.
21) Out-of-bounds write (CVE-ID: CVE-2024-20020)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to an incorrect bounds check within OPTEE. A local privileged application can gain access to sensitive information.
Remediation
Install update from vendor's website.