Qualcomm fixed 22 vulnerabilities in proprietary software in total in the firmware.
Cybercriminals focus more on lower-level embedded codes, which support hardware, making firmware attacks increasingly frequent. is the most recent target.
According to reports, nearly two dozen security flaws were discovered in Snapdragon’s flagship chipset, Snapdragon.
Information on Vulnerabilities
Binarly, an AI-powered firmware security company discovered these vulnerabilities. The firmware contained 22 vulnerabilities that Qualcomm fixed in its January 2023 security bulletin.
This includes 2 automotive bugs () and , and 1 bug in powerline communication firmware (). They were classified as critical or severe and required extensive patching.
Five major flaws in the UEFI firmware of ARM were also identified. They are CVE-2022-40520 . These flaws affected the entire infrastructure of ARM-based laptops and devices.
Binarly found two kinds of vulnerability, out-of-bounds reader issued and stack-based buffer overloads. These vulnerabilities were both connected to DXE driver, and can be exploited by anyone with elevated privileges.
The company has to address the security vulnerabilities found in its most recent security advisory. These patches include patches for five connectivity issues and one for boot.
What Devices Are at Risk?
Snapdragon chipsets pose a threat to devices made by Samsung, Microsoft and Lenovo. The impact of the vulnerability on vehicles and powerline communications is diverse, however. The Snapdragon CPU is based on the ARM architecture.
The vulnerabilities also affect ARM-based Microsoft Surface computers and Windows Dev Kit 2023/Project Volterra machines. Certain vulnerabilities can allow for code execution in arbitrary ways and could be used to bypass Secure Boot. This allows an attacker to have persistence on the device, as well as write privileges to its file system.
What Flaws were Discovered
Alex Matrosov, founder of Binarly and CEO revealed nine vulnerabilities discovered while looking at the Lenovo ThinkpadX13s firmware that uses the Snapdragon system-on a chip.
Additional investigation revealed some vulnerabilities that were only applicable to Lenovo devices, and five reference codes for Qualcomm that had been affected. These vulnerabilities affected all devices with Snapdragon chips, including laptops.
Matrosov stated that it was the first disclosure of UEFI firmware flaws in the ARM architecture. Matrosov also stated that there are “massive” affected chipsets.
Good news: Lenovo addressed this issue and the advisory is .