"CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities"

The US cybersecurity agency CISA recently added four bugs impacting multiple Qualcomm chipsets to its Known Exploited Vulnerabilities (KEV) Catalog.  All four issues were identified by Google’s Threat Analysis Group and Google Project Zero, which often report security defects exploited by commercial spyware vendors.  CISA noted that three of the flaws tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063 were patched in October 2023 as zero days after Qualcomm learned from Google’s researchers that they were likely exploited in the wild.  All three vulnerabilities are described as memory corruption bugs.  These types of flaws lead to crashes or unexpected behavior and may allow attackers to gain unauthorized access to systems and even execute arbitrary code.  The fourth vulnerability, CVE-2022-22071, was patched in May 2023, but Google revealed in October that it was likely being exploited as well.  The issue is described as a use-after-free bug, which could allow attackers to execute arbitrary code.  Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable appliances and patch the bugs that CISA has added to KEV.  For the Qualcomm issues, the deadline is December 26.  BOD 22-01 only applies to federal agencies, but CISA urges all organizations to take the necessary steps to address the security flaws included in its must-patch list.  In addition to the Qualcomm bugs, CISA recently added two WebKit vulnerabilities to the KEV catalog that Apple addressed last week.  Tracked as CVE-2023-42916 and CVE-2023-42917, the bugs were likely exploited against older iPhones, but Apple patched them in newer iOS and iPadOS versions as well as in macOS and Safari.

SecurityWeek reports: "CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities"