U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog
October 09, 2024
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
- CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
- CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability
Qualcomm this week addressed 20 vulnerabilities in its products, including a potential zero-day issue tracked as CVE-2024-43047 (CVSS score 7.8). The vulnerability stems from a use-after-free bug that could lead to memory corruption.
The zero-day vulnerability resides in the Digital Signal Processor (DSP) service and impacts dozens of chipsets.
“Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed. However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability.” reads the DSP kernel commit. “As a solution,add DMA handle references for DMA FDs, and the map for the FD will be freed only when a reference is found.”
The flaw was reported by cybersecurity researchers Seth Jenkins from Google Project Zero and Conghui Wang from Amnesty International Security Lab. Jenkins Hopefully recommends addressing the issue on Android devices as soon as possible.
Google Threat Analysis Group claims that CVE-2024-43047 may be under limited, targeted exploitation, Wang also confirms in-the-wild activity.
The researchers haven’t published details about the attacks exploiting the CVE-2024-43047, however, the reporting organizations are known for investigating cyberattacks linked to commercial spyware vendors.
Regarding the Microsoft flaws added by CISA to the KEV catalog, both issues were addressed by the IT giant in Patch Tuesday security updates for October 2024.
Microsoft confirmed that both issues are under active exploitation in the wild.
- CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability: The Microsoft Management Console vulnerability, could allow a remote attacker to gain code execution if a user loads a malicious MMC snap-in. Though attacks require social engineering and are likely limited, admins should promptly apply the update to mitigate potential damage.
- CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability: Although rated Moderate, this actively exploited vulnerability resembles a previously patched flaw used by the APT group Void Banshee. The similarity suggests the original patch may have been inadequate, so prompt testing and deployment of this update are recommended.
CISA orders federal agencies to fix this vulnerability by October 29, 2024.
On September 13, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti another Cloud Services Appliance OS Command Injection Vulnerability, tracked as CVE-2024-8190 (CVSS score of 7.2), to its Known Exploited Vulnerabilities (KEV) catalog.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)