CISA Adds 4 Qualcomm Chipset Vulnerabilities to KEV Catalog Due to Active Exploitation

In recent times, cybersecurity has become a paramount concern for organizations of all sizes, including government agencies. With the increasing sophistication of cyber threats, federal agencies must take proactive measures to protect their systems and data. In line with this, the Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the need for immediate attention and remediation.

The Vulnerabilities at Hand

These four vulnerabilities, affecting multiple Qualcomm chipsets, pose significant risks to federal enterprise systems. Let’s delve into each vulnerability:

  1. CVE-2023-33106 (CVSS score of 8.4): This vulnerability stems from a memory corruption issue arising from the submission of a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND ioctl.

  2. CVE-2023-33063 (CVSS score of 7.8): This vulnerability stems from a memory corruption issue that occurs in DSP Services during a remote call from HLOS to DSP.

  3. CVE-2023-33107 (CVSS score of 8.4): This vulnerability stems from a memory corruption issue that occurs in Graphics Linux while assigning a shared virtual memory region during an IOCTL call.

  4. CVE-2022-22071 (CVSS score of 8.8): This vulnerability stems from a potential use-after-free scenario when process shell memory is freed using the IOCTL munmap call while process initialization is in progress.

Mitigating the Risks

To safeguard federal enterprise systems from these vulnerabilities, CISA has recommended that Federal Civilian Executive Branch (FCEB) agencies apply vendor-provided fixes by December 26, 2023. Additionally, agencies should implement a comprehensive vulnerability management program that encompasses regular scanning, prioritization, and remediation of vulnerabilities.
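The prioritization step described above can be sketched as follows. This is an added example, not CISA tooling: it ranks open scanner findings so that KEV-listed CVEs come before higher-scored CVEs that are not in the catalog. The asset names, the `CVE-EXAMPLE-0001` placeholder and the `triage` function are constructed for illustration; the CVE IDs, CVSS scores and due date are the ones given in this article.

```python
from datetime import date

# KEV due dates for the four CVEs in this article (ISO format).
KEV_DUE = {
    "CVE-2023-33106": "2023-12-26",
    "CVE-2023-33063": "2023-12-26",
    "CVE-2023-33107": "2023-12-26",
    "CVE-2022-22071": "2023-12-26",
}

# Constructed scanner output: (asset, CVE, CVSS score, already patched?)
FINDINGS = [
    ("mdm-phone-014", "CVE-EXAMPLE-0001", 9.8, False),  # placeholder, not in KEV
    ("mdm-phone-014", "CVE-2023-33107", 8.4, False),
    ("mdm-tablet-202", "CVE-2022-22071", 8.8, True),    # fixed, drops out
    ("mdm-phone-031", "CVE-2023-33063", 7.8, False),
]


def triage(findings, kev_due, today):
    """Order open findings for remediation: KEV-listed first (earliest due
    date, then highest CVSS), then everything else by CVSS."""
    rows = []
    for asset, cve, cvss, patched in findings:
        if patched:
            continue
        due_str = kev_due.get(cve)
        if due_str:
            due = date.fromisoformat(due_str)
            days = (due - today).days
            status = "OVERDUE" if days < 0 else f"due in {days}d"
            key = (0, due.toordinal(), -cvss)
        else:
            status = "not in KEV"
            key = (1, 0, -cvss)
        rows.append((key, {"asset": asset, "cve": cve, "status": status}))
    return [row for _, row in sorted(rows, key=lambda r: r[0])]


if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_DUE, date(2023, 12, 20)):
        print(f'{row["cve"]:<18}{row["asset"]:<16}{row["status"]}')
```

Note that the 7.8-scored KEV entry ranks above the 9.8-scored placeholder: known exploitation, not the raw score, drives the order.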

Enhancing Cybersecurity Posture

Beyond addressing these specific vulnerabilities, federal agencies should adopt a holistic approach to cybersecurity, encompassing the following measures:

  1. Employee Education: Regularly train employees on cybersecurity best practices, including password hygiene, phishing awareness, and social engineering tactics.

  2. Data Encryption: Encrypt sensitive data both at rest and in transit to safeguard it from unauthorized access.

  3. Access Controls: Implement strong access controls to restrict access to sensitive systems and data based on the principle of least privilege.

  4. Incident Response Plan: Establish a comprehensive incident response plan to effectively handle and recover from cybersecurity breaches.

  5. Regular Patching: Regularly apply software patches and updates to address newly discovered vulnerabilities.

By implementing these measures, federal agencies can significantly enhance their cybersecurity posture and protect their critical systems and data from evolving cyber threats.