Qualcomm has disclosed a critical vulnerability (CVE-2023-33025) with a CVSS score of 9.8 that exposes devices to remote attacks via malicious voice calls over LTE networks. This vulnerability involves a buffer overflow flaw during Voice-over-LTE (VoLTE) calls, specifically when the Session Description Protocol (SDP) body is non-standard. If a remote attacker manipulates the SDP body with their content and initiates a call where the malicious SDP is processed, it could lead to memory corruption in the data modem, potentially allowing for remote code execution. Although the difficulty of exploitation is acknowledged, users are advised to connect only to secure and trusted LTE networks to reduce potential risks.
The critical vulnerability affects two dozen Qualcomm chipsets, including popular models like Snapdragon 680 and Snapdragon 685 4G Mobile Platforms, used in smartphones and tablets from various manufacturers. Qualcomm has already provided patches to original equipment manufacturers (OEMs) that use these chipsets. Alongside this critical flaw, the January 2024 security bulletin lists a total of 26 vulnerabilities, including three other critical ones, impacting Qualcomm chipsets.
Three local access vulnerabilities labeled critical are also detailed, including one (CVE-2023-33036) causing permanent disruption of hypervisor software due to NULL pointer dereferencing, affecting more than 100 chipsets. Two others (CVE-2023-33030 and CVE-2023-33032) result in memory corruption—one during a Microsoft PlayReady use-case and the other involving an integer overflow or wraparound flaw in the ARM TrustZone Secure OS. These critical vulnerabilities emphasize the importance of prompt updates from OEMs to mitigate potential security risks across a broad range of devices using Qualcomm chipsets.
