U.S. CISA adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini October 09, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows and Qualcomm bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-43047 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
  • CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
  • CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability

Qualcomm this week addressed 20 vulnerabilities in its products, including a potential zero-day issue tracked as CVE-2024-43047 (CVSS score 7.8). The vulnerability stems from a use-after-free bug that could lead to memory corruption.

The zero-day vulnerability resides in the Digital Signal Processor (DSP) service and impacts dozens of chipsets.

“Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed. However, since the header buffer is exposed to users in unsigned PD, users can update invalid FDs. If this invalid FD matches with any FD that is already in use, it could lead to a use-after-free (UAF) vulnerability.” reads the DSP kernel commit. “As a solution,add DMA handle references for DMA FDs, and the map for the FD will be freed only when a reference is found.”

The flaw was reported by cybersecurity researchers Seth Jenkins from Google Project Zero and Conghui Wang from Amnesty International Security Lab. Jenkins Hopefully recommends addressing the issue on Android devices as soon as possible.

Google Threat Analysis Group claims that CVE-2024-43047 may be under limited, targeted exploitation, Wang also confirms in-the-wild activity. 

The researchers haven’t published details about the attacks exploiting the CVE-2024-43047, however, the reporting organizations are known for investigating cyberattacks linked to commercial spyware vendors.

Regarding the Microsoft flaws added by CISA to the KEV catalog, both issues were addressed by the IT giant in Patch Tuesday security updates for October 2024.

Microsoft confirmed that both issues are under active exploitation in the wild.

  • CVE-2024-43572 (CVSS score: 7.8) – Microsoft Management Console Remote Code Execution Vulnerability: The Microsoft Management Console vulnerability, could allow a remote attacker to gain code execution if a user loads a malicious MMC snap-in. Though attacks require social engineering and are likely limited, admins should promptly apply the update to mitigate potential damage.
  • CVE-2024-43573 (CVSS score: 6.5) – Windows MSHTML Platform Spoofing Vulnerability: Although rated Moderate, this actively exploited vulnerability resembles a previously patched flaw used by the APT group Void Banshee. The similarity suggests the original patch may have been inadequate, so prompt testing and deployment of this update are recommended.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by October 29, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)



you might also like

leave a comment