Preface: The Out-of-Band vulnerabilities, also known as OOB, are a series of alternative ways that an attacker uses to exploit a vulnerability that can’t be detected by a traditional request-response interaction.

Background: Qualcomm Technologies offers industry leading platforms for wireless networks and products that cover the gamut of device needs. The file (wma_mgmt[.]c) contains STA/SAP/IBSS and protocol related functions.
Ref:
The Independent Basic Service Set (IBSS) is a simple and flexible wireless network configuration designed for situations where there is no centralized access point or other infrastructure in place. It operates by forming an ad hoc, self-contained network with station-to-station traffic flowing directly between devices. This makes IBSS networks effortless to set up and ideal for small groups of users who need a temporary, wireless means of communication without having to rely on any external hardware.

Vulnerability details: CVE-2023-21656 Memory corruption in WLAN HOST while receiving an WMI event from firmware.

Official Announcement: Please see the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2023-bulletin.html

Preface: The Advanced Linux Sound Architecture (ALSA) provides kernel driven sound card drivers.
Besides the sound device drivers, ALSA also bundles a user space driven library for application developers. This enables direct (kernel) interaction with sound devices through ALSA libraries.

Background: Exynos, formerly Hummingbird, is a series of ARM-based system-on-chips developed by Samsung Electronics’ System LSI division and manufactured by Samsung Foundry.

Conceptual example – SoC installation instruction

1. Install X-windows packages
   % sudo zypper install libXext6 libX11-6 libXrender1 libXtst6 libXi6 libgtk-2_0-0 tar
2. Set your DISPLAY environment variable
   % setenv DISPLAY localhost:0
3. navigate to the SoC installer file location
4. Run the installer
   % [.]/xxxx_SoC_v2023[.]2[.]bin
5. Follow on screen instructions.
6. Click Finish. It is now ready to use.

Vulnerability details: A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a priviledge escalation to gain ring0 access from the system user.

Solution: Samsung Mobile is releasing a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
For details, please refer to link – https://security.samsungmobile.com/securityUpdate.smsb

Official announcement: For details, please refer to the following links
https://nvd.nist.gov/vuln/detail/CVE-2023-0266
https://www.hkcert.org/tc/security-bulletin/samsung-products-multiple-vulnerabilities_20230607

Preface: In technical aspect, a Socket[.]IO server can sustain 10,000 concurrent connections. Therefore you can build a chat experience and using Socket[.]IO as your realtime communication solution. But if you want chat users to receive push notifications when they’re not actively using the app, Socket[.]IO can’t help, as it relies on a persistent socket connection.

Background: Socket[.]IO is a library that enables real-time, bidirectional and event-based communication between the browser and the server.
A socket[.]io encoder and decoder written in JavaScript complying with version 4 of socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.
In addition, a socket[.]io-parser has included. A socket.io encoder and decoder written in JavaScript complying with socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.

Ref:socket-io[.] client is the code for the client-side implementation of socket[.]io[.] That code may be used either by a browser client or by a server process that is initiating a socket[.]io connection to some other server (thus playing the client-side role in a socket[.]io connection).

Vulnerability details: socket[.]io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket[.]io-protocol.

Potential impact: A specially crafted Socket[.]IO packet can trigger an uncaught exception on the Socket[.]IO server, thus killing the Node[.]js process.

Solution: A patch has been released in version 4.2.3.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32695

Preface: Perhaps you feeling that it’s not follow best practice when it is a zero-day matter. Seems this CVE was late published. The fact is that the impact look serious. So before vendor resolve the problem. Vendor do not intent disclose to public. But problem resolved now.

Background: The User Identity Module may contain information such as the NAM (Number Assignment Module) and subscription feature information. Based on design, UIM can be integrated into the smartphone or it may be a R-UIM (Removable Identity Module).
Refer to vendor design mechanism, Reading a mobile subscriber identity from a memory device associated with the smartphone; determining if part or all of the mobile subscriber identity matches a data set entry within a file associated with the smartphone.
For example, a program assists find highest number in an array by the pointer. As a result, the result of high-array is the number of elements from the start of the array to the element pointed to by high, and that is the index of that element.

Ref: What is a Function Pointer? Function Pointers are pointers, i.e. variables, which point to an address of a function. The running programs get a certain space in the main memory. Both, the executable compiled program code and the used variables, are put inside this memory.

Vulnerability details: Qualcomm found that a memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

Official details: Please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2022-33302

Preface: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
In Linux, a process is an instance of executing a program or command. While these processes exist, they’ll be in one of the five possible states:

• Running or Runnable (R)
• Uninterruptible Sleep (D)
• Interruptable Sleep (S)
• Stopped (T)
• Zombie (Z)

Ref: Zombie processes are already dead, so they cannot be killed, they can only be reaped, which has to be done by their parent process via wait*(). This is usually called the child reaper idiom, in the signal handler for SIGCHLD.

When a child process stops or terminates, SIGCHLD is sent to the parent process. The default response to the signal is to ignore it. The signal can be caught and the exit status from the child process can be obtained by immediately calling wait(2) and wait3(3C). This allows zombie process entries to be removed as quickly as possible.

Vulnerability details: A race condition was addressed with improved state handling.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Official announcement: About the security content of iOS 16.5 and iPadOS 16.5. Please refer to the link – https://support.apple.com/en-us/HT213757

Preface: In smartphone, a GPU is similar a graphic card. Meanwhile, it’s the GRAPHICS PROCESSING UNIT which is similar to the CPU processor but instead it’s specifically dedicated for rendering 3D graphics. If your phone does not have one, then you will not be able to play any 3D games.

Background: Whenever a user space application requests a memory allocation for graphics processing, existing technology will seek to allocated nearest order pages from system memory (initially) to map to the GPU.
A patent design
KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device. Whenever a user space application requests a memory allocation for graphics processing, existing design will seek to allocated nearest order pages from system memory (initially) to map to the GPU. Once the application is done with its work, it releases those pages back to the KGSL pool as free for another allocation.
the KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device.

Vulnerability details: Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.

Official announcement – For details, please refer to the link below
Android: https://source.android.com/docs/security/bulletin/2023-05-01
Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html