This Qualcomm security bulletin was originally published on 1st January 2024.

Preface: One method of conducting these PDoS attacks is commonly referred to as phlashing. During such an attack, an attacker bricks a device or destroys firmware, rendering the device or an entire system useless. This is one method to exploit vulnerabilities and replace a device’s basic software with a corrupt firmware image.

Background: The ARM Trusted Firmware implements a subset of the Trusted Board Boot Requirements (TBBR) Platform Design Document (PDD) for ARM reference platforms. The TBB sequence starts when the platform is powered on and runs up to the stage where it hands-off control to firmware running in the normal world in DRAM. This is the cold boot path.

The ARM Trusted Firmware also implements the Power State Coordination Interface (PSCI) PDD as a runtime service. PSCI is the interface from normal world software to firmware implementing power management use-cases (for example, secondary CPU boot, hotplug and idle). Normal world software can access ARM Trusted Firmware runtime services via the ARM SMC (Secure Monitor Call) instruction.

Vulnerability details: Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.

Vulnerability Type : CWE-476 NULL Pointer Dereference

My observation: I speculated that Linux initiate various CPU-centric power operations will be affected.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html

Preface: According to news in October 2023, experts speculated that commercial spyware exploited a security vulnerability in the Arm Mali GPU driver to compromise some people’s devices. The vulnerability was claimed to be a local attack. But how do attacker plant malware on a smartphone without remote access? Hard to say! Phishing and social engineering techniques may be involved.

Background: About four years ago, the mainstream GPUs are PowerVr, Mali, and Adreno (Qualcomm). Apple used a customized version of PowerVr in the early days. However, as Apple develops its own GPU, PowerVr software design now owned by Canyon Bridge Capital Partners. Mali is the graphics acceleration IP of ARM. Mali is actually ARM’s Mali series IP core.

The first version of the Mali microarchitecture is called Utgard. Later there were versions called Midgard (second generation), Bifrost (third generation), and Valhall (fourth generation). Valhall was launched in the second quarter of 2019. The main series are Mali-G57 and Mali-G77.

However, commercial spyware has exploited a security hole in Arm’s Mali GPU drivers to compromise some people’s devices, according to news from Oct 2023.

ARM decided last September (2023) not to disclose any details of CVE-2023-5091 to the public. The official announcement published on January 8, 2024 finally.

Vulnerability details: Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5091

Preface: A2DP is a protocol supported on most Bluetooth Audio devices. Opus is open source , OPUS a2dp being introduced in Android 13.

Background: In Bluetooth, there is a possibility of code-execution due to a use after free. This could lead to paired device escalation of privilege in the privileged Bluetooth process with no additional execution privileges needed. User interaction is not needed for exploitation. Such design weakness published on 30th Oct, 2023. The CVE reference is CVE-2023-21361.

The advantages of using C++ for Android app development is its ability to create cross-platform apps. By writing platform-agnostic code in C++, you can reuse it for developing iOS apps using tools like Apple’s Xcode and Swift. This allows for efficient code sharing between Android and iOS platforms.

Vulnerability details: In a2dp_vendor_opus_decoder_decode_packet of a2dp_vendor_opus_decoder.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40078

Preface: One action Apple has taken over the past few years is to harden the Safari WebContent (or “renderer”) process sandbox attack surface on iOS, most recently by removing the ability for WebContent to be exploited directly to the GPU process.

Background: App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.

Essentials – App Sandbox Entitlement

A Boolean value that indicates whether the app may use access control technology to contain damage to the system and user data if an app is compromised.

Key: com[.]apple[.]security[.]app-sandbox

Vulnerability details: An app may be able to break out of its sandbox. The issue was addressed with improved memory handling.

Impact: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-42914

Preface: Bluetooth is now a regular part of your mobile experience. It covers everything from audio to wireless headphones and speakers, pairing game controllers and keyboards, network connections, and even the occasional file transfer over the air.

Background: What is Bluetooth adapter in Android? The BluetoothAdapter lets you perform fundamental Bluetooth tasks, such as initiate device discovery, query a list of bonded (paired) devices, instantiate a BluetoothDevice using a known MAC address, and create a BluetoothServerSocket to listen for connection requests from other devices.

Vulnerability details: In callback_thread_event of com_android_bluetooth_btservice_AdapterService[.]cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: This vulnerability was named CVE-2023-40088 since 9th Aug 2023 and announced to public on 5th Dec 2023. The advisory is available at:

https://source.android.com/docs/security/bulletin/2023-12-01

https://nvd.nist.gov/vuln/detail/CVE-2023-40088

Preface: Das U-Boot (subtitled “the Universal Boot Loader” and often shortened to U-Boot. 

Background: Das U-Boot is an open-source boot loader used in embedded devices to perform various low-level hardware initialization tasks and boot the device’s operating system kernel. It is available for a number of computer architectures, including 68k, ARM, Blackfin, MicroBlaze, MIPS, Nios, SuperH, PPC, RISC-V and x86. 

Best practice: A bootloader design on the ARM platform is way different than what we have seen so far on the x86 platform. On the ARM platform, the minimalist bootloader design needs to implement the Trusted Board Boot (TBB) feature. The TBB feature allows the platform to be protected from malicious firmware attack by implementing a chain of trust (CoT) at each firmware level up to the normal world bootloader. Trusted Firmware (TF) implements a subset of the TBB requirements for ARM reference platform. 

Vulnerability details: In modify for next stage of fdt.rs, there is a possible way to render KASLR ineffective due to improperly used crypto.This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40082

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Background: An RLC PDU (Protocol Data Unit) consists of an RLC header and data. From an upper layer, RLC receives an RLC SDU (Service Data Unit). The data part of an RLC PDU is either a complete RLC SDU or an SDU segment. A single RLC PDU maps to a single MAC SDU . RLC has three transmission modes: TM , UM and AM .

Vulnerability details: In 5G NRLC, there is a possible invalid memory access due to lack of error handling. This could lead to remote denial of service, if UE received invalid 1-byte rlc sdu, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://corp.mediatek.com/product-security-bulletin/November-2023

Preface: VMOS is a virtual machine app that runs on Android, which can run another Android OS as the guest operating system. Users can optionally run the guest Android VM as a rooted Android OS. The VMOS guest Android operating system has access to the Google Play Store and other Google apps.

Background: It comes down to Android 13 featuring better handling of virtualization. Android 13 supports a common hypervisor in the form of KVM — a kernel-based virtual machine. VMOS Lets You Run a Virtual Android Machine on your Phone. CAP_NET_ADMIN is in any user or network namespace. If VMOS also relies on namespaces architecture. Therefore, the consequence of the vulnerability will be happened. It is a critical vulnerability.
It comes down to Android 13 featuring better handling of virtualization. Android 13 supports a common hypervisor in the form of KVM — a kernel-based virtual machine.
As a result, the consequences of the vulnerability occur. This vulnerability is the same as CVE-2023-21250, which is a critical level vulnerability.

Vulnerability details: Since official announcement did not provided any details on CVE-2023-21250. However, my speculation believed that CVE-2023-21250 and CVE-2023-2136 may be same as vulnerability shown in attached diagram.

Official announcement: For details, please refer to the link – https://source.android.com/docs/security/bulletin/2023-07-01