CVE-2022-25713

Q: What is the severity of CVE-2022-25713?

CVE-2022-25713 has a CVSS score of 7.8 (HIGH). CVE-2022-25713 is a memory corruption vulnerability in Qualcomm automotive chipsets that occurs during shared key export operations. Attackers can exploit this to execute arbitrary code or cause denial of service. This affects automotive systems using vulnerable Qualcomm components.

7.8 HIGH

Buffer Overflow

📋 TL;DR

CVE-2022-25713 is a memory corruption vulnerability in Qualcomm automotive chipsets that occurs during shared key export operations. Attackers can exploit this to execute arbitrary code or cause denial of service. This affects automotive systems using vulnerable Qualcomm components.

💻 Affected Systems

Products:

Qualcomm automotive chipsets and platforms

Versions: Multiple automotive platforms - specific versions detailed in Qualcomm advisory

Operating Systems: Automotive-grade Linux, QNX, Android Automotive

Default Config Vulnerable: ⚠️ Yes

Notes: Affects automotive systems including infotainment, telematics, and ADAS components using vulnerable Qualcomm chipsets.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete vehicle system compromise, potentially affecting safety-critical functions like braking or steering.

🟠

Likely Case

Denial of service causing system crashes or instability in infotainment/telematics systems.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: MEDIUM - While automotive systems may have internet connectivity, exploitation typically requires some level of access to the vehicle's network.

🏢 Internal Only: HIGH - Once an attacker gains access to the vehicle's internal network, exploitation is relatively straightforward.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires access to the vehicle's internal network and knowledge of the vulnerable key export functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm's May 2023 security bulletin for specific platform patches

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/may-2023-bulletin

Restart Required: Yes

Instructions:

1. Contact vehicle manufacturer for available updates 2. Apply Qualcomm-provided patches for affected automotive platforms 3. Restart affected systems 4. Verify patch installation

🔧 Temporary Workarounds

Network Segmentation

all

Isolate automotive systems from untrusted networks and implement strict access controls

Disable Unnecessary Services

all

Disable non-essential network services on automotive components

🧯 If You Can't Patch

Implement strict network segmentation to isolate automotive systems
Deploy intrusion detection systems monitoring for memory corruption attempts

🔍 How to Verify

Check if Vulnerable:

Check with vehicle manufacturer for affected component list and firmware versions

Check Version:

Manufacturer-specific commands vary - consult vehicle documentation

Verify Fix Applied:

Verify firmware version against patched versions in Qualcomm advisory

📡 Detection & Monitoring

Log Indicators:

Memory access violations
Unexpected process crashes in automotive systems
Failed key export operations

Network Indicators:

Unusual network traffic to automotive components
Attempts to access key management services

SIEM Query:

source="automotive_system" AND (event_type="crash" OR event_type="memory_violation")

📊 Metadata

CVE ID: CVE-2022-25713

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: May 2, 2023

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/may-2023-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/may-2023-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Qam8295p Firmware by Qualcomm

Qca6390 Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6421 Firmware by Qualcomm

Qca6426 Firmware by Qualcomm

Qca6431 Firmware by Qualcomm

Qca6436 Firmware by Qualcomm

Qca6574 Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca6698aq Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qsm8350 Firmware by Qualcomm

Sa4150p Firmware by Qualcomm

Sa4155p Firmware by Qualcomm

Sa6145p Firmware by Qualcomm

Sa6150p Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sa8145p Firmware by Qualcomm

Sa8150p Firmware by Qualcomm

Sa8155p Firmware by Qualcomm

Sa8195p Firmware by Qualcomm

Sa8295p Firmware by Qualcomm

Sa8540p Firmware by Qualcomm

Sa9000p Firmware by Qualcomm

Sd 8 Gen1 5g Firmware by Qualcomm

Sd865 5g Firmware by Qualcomm

Sm7250 Aa Firmware by Qualcomm

Sm7250 Ab Firmware by Qualcomm

Sm7250 Ac Firmware by Qualcomm

Sm7250p Firmware by Qualcomm

Sm8250 Ab Firmware by Qualcomm

Sm8250 Ac Firmware by Qualcomm

Sm8250 Firmware by Qualcomm

Sm8350 Ac Firmware by Qualcomm

Sm8350 Firmware by Qualcomm

Sm8450 Firmware by Qualcomm

Snapdragon 8cx Gen 3 Compute Platform Firmware by Qualcomm

Snapdragon X55 5g Modem Rf System Firmware by Qualcomm

Snapdragon X65 5g Modem Rf System Firmware by Qualcomm

Snapdragon Xr2 5g Platform Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3998 Firmware by Qualcomm

Wcn685x 1 Firmware by Qualcomm

Wcn685x 5 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm