CVE-2023-21643

Q: What is the severity of CVE-2023-21643?

CVE-2023-21643 has a CVSS score of 9.1 (CRITICAL). CVE-2023-21643 is a memory corruption vulnerability in Qualcomm automotive systems caused by untrusted pointer dereference during system calls. This allows attackers to potentially execute arbitrary code or cause denial of service. Affected systems include automotive platforms using vulnerable Qualcomm chipsets.

9.1 CRITICAL

📋 TL;DR

CVE-2023-21643 is a memory corruption vulnerability in Qualcomm automotive systems caused by untrusted pointer dereference during system calls. This allows attackers to potentially execute arbitrary code or cause denial of service. Affected systems include automotive platforms using vulnerable Qualcomm chipsets.

💻 Affected Systems

Products:

Qualcomm automotive platforms and chipsets

Versions: Specific versions not publicly detailed in references; affected versions prior to August 2023 patches

Operating Systems: Automotive operating systems using Qualcomm components

Default Config Vulnerable: ⚠️ Yes

Notes: Affects automotive systems with vulnerable Qualcomm components; exact product list may be in vendor bulletins.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing arbitrary code execution with kernel privileges, potentially leading to vehicle control takeover or persistent backdoor installation.

🟠

Likely Case

System crash or denial of service affecting automotive functions, potentially disrupting critical vehicle systems.

🟢

If Mitigated

Limited impact with proper memory protection and privilege separation, potentially only causing application crashes.

🌐 Internet-Facing: LOW - Automotive systems typically have limited direct internet exposure.

🏢 Internal Only: HIGH - Exploitation requires local access but could be achieved through compromised components or physical access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the system; no public exploit code available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches included in August 2023 Qualcomm security bulletin

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin

Restart Required: Yes

Instructions:

1. Consult Qualcomm August 2023 security bulletin for specific patches. 2. Apply vendor-provided firmware updates. 3. Restart affected automotive systems.

🔧 Temporary Workarounds

Restrict system call access

all

Limit access to vulnerable system calls through kernel hardening

Configuration varies by automotive platform; consult vendor documentation

🧯 If You Can't Patch

Implement strict access controls to prevent unauthorized local access to automotive systems
Deploy additional monitoring for memory corruption attempts and system crashes

🔍 How to Verify

Check if Vulnerable:

Check Qualcomm chipset version and firmware against August 2023 security bulletin

Check Version:

Platform-specific commands; consult automotive system documentation

Verify Fix Applied:

Verify firmware version has been updated to include August 2023 patches

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Memory access violation errors
Unexpected system restarts

Network Indicators:

Unusual local system call patterns if monitored

SIEM Query:

Search for kernel panic events or memory corruption alerts in automotive system logs

📊 Metadata

CVE ID: CVE-2023-21643

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

CWE: CWE-822

Published: August 8, 2023

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8064au Firmware by Qualcomm

Apq8096au Firmware by Qualcomm

Msm8996au Firmware by Qualcomm

Qam8295p Firmware by Qualcomm

Qca6564a Firmware by Qualcomm

Qca6564au Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6584au Firmware by Qualcomm

Qca6595 Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Sa6145p Firmware by Qualcomm

Sa6150p Firmware by Qualcomm

Sa6155 Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sa8145p Firmware by Qualcomm

Sa8150p Firmware by Qualcomm

Sa8155 Firmware by Qualcomm

Sa8155p Firmware by Qualcomm

Sa8195p Firmware by Qualcomm

Sa8295p Firmware by Qualcomm

Sa8540p Firmware by Qualcomm

Sa9000p Firmware by Qualcomm