CVE-2023-24844

Q: What is the severity of CVE-2023-24844?

CVE-2023-24844 has a CVSS score of 8.4 (HIGH). This vulnerability allows memory corruption in Qualcomm's Core component when invoking calls to the Access Control core library with hardware-protected address ranges. It affects devices using Qualcomm chipsets, potentially enabling attackers to execute arbitrary code or cause denial of service. The impact is limited to systems with specific hardware configurations that expose this interface.

8.4 HIGH

📋 TL;DR

This vulnerability allows memory corruption in Qualcomm's Core component when invoking calls to the Access Control core library with hardware-protected address ranges. It affects devices using Qualcomm chipsets, potentially enabling attackers to execute arbitrary code or cause denial of service. The impact is limited to systems with specific hardware configurations that expose this interface.

💻 Affected Systems

Products:

Qualcomm chipsets with specific Core components

Versions: Multiple Qualcomm chipset versions prior to October 2023 patches

Operating Systems: Android, Linux-based systems using Qualcomm chips

Default Config Vulnerable: ⚠️ Yes

Notes: Requires specific hardware configurations and access to protected memory ranges. Not all Qualcomm devices are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation on affected devices.

🟠

Likely Case

Local privilege escalation allowing attackers to gain elevated permissions on already-compromised devices or denial of service crashes.

🟢

If Mitigated

Limited impact due to hardware protection layers preventing exploitation or successful containment by security controls.

🌐 Internet-Facing: LOW

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires specific hardware access and understanding of protected memory ranges. No public exploits available as of knowledge cutoff.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Qualcomm security bulletin October 2023 patches

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/october-2023-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided patches through OEM updates. 3. Reboot device after patch installation. 4. Verify patch application through version checks.

🔧 Temporary Workarounds

Restrict hardware access

all

Limit access to hardware-protected memory interfaces through system configuration

Device-specific configuration commands vary by manufacturer

🧯 If You Can't Patch

Isolate affected devices from critical networks
Implement strict access controls to prevent unauthorized hardware interface access

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against Qualcomm security bulletin. Review system logs for memory access errors in protected ranges.

Check Version:

Device-specific commands vary by manufacturer (e.g., Android: getprop ro.build.fingerprint)

Verify Fix Applied:

Verify firmware version has been updated to post-October 2023 patches. Confirm no memory corruption events in system logs.

📡 Detection & Monitoring

Log Indicators:

Memory access violations in protected address ranges
Core component crashes
Access Control library errors

Network Indicators:

Unusual hardware interface access patterns

SIEM Query:

Device logs: (event_category="memory_error" OR component="Core") AND address_range="protected"

📊 Metadata

CVE ID: CVE-2023-24844

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-284

Published: October 3, 2023

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/october-2023-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/october-2023-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Fastconnect 6700 Firmware by Qualcomm

Fastconnect 6900 Firmware by Qualcomm

Fastconnect 7800 Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qcm4490 Firmware by Qualcomm

Qcm8550 Firmware by Qualcomm

Qcn6024 Firmware by Qualcomm

Qcn9024 Firmware by Qualcomm

Qcs4490 Firmware by Qualcomm

Qcs8550 Firmware by Qualcomm

Qdu1000 Firmware by Qualcomm

Qdu1010 Firmware by Qualcomm

Qdu1110 Firmware by Qualcomm

Qdu1210 Firmware by Qualcomm

Qdx1010 Firmware by Qualcomm

Qdx1011 Firmware by Qualcomm

Qru1032 Firmware by Qualcomm

Qru1052 Firmware by Qualcomm

Qru1062 Firmware by Qualcomm

Sg8275p Firmware by Qualcomm

Sm8550p Firmware by Qualcomm

Snapdragon 4 Gen 2 Mobile Platform Firmware by Qualcomm

Snapdragon 8 Gen 2 Mobile Platform Firmware by Qualcomm

Snapdragon 8 Gen 2 Mobile Platform Firmware by Qualcomm

Snapdragon X65 5g Modem Rf System Firmware by Qualcomm

Snapdragon X70 Modem Rf System Firmware by Qualcomm

Wcd9370 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcd9390 Firmware by Qualcomm

Wcd9395 Firmware by Qualcomm

Wcn3950 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8832 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm

Wsa8840 Firmware by Qualcomm

Wsa8845 Firmware by Qualcomm

Wsa8845h Firmware by Qualcomm