CVE-2023-33014

Q: What is the severity of CVE-2023-33014?

CVE-2023-33014 has a CVSS score of 7.6 (HIGH). This vulnerability in Qualcomm Core services allows information disclosure when processing Diag commands. Attackers could potentially access sensitive system information without proper authorization. This affects devices using Qualcomm chipsets with vulnerable Core services implementations.

7.6 HIGH

📋 TL;DR

This vulnerability in Qualcomm Core services allows information disclosure when processing Diag commands. Attackers could potentially access sensitive system information without proper authorization. This affects devices using Qualcomm chipsets with vulnerable Core services implementations.

💻 Affected Systems

Products:

Qualcomm chipsets with Core services
Devices using Qualcomm processors

Versions: Specific versions not publicly detailed in advisory

Operating Systems: Android, Linux-based systems with Qualcomm drivers

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with Qualcomm chipsets where Core services are enabled. Exact product list requires checking Qualcomm's advisory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system information disclosure including sensitive memory contents, cryptographic keys, or device identifiers leading to further compromise.

🟠

Likely Case

Limited information disclosure of system configuration data, potentially enabling reconnaissance for further attacks.

🟢

If Mitigated

No information disclosure if proper access controls and patching are implemented.

🌐 Internet-Facing: MEDIUM - Requires local access or network proximity, but could be combined with other vulnerabilities for remote exploitation.

🏢 Internal Only: HIGH - Malicious insiders or compromised internal systems could exploit this to gather sensitive information.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires access to Diag interface which typically needs elevated privileges or physical access. No public exploit code available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm January 2024 security bulletin for specific patched versions

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin

Restart Required: Yes

Instructions:

1. Check Qualcomm advisory for affected chipset versions. 2. Obtain firmware updates from device manufacturer. 3. Apply security patches provided by OEM. 4. Reboot device to activate patches.

🔧 Temporary Workarounds

Disable Diag interface

android

Restrict access to diagnostic interfaces if not required for operations

adb shell setprop persist.vendor.sys.usb.config mtp,adb
adb shell setprop sys.usb.config mtp,adb

Implement access controls

all

Restrict physical and network access to diagnostic ports

🧯 If You Can't Patch

Implement strict physical security controls to prevent unauthorized device access
Segment network to isolate devices with vulnerable Qualcomm chipsets

🔍 How to Verify

Check if Vulnerable:

Check device chipset version and compare against Qualcomm's patched versions list in January 2024 bulletin

Check Version:

adb shell getprop ro.bootloader (for Android devices) or check device firmware version in settings

Verify Fix Applied:

Verify firmware version has been updated to include January 2024 security patches from Qualcomm

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to Diag services
Unexpected diagnostic command execution

Network Indicators:

Unusual traffic to diagnostic ports (typically 9200-9210)
Suspicious USB debugging connections

SIEM Query:

source="*diag*" OR source="*qualcomm*" AND (event_type="access_denied" OR event_type="unauthorized_access")

📊 Metadata

CVE ID: CVE-2023-33014

CVSS v3 Score: 7.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-20

Published: January 2, 2024

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Fastconnect 6700 by Qualcomm

Fastconnect 6900 Firmware by Qualcomm

Fastconnect 7800 Firmware by Qualcomm

Qam8255p Firmware by Qualcomm

Qam8650p Firmware by Qualcomm

Qam8775p Firmware by Qualcomm

Qca6595 Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6698aq Firmware by Qualcomm

Qca6797aq Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qcm4490 Firmware by Qualcomm

Qcn6024 Firmware by Qualcomm

Qcn9024 Firmware by Qualcomm

Qcs4490 Firmware by Qualcomm

Qcs8550 Firmware by Qualcomm

Sa8255p Firmware by Qualcomm

Sm4450 Firmware by Qualcomm

Snapdragon Ar2 Gen 1 Platform Firmware by Qualcomm

Snapdragon X65 5g Modem Rf System Firmware by Qualcomm

Snapdragon X70 Modem Rf System Firmware by Qualcomm

Ssg2115p Firmware by Qualcomm

Ssg2125p Firmware by Qualcomm

Sxr1230p Firmware by Qualcomm

Sxr2230p Firmware by Qualcomm

Wcd9370 Firmware by Qualcomm

Wcd9380 Firmware by Qualcomm

Wcd9385 Firmware by Qualcomm

Wcn3950 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wsa8810 Firmware by Qualcomm

Wsa8815 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8832 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm