CVE-2024-21466

Q: What is the severity of CVE-2024-21466?

CVE-2024-21466 has a CVSS score of 6.5 (MEDIUM). This vulnerability allows information disclosure when parsing sub-IE length during new IE generation in Qualcomm components. It affects devices using Qualcomm chipsets with vulnerable firmware. Attackers could potentially read sensitive memory contents.

6.5 MEDIUM

📋 TL;DR

This vulnerability allows information disclosure when parsing sub-IE length during new IE generation in Qualcomm components. It affects devices using Qualcomm chipsets with vulnerable firmware. Attackers could potentially read sensitive memory contents.

💻 Affected Systems

Products:

Qualcomm chipsets and associated firmware

Versions: Specific versions not detailed in reference; affected versions listed in Qualcomm July 2024 bulletin

Operating Systems: Android, embedded systems using Qualcomm chips

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with Qualcomm components that handle IE (Information Element) parsing in wireless protocols.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive information like encryption keys, credentials, or proprietary data could be leaked from device memory to an attacker.

🟠

Likely Case

Limited information disclosure of adjacent memory contents, potentially revealing device state or configuration data.

🟢

If Mitigated

No impact if proper network segmentation and access controls prevent attackers from reaching vulnerable components.

🌐 Internet-Facing: MEDIUM - Requires network access to vulnerable services but could affect exposed devices.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted packets to vulnerable parsing functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches included in Qualcomm July 2024 security updates

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2024-bulletin.html

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm July 2024 security patches. 3. Reboot device after update.

🔧 Temporary Workarounds

Network segmentation

all

Isolate devices with Qualcomm chips from untrusted networks

Firewall rules

all

Block unnecessary network protocols to vulnerable components

🧯 If You Can't Patch

Segment affected devices in isolated network zones
Implement strict network access controls and monitoring

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against Qualcomm's July 2024 security bulletin

Check Version:

Device-specific commands vary by manufacturer; typically in device settings or using manufacturer tools

Verify Fix Applied:

Verify firmware version has been updated to include July 2024 patches

📡 Detection & Monitoring

Log Indicators:

Unusual parsing errors in wireless protocol logs
Memory access violations in system logs

Network Indicators:

Malformed packets targeting IE parsing functions
Unexpected information disclosure in network traffic

SIEM Query:

Search for memory access violations or parsing errors in device logs related to wireless protocols

📊 Metadata

CVE ID: CVE-2024-21466

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE: CWE-191

Published: July 1, 2024

Last Updated: November 21, 2024

🔗 References

https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2024-bulletin.html Patch,Vendor Advisory
https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2024-bulletin.html Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fastconnect 7800 Firmware by Qualcomm

Immersive Home 3210 Platform Firmware by Qualcomm

Immersive Home 326 Platform Firmware by Qualcomm

Ipq5300 Firmware by Qualcomm

Ipq5302 Firmware by Qualcomm

Ipq5312 Firmware by Qualcomm

Ipq5332 Firmware by Qualcomm

Ipq9008 Firmware by Qualcomm

Ipq9554 Firmware by Qualcomm

Ipq9570 Firmware by Qualcomm

Ipq9574 Firmware by Qualcomm

Qam8255p Firmware by Qualcomm

Qam8620p Firmware by Qualcomm

Qam8650p Firmware by Qualcomm

Qam8775p Firmware by Qualcomm

Qamsrv1h Firmware by Qualcomm

Qamsrv1m Firmware by Qualcomm

Qca0000 Firmware by Qualcomm

Qca6554a Firmware by Qualcomm

Qca6564au Firmware by Qualcomm

Qca6574 Firmware by Qualcomm

Qca6574a Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6584au Firmware by Qualcomm

Qca6595 Firmware by Qualcomm

Qca6595au Firmware by Qualcomm

Qca6678aq Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca6698aq Firmware by Qualcomm

Qca8075 Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8082 Firmware by Qualcomm

Qca8084 Firmware by Qualcomm

Qca8085 Firmware by Qualcomm

Qca8386 Firmware by Qualcomm

Qcc2073 Firmware by Qualcomm

Qcc2076 Firmware by Qualcomm

Qcf8000 Firmware by Qualcomm

Qcf8001 Firmware by Qualcomm

Qcn5124 Firmware by Qualcomm

Qcn6402 Firmware by Qualcomm

Qcn6412 Firmware by Qualcomm

Qcn6422 Firmware by Qualcomm

Qcn6432 Firmware by Qualcomm

Qcn9000 Firmware by Qualcomm

Qcn9074 Firmware by Qualcomm

Qcn9274 Firmware by Qualcomm

Sa7255p Firmware by Qualcomm

Sa7775p Firmware by Qualcomm

Sa8255p Firmware by Qualcomm

Sa8620p Firmware by Qualcomm

Sa8650p Firmware by Qualcomm

Sa8770p Firmware by Qualcomm

Sa8775p Firmware by Qualcomm

Sa9000p Firmware by Qualcomm

Srv1h Firmware by Qualcomm

Srv1l Firmware by Qualcomm

Srv1m Firmware by Qualcomm

Sw5100 Firmware by Qualcomm

Sw5100p Firmware by Qualcomm

Wcn3980 Firmware by Qualcomm

Wcn3988 Firmware by Qualcomm

Wsa8830 Firmware by Qualcomm

Wsa8835 Firmware by Qualcomm