CVE-2024-21479

Q: What is the severity of CVE-2024-21479?

CVE-2024-21479 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to cause a Denial of Service (DoS) condition by exploiting a buffer over-read (CWE-126) in Apple Lossless Audio Codec (ALAC) processing. When a specially crafted ALAC audio file is played, it can crash the media player or cause system instability. This affects any device or software using Qualcomm's vulnerable ALAC decoder implementation.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability allows attackers to cause a Denial of Service (DoS) condition by exploiting a buffer over-read (CWE-126) in Apple Lossless Audio Codec (ALAC) processing. When a specially crafted ALAC audio file is played, it can crash the media player or cause system instability. This affects any device or software using Qualcomm's vulnerable ALAC decoder implementation.

💻 Affected Systems

Products:

Qualcomm chipsets with ALAC decoder support

Versions: Specific chipset versions listed in Qualcomm August 2024 security bulletin

Operating Systems: Android and other OS using Qualcomm audio processing

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using Qualcomm's audio processing pipeline when playing ALAC-encoded audio files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Persistent system crash requiring reboot, potential data loss if system becomes unstable during critical operations, and disruption of audio/media services.

🟠

Likely Case

Temporary application crash or freeze during music playback, requiring user intervention to restart the media player.

🟢

If Mitigated

Isolated media player crash with no system-wide impact, minimal service disruption.

🌐 Internet-Facing: MEDIUM - Attackers could host malicious ALAC files on websites or streaming services, but requires user interaction to play the file.

🏢 Internal Only: LOW - Requires local file access or user interaction with malicious content, limited to media playback scenarios.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user to play a malicious ALAC file; no remote code execution capability based on CWE-126 classification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm August 2024 security bulletin for specific chipset firmware updates

Vendor Advisory: https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm chipset firmware updates. 3. Restart device after update installation.

🔧 Temporary Workarounds

Disable ALAC playback

all

Prevent playback of ALAC-encoded audio files through system or application settings

Use alternative audio formats

all

Convert ALAC files to other lossless formats like FLAC or WAV

🧯 If You Can't Patch

Restrict ALAC file playback to trusted sources only
Implement application sandboxing to contain crashes

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's affected list

Check Version:

Android: 'getprop ro.bootloader' or check Settings > About Phone; Other systems: consult device documentation

Verify Fix Applied:

Verify firmware version has been updated to patched version from manufacturer

📡 Detection & Monitoring

Log Indicators:

Media player crash logs
Audio service termination events
Kernel panic logs related to audio processing

Network Indicators:

Unusual ALAC file downloads from untrusted sources

SIEM Query:

EventID: Application Crash AND ProcessName: media_player.exe AND ExceptionCode: ACCESS_VIOLATION

📊 Metadata

CVE ID: CVE-2024-21479

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-126

Published: August 5, 2024

Last Updated: November 26, 2024

🔗 References

https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ar8035 Firmware by Qualcomm

Fastconnect 6700 Firmware by Qualcomm

Fastconnect 6800 Firmware by Qualcomm

Fastconnect 6900 Firmware by Qualcomm

Fastconnect 7800 Firmware by Qualcomm

Qam8255p Firmware by Qualcomm

Qam8295p Firmware by Qualcomm

Qam8650p Firmware by Qualcomm

Qam8775p Firmware by Qualcomm

Qamsrv1h Firmware by Qualcomm

Qamsrv1m Firmware by Qualcomm

Qca6310 Firmware by Qualcomm

Qca6320 Firmware by Qualcomm

Qca6391 Firmware by Qualcomm

Qca6426 Firmware by Qualcomm

Qca6436 Firmware by Qualcomm

Qca6574au Firmware by Qualcomm

Qca6584au Firmware by Qualcomm

Qca6696 Firmware by Qualcomm

Qca6698aq Firmware by Qualcomm

Qca8081 Firmware by Qualcomm

Qca8337 Firmware by Qualcomm

Qca9367 Firmware by Qualcomm

Qca9377 Firmware by Qualcomm

Qcc710 Firmware by Qualcomm

Qcn6224 Firmware by Qualcomm

Qcn6274 Firmware by Qualcomm

Qcn9074 Firmware by Qualcomm

Qcs410 Firmware by Qualcomm

Qcs4490 Firmware by Qualcomm

Qcs610 Firmware by Qualcomm

Qfw7114 Firmware by Qualcomm

Qfw7124 Firmware by Qualcomm

Sa6145p Firmware by Qualcomm

Sa6150p Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sa7255p Firmware by Qualcomm

Sa7775p Firmware by Qualcomm

Sa8145p Firmware by Qualcomm

Sa8150p Firmware by Qualcomm

Sa8155p Firmware by Qualcomm

Sa8195p Firmware by Qualcomm

Sa8255p Firmware by Qualcomm

Sa8295p Firmware by Qualcomm

Sa8530p Firmware by Qualcomm

Sa8540p Firmware by Qualcomm

Sa8620p Firmware by Qualcomm

Sa8650p Firmware by Qualcomm

Sa8770p Firmware by Qualcomm

Sa8775p Firmware by Qualcomm

Sa9000p Firmware by Qualcomm

Sd 8 Gen1 5g Firmware by Qualcomm

Sd835 Firmware by Qualcomm

Sd865 5g Firmware by Qualcomm

Sdx55 Firmware by Qualcomm

Snapdragon 4 Gen 2 Mobile Platform Firmware by Qualcomm

Snapdragon 8 Gen 1 Mobile Platform Firmware by Qualcomm

Snapdragon 8 Gen 1 Mobile Platform Firmware by Qualcomm

Snapdragon 835 Mobile Pc Platform Firmware by Qualcomm

Snapdragon 865 5g Mobile Platform Firmware by Qualcomm

Snapdragon 865\+ 5g Mobile Platform \(sm8250 Ab\) Firmware by Qualcomm

Snapdragon 870 5g Mobile Platform \(sm8250 Ac\) Firmware by Qualcomm

Snapdragon Auto 5g Modem Rf Gen 2 Firmware by Qualcomm

Snapdragon W5\+ Gen 1 Wearable Platform Firmware by Qualcomm

Snapdragon Wear 4100\+ Platform Firmware by Qualcomm

Snapdragon X55 5g Modem Rf System Firmware by Qualcomm

Snapdragon X72 5g Modem Rf System Firmware by Qualcomm

Snapdragon X75 5g Modem Rf System Firmware by Qualcomm

Snapdragon Xr2 5g Platform Firmware by Qualcomm

Srv1h Firmware by Qualcomm

Srv1m Firmware by Qualcomm

Sw5100 Firmware by Qualcomm

Sw5100p Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm

Talynplus Firmware by Qualcomm

Video Collaboration Vc1 Platform Firmware by Qualcomm

Video Collaboration Vc3 Platform Firmware by Qualcomm