Qualcomm, Lenovo Flag Multiple High Impact Firmware Vulnerabilities

Qualcomm on Tuesday disclosed nearly two dozen security vulnerabilities in its chipsets, including the company's flagship Snapdragon processor line, affecting products that range from cars to powerline communications equipment.

Among the 22 proprietary software issues released in Qualcomm’s January 2023 security bulletin are two bugs (CVE-2022-33218 and CVE-2022-33219) in automotive and one bug (CVE-2022-33265) in powerline communication firmware, all of which are rated high or critical for severity and complicated to patch.

In addition, there are five other major flaws (CVE-2022-40516 through CVE-2022-40520) related to UEFI firmware on ARM, which tends to affect the entire ecosystem of ARM-based laptops and devices.

Firmware attacks have become more common in recent years as attackers shift their focus from user-facing operating systems to the lower-level embedded code that supports hardware. Last month, firmware and hardware security company Eclypsium found several severe vulnerabilities in baseboard management controller (BMC) firmware made by American Megatrends (AMI) and used by many server manufacturers worldwide.

"As operating systems like Windows, Mac, and Linux are becoming more secure and hardened, attackers have started looking for other areas to attack. And firmware becomes a perfect choice for them because its protections basically live below the operating systems," Nate Warfield, director of threat research and intelligence at Eclypsium, told SC Media in an interview. "Our team even found ransomware groups like Conti start to research into getting firmware level persistence on devices."

Binarly, an AI-powered firmware protection company that reported the five UEFI firmware vulnerabilities (CVE-2022-40516 through
