Qualcomm, Lenovo issues numerous patches to address security flaws
Qualcomm and Lenovo have issued patches to address a number of security flaws in their chipsets, some of which could result in data leakage and memory corruption.
Security flaws have been discovered in the Unified Extensible Firmware Interface (UEFI) firmware reference code of Qualcomm’s Snapdragon series of processors, which are used in products ranging from automobiles to powerline communications. These flaws affect devices built on the ARM architecture.
According to Qualcomm’s security bulletin, 20 different vulnerabilities affecting various chipsets were patched. This was because of the diverse range of products that use these chipsets, the affected devices are from various technology areas, ranging from automotive to Android connectivity, WLAN, powerline communication, and Kernel.
Three of those patched have critical security ratings, and they are as follows: CVE-2022-33218 (CVSS score 8.2; Technology: Automotive): Memory corruption vulnerability as a result of incorrect input validation CVE-2022-33219 (CVSS score 9.3; Technology: Automotive): Memory corruption caused by integer overflow to buffer overflow while registering a new listener with shared buffer. CVE-2022-33265 (CVSS score: 7.3; Technology: Powerline Communication Firmware): Memory corruption caused by information exposure while sending multiple MMEs from a single, unrelated device.
Furthermore, the updates address 17 other high security rating vulnerabilities that Qualcomm has confirmed and informed the appropriate vendors about. Five of these are also applicable to Lenovo ThinkPad X13 laptops. CVE-2022-40516 and CVE-2022-40517 (CVSS rating: High; CVSS score 8.4; Technology: Boot): Memory corruption in Core caused by stack-based buffer overflow CVE-2022-40520 (CVSS score 8.4; Technology: Connectivity): Memory corruption caused by a stack-based buffer overflow in Core CVE-2022-40518, CVE-2022-40519 (CVSS rating: Medium; CVSS score: 6.8; Technology: Boot): Information disclosure as a result of buffer overread in Core.
Lenovo has also addressed some other vulnerabilities in the ThinkPad X13’s BIOS in addition to these patches. Lenovo advises users to update their BIOS to version 1.47 (N3HET75W) or higher.
The vulnerabilities also have knock-on effects. Lenovo adopted Qualcomm’s chip, and the five bugs Binarly reported to Qualcomm also affect Lenovo ThinkPad X13s, prompting the company to release BIOS updates to close the security gap.
The sources for this piece include an article in SCMagazine.