Israel-based cybersecurity company CheckPoint discovered a vulnerability that could allow code execution on millions of devices. According to the details
CheckPoint researchers shared with The Hacker News , these vulnerabilities of the RCE (Remote Code Execution) type allow attackers to access data without the need to run any malware on their targets.
In addition, the privileges of Android applications running with low rights can be upgraded.
ALLHACK zafiyedollar series, which originates from the open source lossless audio codec named ALAC (Apple Lossless Audio Codec) developed by Apple in 2011, is used by Qualcomm and MediaTek.
While the security vulnerabilities in the proprietary versions of ALAC are constantly being patched by Apple, the open source version used by the chip manufacturers does not seem to have been updated since 2011.
According to CheckPoint’s article, two of the vulnerabilities affect MediaTek and one Qualcomm chips.
- CVE-2021-0674 (MediaTek): Information disclosure on ALAC codecs without any user intervention
- CVE-2021-0675 ( MediaTek): Local entitlement promotion (LPE) vulnerability using ALAC codecs
- CVE-2021-30351 (Qualcomm): Out-of bound memory access due to incorrect authentication during audio playback While this vulnerability
was found to be patched by CheckPoint in December 2021, Qualcomm and MediaTek have already released security updates for the devices.
Those who have not yet updated their devices at the moment do not need to do anything else to close the gap, except apply the software updates.
0 Comments