Qualcomm on Tuesday disclosed nearly two dozen security vulnerabilities in its chipsets, including the company’s flagship suite of SnapDragon processor chips and affecting products that range from cars to powerline communications.
Among the 22 proprietary software issues released in Qualcomm’s January 2023 security bulletin are two bugs (CVE-2022-33218 and CVE-2022-33219) in automotive and one bug (CVE-2022-33265) in powerline communication firmware, all of which are rated high or critical for severity and complicated to patch.
In addition, there are five other major flaws (CVE-2022-40516 through CVE-2022-40520) related to UEFI firmware on ARM, which tends to affect the entire ecosystem of ARM-based laptops and devices.
Firmware attacks have become more common in recent years as hackers shift their focus from user-facing operating systems to the lower-level embedded code that supports hardware. Last month, firmware and hardware security company Eclypsium found several severe vulnerabilities in baseboard management controller (BMC) firmware made by American Megatreneds(AMI) and used by many worldwide server manufacturers.
“As operating systems like Windows, Mac, and Linux are becoming more secure and hardened, attackers have started looking for other areas to attack. And firmware becomes a perfect choice for them because its protections basically live below the operating systems,” Nate Warfield, director of threat research and intelligence at Eclypsium, told SC Media in an interview. “Our team even found ransomware groups like Conti start to research into getting firmware level persistence on devices.”
Binarly, an AI-powered firmware protection company that reported the five UEFI firmware vulnerabilities (CVE-2022-40516 through CVE-2022-40520) to Qualcomm, noted that Tuesday’s advisory is particularly noteworthy as it marks the first massive public disclosure related to UEFI firmware on ARM.
“We opened Pandora’s box of ARM devices UEFI firmware vulnerabilities impacting enterprise vendors,” Alex Matrosov, founder and CEO of Binarly told SC Media. “The big part of vulnerabilities [we reported] related to Qualcomm’s reference code for Snapdragon chips. The vulnerabilities in reference code are usually one of the most impactful since they tend to affect the whole ecosystem and not just a single vendor. Due to the complexity of the UEFI firmware supply chain, these vulnerabilities often create additional impact.”
The vulnerabilities also have downstream impacts. Computer hardware giant Lenovo adopted Qualcomm’s chip, and the five bugs Binarly reported to Qualcomm also affect Lenovo ThinkPad X13s, leading the company to issue BIOS updates to plug the security hole.
While CVE-2022-40516 through CVE-2022-40520 pose threats to the entire ecosystem of ARM-based laptops and devices, Warfield suggested that the bug in powerline communications is even more complicated to fix with much higher patching cost.
“If the patch goes wrong on a Windows computer, it can be rolled back. But if a patch goes wrong on a power station, it could cause a blackout,” Warfield said.
On a positive note, Thomas Pace, CEO of firmware security company NetRise, told SC Media that the Qualcomm disclosure shows that awareness around firmware vulnerabilities is rising, something that should lead manufacturers to improve protections over time.
“The disclosure from such a large-scale company is a good step in the direction of improving [firmware security],” Pace said.