On August 2nd, 2021, Qualcomm published its August 2021 product security bulletin, a very lengthy security vulnerability release report. The release report describes several proprietary and open-source software security issues that affect numerous Qualcomm chipsets. What is more, news about these security vulnerabilities arrived on the same day that news of Google abandoning Qualcomm’s chipsets appeared online. The semiconductor industry giants are in a global race for onshore chip production, so the situation in the industry is quite tense at the moment.
Qualcomm Security Vulnerabilities
The Qualcomm security vulnerability release report took a long time to be released and is very large. It contains dozens of security vulnerabilities affecting various chipsets, each listed with its CVE ID (Common Vulnerabilities and Exposures) and a description. Of these vulnerabilities, 7 are marked as critical risk, while the rest range between medium and high risk. A CVSS score (Common Vulnerability Scoring System) was assigned to each vulnerability. The vulnerabilities have been addressed in both proprietary software and open-source software.
Technical Details of The Vulnerabilities
The proprietary software issues and the respective CVE IDs, security ratings, technology areas, and reported dates for the vulnerabilities found by security researchers are as follows:

The open-source software issues and the respective CVE IDs, security ratings, technology areas, and reported dates for the vulnerabilities found by security researchers are as follows:
The Vulnerability Descriptions
Below is a description of the critical vulnerabilities only. All of the critical vulnerabilities may allow a remote attacker to compromise or gain full control of a system with unpatched software. All other information can be found in the Qualcomm security bulletin release report. The descriptions are as follows:
Affected Chipset Models
The security vulnerabilities affect a wide range of Qualcomm products, some of which include:
Qualcomm APQ, Qualcomm MDM, Qualcomm AR, Qualcomm AQT, Qualcomm QCA, Qualcomm MSM, Qualcomm SD, Qualcomm WCN, Qualcomm WSA
Note: The complete list of all affected chipsets contains more than one hundred entries. It can be found on the release report page.
The Current Situation
Vulnerabilities in Qualcomm chipset software (just like vulnerabilities in Intel or TSMC products) mean that millions of devices powered by these products are open to remote attacks. For that reason, Qualcomm has long been at work on fixes. Patches have been released to address both the proprietary and open-source software vulnerabilities. According to Qualcomm’s report, “OEMs have been notified and strongly recommended to release patches on end devices.” For all users and OEMs of Qualcomm chipsets: patches and fixes can be found on the release report page. For the latest information, Qualcomm can also be contacted directly via their support page.