Israel-based cyber security company CheckPointdiscovered a vulnerability that could allow code execution on millions of devices.
CheckPoint researchers According to the details he shared with The Hacker News These vulnerabilities, located in the RCE (Remote Code Execution) type, allow attackers to access data without the need to execute any malware on their targets.
In addition, the privileges of Android applications running with low rights can be upgraded.
ALLHACK vulnerabilities caused by the open source lossless audio codec called ALAC (Apple Lossless Audio Codec), developed by Apple in 2011, are used by Qualcomm and MediaTek.
While the vulnerabilities in the proprietary versions of ALAC are constantly being patched by Apple, the open source version used by the chip manufacturers does not seem to have been updated since 2011.
According to CheckPoint’s post Two of the vulnerabilities affect MediaTek and one affects Qualcomm chips.
- CVE-2021-0674 (MediaTek): Information disclosure on ALAC codecs without any user intervention
- CVE-2021-0675 (MediaTek): LPE vulnerability using ALAC codecs
- CVE-2021-30351 (Qualcomm): Out-of bound memory access vulnerability caused by incorrect validation during audio playback
While these vulnerabilities were reported to be patched by CheckPoint in December 2021, Qualcomm and MediaTek have already released security updates for the devices.
Those who have not yet updated their devices at the moment do not need to do anything else to close the gap, except to apply software updates.