Lucene search

K
thnThe Hacker NewsTHN:49C68C231CC8A22EABED1CAEE1FD94C1
HistoryJun 02, 2022 - 10:09 a.m.

Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

2022-06-0210:09:00
The Hacker News
thehackernews.com
34
unisoc
android
vulnerability
smartphone
chipset
buffer overflow
radio communications
check point
denial-of-service
cve-2022-20210
security bulletin
modem firmware
mediatek
qualcomm
apple
kryptowire

EPSS

0.002

Percentile

56.4%

UNISOC Chip

A critical security flaw has been uncovered in UNISOC’s smartphone chipset that could be potentially weaponized to disrupt a smartphone’s radio communications through a malformed packet.

“Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location,” Israeli cybersecurity company Check Point said in a report shared with The Hacker News. “The vulnerability is in the modem firmware, not in the Android OS itself.”

UNISOC, a semiconductor company based in Shanghai, is the world’s fourth-largest mobile processor manufacturer after Mediatek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to Counterpoint Research.

The now-patched issue has been assigned the identifier CVE-2022-20210 and is rated 9.4 out of 10 for severity on the CVSS vulnerability scoring system.

In a nutshell, the vulnerability — discovered following a reverse-engineering of UNISOC’s LTE protocol stack implementation — relates to a case of buffer overflow vulnerability in the component that handles Non-Access Stratum (NAS) messages in the modem firmware, resulting in denial-of-service.

To mitigate the risk, it’s recommended that users update their Android devices to the latest available software as and when it becomes available as part of Google’s Android Security Bulletin for June 2022.

“An attacker could have used a radio station to send a malformed packet that would reset the modem, depriving the user of the possibility of communication,” Check Point’s Slava Makkaveev said.

This isn’t the first time UNISOC chipsets have come under the scanner. In March 2022, mobile security firm Kryptowire disclosed a critical security flaw (CVE-2022-27250, CVSS score: 9.8) that, if exploited, could allow malicious actors to take control over user data and device functionality

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

EPSS

0.002

Percentile

56.4%

Related for THN:49C68C231CC8A22EABED1CAEE1FD94C1