Kaspersky researchers conducted a security assessment of a modern System-on-Chip (SoC), Unisoc UIS7862A, which features an integrated 2G/3G/4G modem. This SoC can be found in various mobile devices by multiple vendors or, more interestingly, in the head units of modern Chinese vehicles, which are becoming increasingly common on the roads.
The head unit is one of a car’s key components, and a breach of its information security poses a threat to road safety, as well as the confidentiality of user data. During research, Kaspersky identified several critical vulnerabilities at various levels of the Unisoc UIS7862A modem’s cellular protocol stack. This article discusses a stack-based buffer overflow vulnerability in the 3G RLC protocol implementation (CVE-2024-39432).
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- CISA Adds Five Known Exploited Vulnerabilities to Catalog
June 23, 2023
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-32434 Apple Multiple Products Integer Overflow Vulnerability CVE-2023-32435 Apple iOS and iPadOS WebKit Memory Corruption Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- Apple Releases Security Updates for Multiple Products
June 22, 2023
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device. CISA encourages users and administrators to review the following advisories and apply the necessary updates. watchOS 8.8.1 macOS Big Sur 11.7.8 macOS Monterey 12.6.7 Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- CISA Releases Two Industrial Control Systems Advisories
June 20, 2023
CISA released two Industrial Control Systems (ICS) advisories on June 20, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-171-01 Enphase Envoy Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- Whitehall wide open to cyber-attack, warn campaigners
June 18, 2023
Government departments responsible for running health and social care, and for collecting taxes, are using outdated software that leaves them wide open to cyber-attacks, according to a disturbing new investigation. The use of “legacy” servers and databases has been uncovered through freedom of information (FoI) requests from the low-tax pressure group the TaxPayers’ Alliance. It has ...
- Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
June 15, 2023
Starting as early as October 10, 2022, UNC4841 sent emails to victim organizations that contained malicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG appliances. Over the course of their campaign, UNC4841 has primarily relied upon three principal code families to establish and maintain a presence on an ESG appliance, ...
- Progress Software Releases Security Advisory for MOVEit Transfer Vulnerability – CVE-2023-35708
June 15, 2023
Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before ...