- MediaTek releases security advisory detailing 13 vulnerabilities
- Among them is a critical-severity RCE, plaguing 51 chipsets
- Flaws have been addressed and patches are available, so update now
MediaTek has disclosed more than a dozen vulnerabilities affecting various elements of its products.
Among the flaws is a remote code execution (RCE) vulnerability affecting the modem component, found in 51 chipsets. Tracked as CVE-2024-20154, it was given a “critical” severity rating, although the exact score was not disclosed (it’s somewhere in the 9.0-10.0 range).
“In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed,” MediaTek explained in its security advisory. “User interaction is not needed for exploitation.”
No evidence of abuse
While the list of affected chipsets is fairly extensive and includes devices used in IoT gear, Chromebooks, cars, and smartphones, the number of software versions is only six. The entire list can be found on this link.
Among the other flaws are seven that were rated as “high severity”, including privilege escalations, denial of service, remote code execution, information leakage, and more. MediaTek said it notified device manufacturers two months ago, suggesting that the vulnerabilities have since been patched for the most part.
Prior to this January 2025 update, MediaTek addressed critical vulnerabilities in its chipsets in November 2024. That Product Security Bulletin detailed several high-severity vulnerabilities, including CVE-2024-20104 and CVE-2024-20106, which could lead to privilege escalation and arbitrary code execution. These flaws affected a range of chipsets, and users were advised to apply the latest security updates as soon as possible.
At press time, there was no evidence that any of these flaws were being abused in the wild. However, since threat actors will often scan the internet for endpoints vulnerable to known flaws, users are advised not to delay the patch.
Via The Register