SB2024090244 - Multiple vulnerabilities in MediaTek chipsets

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2024-20084)

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within power. A local privileged application can gain access to sensitive information.

2) Out-of-bounds read (CVE-ID: CVE-2024-20085)

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within power. A local privileged application can gain access to sensitive information.

3) Out-of-bounds write (CVE-ID: CVE-2024-20086)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can execute arbitrary code.

4) Out-of-bounds write (CVE-ID: CVE-2024-20087)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to a missing bounds check within vdec. A local privileged application can execute arbitrary code.

5) Out-of-bounds read (CVE-ID: CVE-2024-20088)

The vulnerability allows a local privileged application to gain access to sensitive information.

The vulnerability exists due to a missing bounds check within KeyInstall. A local privileged application can gain access to sensitive information.

6) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2024-20089)

The vulnerability allows a local application to perform service disruption.

The vulnerability exists due to incorrect error handling within wlan. A local application can perform service disruption.

Remediation

Install update from vendor's website.

References

• https://corp.mediatek.com/product-security-bulletin/September-2024