Arm patches GPU driver bug exploited by spyware to snoop on targets

As Qualcomm warns of similar fixes coming for its chips


Commercial spyware has exploited a security hole in Arm's Mali GPU drivers to compromise some people's devices, according to Google today.

These graphics processors are used in a ton of gear, from phones and tablets to laptops and cars, so the kernel-level vulnerability may be present in countless pieces of equipment. This includes Android handsets made by Google, Samsung, and others.

The vulnerable drivers are paired with Arm's Midgard (launched in 2010), Bifrost (2016), Valhall (2019), and fifth-generation Mali GPUs (2023), so we imagine this buggy code will be in millions of systems.

On Monday, Arm issued an advisory for the flaw, which is tracked as CVE-2023-4211. This is a use-after-free bug affecting Midgard driver versions r12p0 to r32p0; Bifrost versions r0p0 to r42p0; Valhall versions r19p0 to r42p0; and Arm 5th Gen GPU Architecture versions r41p0 to r42p0.

We're told Arm has corrected the security blunder in its drivers for Bifrost to fifth-gen. "This issue is fixed in Bifrost, Valhall, and Arm 5th Gen GPU Architecture Kernel Driver r43p0," the advisory stated. "Users are recommended to upgrade if they are impacted by this issue. Please contact Arm support for Midgard GPUs."

We note that version r43p0 of Arm's open source Mali drivers for Bifrost to fifth-gen was released in March. Midgard has yet to publicly get that version, it appears, which is why you need to contact Arm for that. We've asked Arm for more details on that.

What this means for the vast majority of people is: look out for operating system or manufacturer updates that carry Mali GPU driver fixes and install them to close this security hole, or look up the open source drivers and apply updates yourself if you're into that. Your equipment may already be patched by now, given the release in late March, and details of the bug are only just coming out. If you're a device maker, you should be rolling out patches to customers.
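Working out whether a given device falls inside the advisory's version windows is a small but error-prone job when you have a fleet of mixed GPU generations. The following is an added example written for this article, not a tool from Arm or Google: it encodes the affected ranges and the r43p0 fix release exactly as quoted above, parses Arm's `rXXpY` driver version strings into comparable tuples, and triages a constructed inventory listing. The `<host> <family> <version>` inventory format and the status labels are assumptions made for the example; Midgard entries are flagged separately because the advisory gives no public fixed release for that family.

```python
import re

# Affected driver version ranges (inclusive) for CVE-2023-4211, taken from the
# Arm advisory as quoted in the article. Keys are GPU families; values are (first, last).
AFFECTED_RANGES = {
    "midgard": ("r12p0", "r32p0"),
    "bifrost": ("r0p0", "r42p0"),
    "valhall": ("r19p0", "r42p0"),
    "arm5thgen": ("r41p0", "r42p0"),
}

# First release carrying the fix for Bifrost, Valhall and 5th Gen (per the advisory).
# Midgard has no public fixed release in the advisory, so it is deliberately absent.
FIXED_IN = {"bifrost": "r43p0", "valhall": "r43p0", "arm5thgen": "r43p0"}

# Arm's driver version strings look like r42p0: a major ("r") and a point ("p") number.
_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Turn an Arm 'rXXpY' driver version string into a comparable (major, minor) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an Arm Mali driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(family, version):
    """Classify one (family, version) pair against the advisory.

    Returns one of (labels are this example's own, not Arm's):
      'affected'         inside the vulnerable range, and a fixed release exists
      'affected-no-fix'  inside the vulnerable range, no public fixed release (Midgard)
      'fixed'            at or past the fixed release
      'unlisted'         outside the vulnerable range and before the fix
      'unknown-family'   family not named in the advisory
    """
    key = family.strip().lower().replace(" ", "")
    if key not in AFFECTED_RANGES:
        return "unknown-family"
    v = parse_version(version)
    low, high = (parse_version(x) for x in AFFECTED_RANGES[key])
    if low <= v <= high:
        return "affected" if key in FIXED_IN else "affected-no-fix"
    if key in FIXED_IN and v >= parse_version(FIXED_IN[key]):
        return "fixed"
    return "unlisted"


# Constructed sample inventory for the example: "<host> <gpu family> <driver version>".
SAMPLE_INVENTORY = """\
tablet-01 Bifrost r40p0
laptop-07 Valhall r43p0
phone-12 Midgard r20p0
car-hu-03 Arm5thGen r41p0
phone-19 Valhall r18p0
"""


def triage(inventory_text):
    """Return {host: status} for every well-formed line of an inventory listing."""
    results = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than mis-classify them
        host, family, version = parts
        try:
            results[host] = assess(family, version)
        except ValueError:
            results[host] = "unparseable-version"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Note that a version above the affected window but below r43p0 cannot occur for Bifrost, Valhall and 5th Gen (the window ends at r42p0), so `unlisted` there only ever means "older than the first vulnerable release"; for Midgard, anything newer than r32p0 is also reported as `unlisted`, and the advisory's instruction to contact Arm support still applies.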

"A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory," is how Arm described the bug. That, it seems, is enough to allow spyware to take hold of a targeted vulnerable device.

According to Arm there is "evidence that this vulnerability may be under limited, targeted exploitation." We've received confirmation from Google, whose Threat Analysis Group's (TAG) Maddie Stone and Google Project Zero's Jann Horn found and reported the vulnerability to the chip designer, that this targeted exploitation has indeed taken place. 

"At this time, TAG can confirm the CVE was used in the wild by a commercial surveillance vendor," a TAG spokesperson told The Register. "More technical details will be available at a later date, aligning with our vulnerability disclosure policy."

TAG is keeping quiet for now on who exactly is exploiting Mali's kernel drivers this time. It could perhaps be Pegasus or Predator; the main point here is that attacks are likely to be against very specific targets, such as activists, journalists, or persons of interest to certain governments.

Also, for what it's worth, Arm on Monday said it has patched a bunch of other exploitable GPU driver bugs that aren't credited to any researcher nor said to have been exploited: CVE-2023-33200, a race condition fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r44p1 and r45p0; and CVE-2023-34970, a GPU operation issue fixed in Valhall and Arm 5th Gen GPU Architecture Kernel Driver r44p1 and r45p0.

Speaking of bugs under exploit…

Google highlighted CVE-2023-4211 in its October Android security bulletin, also published on Monday. That bulletin warned of "indications" that this particular Arm driver bug, as well as a critical system vulnerability, CVE-2023-4863, could lead to remote code execution and were, again, "under limited, targeted exploitation."

Meanwhile, Qualcomm, in a security bulletin published the same day, cited intelligence from TAG and Project Zero that four additional vulnerabilities, CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063, have also been exploited in targeted attacks.

While it shared details about one of the four, CVE-2022-22071, in its May 2022 bulletin, Qualcomm says it won't be sharing any info about the other three until December 2023. This could be an unpleasant Christmas treat.

Here are all the details we have as of now: "Patches for the issues affecting [Qualcomm's] Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible," the advisory stated. "Please contact your device manufacturer for more information on the patch status about specific devices."

It's worth noting that in 2022 Googlers uncovered a vulnerability tracked as CVE-2022-22706, also in Mali GPU kernel drivers, being used to deploy spyware developed by Spanish vendor Variston.

This particular firm has developed spyware called Heliconia that can exploit vulnerabilities in Chrome and Firefox browsers as well as Microsoft Defender security software. ®
