Vulnerability in MediaTek and Qualcomm ALAC decoders affecting most Android devices

Check Point has identified a vulnerability in the MediaTek (CVE-2021-0674, CVE-2021-0675) and Qualcomm (CVE-2021-30351) decoders for the Apple Lossless Audio Codec (ALAC) audio compression format. The problem allows attacker code to be executed when specially crafted ALAC data is processed.

The danger of the vulnerability is exacerbated by the fact that it affects Android devices equipped with MediaTek and Qualcomm chips. As a result of the attack, an attacker can run malware on the device that has access to the user's communication and multimedia data, including data from the camera. According to a rough estimate, 2/3 of all users of Android smartphones are affected by the problem. For example, in the US, Android smartphones shipped with MediaTek and Qualcomm chips made up 95.1% of all Android smartphones sold in Q4 2021 (48.1% MediaTek, 47% Qualcomm).

Details of the exploitation of the vulnerability have not yet been disclosed, but it is reported that fixes were made to the MediaTek and Qualcomm components for the Android platform in December 2021. In the December report on vulnerabilities in the Android platform, the problems are marked as critical vulnerabilities in closed components for Qualcomm chips. The vulnerability in the MediaTek components is not mentioned in the reports.

The vulnerability is interesting for its origins. In 2011, Apple released the source code of the ALAC codec, which compresses audio data without quality loss, under the Apache 2.0 license and made it possible to use all the patents related to the codec. The code was published but left unmaintained and has not changed in the last 11 years. At the same time, Apple continued to separately maintain the implementation used in its own platforms, including fixing bugs and vulnerabilities in it. MediaTek and Qualcomm based their ALAC codec implementations on Apple's original open source code, but did not carry over the vulnerability fixes that Apple made in its own implementation.

There is no information yet on whether the vulnerability appears in the code of other products that also use the outdated ALAC code. For example, the ALAC format has been supported since FFmpeg 1.1, but the decoder implementation code is actively maintained.

Source: opennet.ru
