Product Security

Security Bulletins

Qualcomm security bulletins are collected here; navigate to the year and month you want to review.

Bulletins

July 2018
June 2018
May 2018
April 2018
December 2017

July 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 07/02/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11088 Domen Puncer Kugler and Keuntae Shin
CVE-2018-5838 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-11088 Medium Performance 9/1/2017
CVE-2018-11257 Critical Trusted Execution Environment Internal
CVE-2018-11258 High DSP Service Internal
CVE-2018-11259 Critical Trusted Execution Environment Internal
CVE-2018-5838 High Graphics 11/2/2017
CVE-2018-5874 Critical Video Internal
CVE-2018-5875 Critical Video Internal
CVE-2018-5876 Critical Video Internal
CVE-2018-5878 High RIL Internal
CVE-2018-5882 High Video Internal
CVE-2018-5884 High Video Internal
CVE-2018-5885 High Trusted Execution Environment Internal
CVE-2018-5891 High Data Network Stack & Connectivity Internal
CVE-2018-5892 High Android UI Internal
CVE-2018-5894 High Video Internal

CVE-2017-11088

CVE ID CVE-2017-11088
Title Improper Input Validation in io-prefetch
Description A SQL injection vulnerability exists in the Linux io-prefetcher.
Technology Area Performance
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 9/1/2017
Customer Notified Date 2/5/2018

CVE-2018-11257

CVE ID CVE-2018-11257
Title Permissions, Privileges, and Access Controls in TA Environment
Description RPMB has an option that allows RPMB erase for secure devices.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 3/5/2018

CVE-2018-11258

CVE ID CVE-2018-11258
Title Use After Free in Multimedia
Description In ADSP RPC, a Use After Free condition can occur.
Technology Area DSP Service
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018

CVE-2018-11259

CVE ID CVE-2018-11259
Title Improper Access Control in NAND-based EFS
Description From fastboot on a NAND-based device, the EFS partition can be erased. Apps processor then has non-secure world full read/write access to the partition until the modem boots and configures the EFS partition addresses in its MPU partition.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 2/5/2018

CVE-2018-5838

CVE ID CVE-2018-5838
Title Improper Validation of Array Index in Graphics
Description In the Adreno OpenGL driver, an out-of-bounds access can occur in SurfaceFlinger.
Technology Area Graphics
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 11/2/2017
Customer Notified Date 3/5/2018

CVE-2018-5874

CVE ID CVE-2018-5874
Title Stack-based Buffer Overflow in Multimedia
Description While parsing an mp4 file, a stack-based buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018

CVE-2018-5875

CVE ID CVE-2018-5875
Title Integer Overflow to Buffer Overflow in Multimedia
Description While parsing an mp4 file, an integer overflow leading to a buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018

CVE-2018-5876

CVE ID CVE-2018-5876
Title Buffer Copy without Checking Size of Input in Multimedia
Description While parsing an mp4 file, a buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018

CVE-2018-5878

CVE ID CVE-2018-5878
Title Buffer Copy without Checking Size of Input in RIL
Description While sending the response to a RIL_REQUEST_GET_SMSC_ADDRESS message, a buffer overflow can occur.
Technology Area RIL
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 4/2/2018

CVE-2018-5882

CVE ID CVE-2018-5882
Title Buffer Over-read in Multimedia
Description While parsing a Flac file with a corrupted comment block, a buffer over-read can occur.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 4/2/2018

CVE-2018-5884

CVE ID CVE-2018-5884
Title Improper Access Control in Multimedia
Description Non-standard applications without permission may acquire permission of Qualcomm-specific proprietary intents.
Technology Area Video
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/5/2018

CVE-2018-5885

CVE ID CVE-2018-5885
Title Possible buffer overflow in Secure UI
Description While loading dynamic fonts, a buffer overflow may occur if the number of segments in the font file is out of range.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018

CVE-2018-5891

CVE ID CVE-2018-5891
Title Use After Free in Data
Description While processing modem SSR after IMS is registered, the IMS data daemon is restarted but the ipc_dataHandle is no longer available. Consequently, the DPL thread frees the internal memory for dataDHandle but the local variable pointer is not updated, which can lead to a Use After Free condition.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018

CVE-2018-5892

CVE ID CVE-2018-5892
Title Configuration in Android
Description The Touch Pal application can collect user behavior data without awareness by the user.
Technology Area Android UI
Vulnerability Type CWE-16 Configuration
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018

CVE-2018-5894

CVE ID CVE-2018-5894
Title Improper Validation of Array Index in Multimedia
Description While parsing an mp4 file, an out-of-bounds access can occur.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/5/2018

Version History

Version Date Comments
1.0 July 2, 2018 Bulletin Published

June 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 06/04/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-13218 Google Project Zero

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-13218 High WLAN HOST, Core Services 7/28/2017

CVE-2017-13218

CVE ID CVE-2017-13218
Title Permissions, Privileges, and Access Controls in Kernel
Description Access to CNTVCT_EL0 could be used for side channel attacks and this could lead to local information disclosure with no additional execution privileges needed.
Technology Area WLAN HOST, Core Services
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported 7/28/2017
Customer Notified Date 4/2/2018

Version History

Version Date Comments
1.0 June 4, 2018 Bulletin Published

May 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 05/08/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11009, CVE-2017-9711 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-9711 Medium Data Network Stack & Connectivity 4/13/2017
CVE-2017-14912 High Content Protection Internal
CVE-2017-11009 High Video 5/22/2017
CVE-2017-14913 High Trusted Execution Environment Internal
CVE-2017-14915 High Trusted Execution Environment Internal
CVE-2017-18160 High GPS Internal

CVE-2017-9711

CVE ID CVE-2017-9711
Title Permissions, Privileges, and Access Controls in Data
Description Certain unprivileged processes are able to perform IOCTL calls.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Medium
Date Reported 4/13/2017
Customer Notified Date 7/3/2017

CVE-2017-14912

CVE ID CVE-2017-14912
Title Improper Access Control in TrustZone
Description The attributes of buffers in Secure Display were not marked properly.
Technology Area Content Protection
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017

CVE-2017-11009

CVE ID CVE-2017-11009
Title Buffer Copy without Checking Size of Input in Multimedia
Description A buffer overflow vulnerability exists while parsing a bitstream.
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 5/22/2017
Customer Notified Date 8/7/2017

CVE-2017-14913

CVE ID CVE-2017-14913
Title Improper Input Validation in TrustZone
Description DDR address input validation is being improperly truncated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017

CVE-2017-14915

CVE ID CVE-2017-14915
Title Use After Free in Secure Processor
Description Accessing SPCOM functions with a compromised client structure can result in a Use After Free condition.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017

CVE-2017-18160

CVE ID CVE-2017-18160
Title Cryptographic Issues in GPS
Description AGPS session failure in the GNSS module because cipher suites are hardcoded and require a manual update every time.
Technology Area GPS
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017

Version History

Version Date Comments
1.0 May 8, 2018 Bulletin Published

April 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 04/13/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2013-4420 High On-device Logging Internal
CVE-2016-5341 Medium GPS Internal
CVE-2017-11010 High Trusted Execution Environment Internal
CVE-2017-11011 High Trusted Execution Environment Internal
CVE-2017-14910 High Security Feature Internal
CVE-2017-14911 Critical Trusted Execution Environment Internal
CVE-2017-17773 Critical Video Services Internal
CVE-2017-18071 Critical Trusted Execution Environment Internal
CVE-2017-18072 High WLAN Firmware 11/9/2016
CVE-2017-18073 High Trusted Execution Environment Internal
CVE-2017-18074 High Audio Internal
CVE-2017-18125 High Trusted Execution Environment Internal
CVE-2017-18126 High WLAN Firmware 12/9/2016
CVE-2017-18127 High Virtual Reality Internal
CVE-2017-18128 Critical Trusted Execution Environment Internal
CVE-2017-18129 High Trusted Execution Environment Internal
CVE-2017-18130 High Video Services Internal
CVE-2017-18132 High Trusted Execution Environment Internal
CVE-2017-18133 High Trusted Execution Environment Internal
CVE-2017-18134 High User Identity Module Internal
CVE-2017-18135 High Data Services Internal
CVE-2017-18136 High Audio Internal
CVE-2017-18137 High Data Services Internal
CVE-2017-18138 High GERAN Internal
CVE-2017-18139 High Modem Internal
CVE-2017-18140 High Data Network Stack & Connectivity Internal
CVE-2017-18142 High Data Services Internal
CVE-2017-18143 High Trusted Execution Environment Internal
CVE-2017-18144 High Data Network Stack & Connectivity Internal
CVE-2017-18145 High Data Network Stack & Connectivity Internal
CVE-2017-18146 Critical Trusted Execution Environment Internal
CVE-2017-18147 High Multimode Call Processing Services Internal
CVE-2017-8274 Critical Trusted Execution Environment Internal
CVE-2017-8275 High Video Services Internal
CVE-2018-3589 High RFA Internal
CVE-2018-3590 High Radio Interface Layer Internal
CVE-2018-3591 Critical Storage Services Internal
CVE-2018-3592 Critical Multimode Call Processing Services Internal
CVE-2018-3593 High Radio Interface Layer Internal
CVE-2018-3594 High Video Services Internal

Vulnerability Details

CVE-2013-4420

CVE ID CVE-2013-4420
Title Improper Input Validation in Logging
Description Multiple directory traversal vulnerabilities exist in libtar.
Technology Area On-device Logging
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
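CVE-2013-4420 is the libtar directory-traversal class: an archive member whose name (or the ustar prefix field joined to it) contains a `..` component or starts with `/` gets written outside the extraction root. The C below is an added illustration of how an extractor can vet a 512-byte ustar header before it creates anything; it is not libtar's code or the fix QTI shipped. The field offsets are the POSIX ustar layout, while `check_member` and the headers it builds are constructed for the demonstration. The link-target rule is deliberately conservative: any hard link or symlink member whose target climbs above its own directory is rejected, which also rejects some legitimate archives.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* POSIX ustar header layout: offset and width of the fields we need. */
#define TAR_NAME_OFF    0
#define TAR_NAME_LEN    100
#define TAR_TYPE_OFF    156
#define TAR_LINK_OFF    157
#define TAR_LINK_LEN    100
#define TAR_PREFIX_OFF  345
#define TAR_PREFIX_LEN  155
#define TAR_PATH_MAX    (TAR_PREFIX_LEN + 1 + TAR_NAME_LEN + 1)

/* Header strings are not guaranteed NUL-terminated; never strlen() them. */
static void copy_field(char *dst, const uint8_t *src, size_t width)
{
    size_t n = strnlen((const char *)src, width);
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* A member path is acceptable only if it is non-empty, relative, and has
 * no ".." component. "./a" and "a/./b" stay inside the root and pass. */
bool tar_path_is_safe(const char *path)
{
    if (path[0] == '\0' || path[0] == '/')
        return false;
    for (const char *seg = path;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;
        if (slash == NULL)
            return true;
        seg = slash + 1;
    }
}

/* Rebuild the member path the way ustar extractors do (prefix "/" name)
 * and vet it; for hard links ('1') and symlinks ('2') the link target is
 * vetted with the same rule, which conservatively rejects any target that
 * climbs above the member's own directory. */
bool tar_header_is_safe(const uint8_t hdr[512])
{
    char name[TAR_NAME_LEN + 1], prefix[TAR_PREFIX_LEN + 1], path[TAR_PATH_MAX];
    copy_field(name, hdr + TAR_NAME_OFF, TAR_NAME_LEN);
    copy_field(prefix, hdr + TAR_PREFIX_OFF, TAR_PREFIX_LEN);
    if (prefix[0] != '\0')
        snprintf(path, sizeof path, "%s/%s", prefix, name);
    else
        snprintf(path, sizeof path, "%s", name);
    if (!tar_path_is_safe(path))
        return false;

    char type = (char)hdr[TAR_TYPE_OFF];
    if (type == '1' || type == '2') {
        char link[TAR_LINK_LEN + 1];
        copy_field(link, hdr + TAR_LINK_OFF, TAR_LINK_LEN);
        if (!tar_path_is_safe(link))
            return false;
    }
    return true;
}

/* Constructed-header helper for the demo (hypothetical, not a libtar API):
 * builds a header with only the path-relevant fields set; mode, size and
 * checksum stay zero because the check above never looks at them. */
bool check_member(const char *prefix, const char *name, char type, const char *link)
{
    uint8_t hdr[512];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr + TAR_NAME_OFF, name, strnlen(name, TAR_NAME_LEN));
    memcpy(hdr + TAR_PREFIX_OFF, prefix, strnlen(prefix, TAR_PREFIX_LEN));
    hdr[TAR_TYPE_OFF] = (uint8_t)type;
    memcpy(hdr + TAR_LINK_OFF, link, strnlen(link, TAR_LINK_LEN));
    return tar_header_is_safe(hdr);
}

int main(void)
{
    const char *names[] = { "etc/passwd", "../../etc/passwd", "/etc/passwd", "a/../b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               check_member("", names[i], '0', "") ? "accept" : "REJECT");
    return 0;
}
```

The check runs on the header alone, before any filesystem call, so a rejected member costs nothing; a real extractor would additionally canonicalise the final path against the extraction root after creating parent directories, since symlinks created by earlier members can redirect later writes.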

CVE-2016-5341

CVE ID CVE-2016-5341
Title Improper Access Control in GPS
Description A man-in-the-middle can cause a denial of service in GPS.
Technology Area GPS
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating Medium
Date Reported Internal
Customer Notified Date 7/3/2017

CVE-2017-11010

CVE ID CVE-2017-11010
Title Improper Access Control in Core
Description Access control left a configuration space unprotected.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017

CVE-2017-11011

CVE ID CVE-2017-11011
Title Use After Free in Core
Description A Use After Free condition can occur in a communication API.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017

CVE-2017-14910

CVE ID CVE-2017-14910
Title Buffer Over-read in Sphinx
Description A buffer over-read is possible if there are no newlines in an input file.
Technology Area Security Feature
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017

CVE-2017-14911

CVE ID CVE-2017-14911
Title Improper Authentication in Boot
Description It is possible for the XBL loader to skip the authentication of device config.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017

CVE-2017-17773

CVE ID CVE-2017-17773
Title Buffer Overflow in Video
Description While processing an mpeg4 file, a buffer overflow can occur.
Technology Area Video Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18071

CVE ID CVE-2017-18071
Title Improper Access Control in Core
Description Debug policy can potentially be bypassed.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 3/14/2017

CVE-2017-18072

CVE ID CVE-2017-18072
Title Information Exposure in WLAN
Description Information exposure can occur in some 802.11 frames.
Technology Area WLAN Firmware
Vulnerability Type CWE-200 Information Exposure
Access Vector Adjacent Network
Security Rating High
Date Reported 11/9/2016
Customer Notified Date 11/6/2017

CVE-2017-18073

CVE ID CVE-2017-18073
Title Improper Input Validation in TrustZone
Description The HLOS can gain access to unauthorized memory.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017

CVE-2017-18074

CVE ID CVE-2017-18074
Title Improper Input Validation in Audio
Description While playing a .wma file with a modified media header whose bytes-per-second parameter has a non-standard value, a reachable assert occurs.
Technology Area Audio
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017

CVE-2017-18125

CVE ID CVE-2017-18125
Title Improper Input Validation in TrustZone
Description A secure camera buffer can be reused.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017

CVE-2017-18126

CVE ID CVE-2017-18126
Title Use of Insufficiently Random Values in WLAN
Description Information elements in some 802.11 frames are not sufficiently random.
Technology Area WLAN Firmware
Vulnerability Type CWE-330 Use of Insufficiently Random Values
Access Vector Adjacent Network
Security Rating High
Date Reported 12/9/2016
Customer Notified Date 11/6/2017

CVE-2017-18127

CVE ID CVE-2017-18127
Title Improper Input Validation in Virtual Reality
Description While processing a command packet in the VR service, a buffer overflow can occur.
Technology Area Virtual Reality
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18128

CVE ID CVE-2017-18128
Title Improper Access Control in Core
Description Improper access control while configuring the MPU that protects error-correction registers may lead to exposure of related secured data.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18129

CVE ID CVE-2017-18129
Title Improper Access Control in TrustZone
Description It is possible for IPA (Internet Protocol Accelerator) channels owned by one security domain to be controlled from other domains.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18130

CVE ID CVE-2017-18130
Title Buffer Over-read in Multimedia
Description While playing an ASF file, a buffer over-read can potentially occur.
Technology Area Video Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18132

CVE ID CVE-2017-18132
Title Buffer Over-read in Core
Description An out-of-bounds access can potentially occur in tz_assign().
Technology Area Trusted Execution Environment
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18133

CVE ID CVE-2017-18133
Title Improper Validation of Array Index in Core
Description An out-of-bounds access to the EBI channel array can potentially occur.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18134

CVE ID CVE-2017-18134
Title Buffer Copy without Checking Size of Input in UIM
Description A buffer overflow may potentially occur while processing a response from the SIM card.
Technology Area User Identity Module
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017

CVE-2017-18135

CVE ID CVE-2017-18135
Title Buffer Copy without Checking Size of Input in Data
Description In the Wireless Data Service (WDS) module, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18136

CVE ID CVE-2017-18136
Title Use After Free in Audio
Description In the OMX AAC component, a Use After Free condition may potentially occur.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18137

CVE ID CVE-2017-18137
Title Buffer Copy without Checking Size of Input in Data
Description While processing the IPv6 PDP address of the PDP context, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017

CVE-2017-18138

CVE ID CVE-2017-18138
Title Buffer Copy without Checking Size of Input in GERAN
Description In GERAN, a buffer overflow may potentially occur.
Technology Area GERAN
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18139

CVE ID CVE-2017-18139
Title Buffer Copy without Checking Size of Input in IMS
Description A buffer overflow vulnerability may potentially exist while making an IMS call.
Technology Area Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18140

CVE ID CVE-2017-18140
Title Use After Free in Data
Description When processing a call disconnection, a Use After Free condition may potentially occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18142

CVE ID CVE-2017-18142
Title Buffer Copy without Checking Size of Input in Data
Description While processing the IMS SIP username, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017

CVE-2017-18143

CVE ID CVE-2017-18143
Title Configuration in Core
Description On a secure device, PD dumps are collected when debugging is not enabled.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18144

CVE ID CVE-2017-18144
Title Use After Free in Data
Description While processing the retransmission of WPA supplicant command send failures, there is a make-after-break of the connection to the WPA supplicant where the local pointer is not properly updated. If the WPA supplicant command transmission fails, a Use After Free condition will occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18145

CVE ID CVE-2017-18145
Title Use After Free in Data
Description While the DPM native process is processing framework events, the iterator pointer is deleted after processing an event. When processing subsequent events, a Use After Free condition will occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
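CVE-2018-5891, CVE-2017-18144 and CVE-2017-18145 share one shape: a connection or iterator object is torn down and rebuilt (modem SSR, a make-after-break reconnect, an iterator deleted after an event) while another thread still holds the old pointer and uses it on the next event. One way to take the raw pointer out of the worker's hands, shown here as an added example and not the code of the affected daemons, is a generation-checked handle: workers keep a slot index plus the generation they saw, every use re-resolves through the owning table, and a handle that predates a close/reopen fails closed instead of touching recycled memory. The fixed-size pool, the `ipc_*` names and the `on_modem_ssr` scenario are constructed for this demonstration; the pool also keeps the "unsafe" worker's stale access well defined, where a malloc-backed object would make it a true use-after-free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CONN 4

typedef struct {
    bool     alive;
    uint32_t generation;   /* bumped on every (re)open of this slot */
    int      fd;           /* stands in for the real connection state */
} ipc_conn_t;

/* What a worker thread is allowed to keep: an index plus the generation
 * it saw when it looked the connection up, never the pointer itself. */
typedef struct { uint32_t slot; uint32_t generation; } ipc_handle_t;

static ipc_conn_t conn_table[MAX_CONN];   /* the single owner of the objects */

ipc_handle_t ipc_open(int fd)
{
    for (uint32_t i = 0; i < MAX_CONN; i++) {
        ipc_conn_t *c = &conn_table[i];
        if (!c->alive) {
            c->alive = true;
            c->fd = fd;
            c->generation++;
            return (ipc_handle_t){ i, c->generation };
        }
    }
    return (ipc_handle_t){ UINT32_MAX, 0 };   /* table full: invalid handle */
}

void ipc_close(ipc_handle_t h)
{
    if (h.slot < MAX_CONN && conn_table[h.slot].generation == h.generation)
        conn_table[h.slot].alive = false;
}

/* Every use goes through here. A handle that predates a close/reopen of
 * its slot fails the generation comparison and yields NULL. */
ipc_conn_t *ipc_resolve(ipc_handle_t h)
{
    if (h.slot >= MAX_CONN)
        return NULL;
    ipc_conn_t *c = &conn_table[h.slot];
    return (c->alive && c->generation == h.generation) ? c : NULL;
}

/* Vulnerable worker (modelled): caches the pointer it resolved once and
 * keeps using it. After the slot is reused it silently acts on whatever
 * connection now lives there; with malloc/free this is a use-after-free. */
int worker_send_unsafe(ipc_conn_t *cached, int *fd_used)
{
    if (cached == NULL)
        return -1;
    *fd_used = cached->fd;
    return 0;
}

/* Hardened worker: holds only the handle and re-resolves on every send. */
int worker_send_safe(ipc_handle_t h, int *fd_used)
{
    ipc_conn_t *c = ipc_resolve(h);
    if (c == NULL)
        return -1;           /* connection went away: caller must re-register */
    *fd_used = c->fd;
    return 0;
}

/* Modem SSR as seen by the daemon: tear the connection down, build a new
 * one. The old handle is invalid by construction from this point on. */
ipc_handle_t on_modem_ssr(ipc_handle_t old, int new_fd)
{
    ipc_close(old);
    return ipc_open(new_fd);
}

/* Constructed scenario: returns 1 when the cached-pointer worker ends up on
 * the recycled slot (wrong fd) while the handle-based worker refuses, and
 * a worker holding the new handle succeeds; 0 otherwise. */
int ssr_scenario(void)
{
    ipc_handle_t h = ipc_open(10);
    ipc_conn_t *cached = ipc_resolve(h);          /* the bug: pointer cached */
    ipc_handle_t h2 = on_modem_ssr(h, 20);        /* same slot reused, gen+1 */
    int fd_unsafe = 0, fd_safe = 0;
    int r_unsafe = worker_send_unsafe(cached, &fd_unsafe);   /* 0, fd 20 */
    int r_stale  = worker_send_safe(h, &fd_safe);            /* -1 */
    int r_new    = worker_send_safe(h2, &fd_safe);           /* 0, fd 20 */
    ipc_close(h2);
    return r_unsafe == 0 && fd_unsafe == 20 && r_stale == -1 &&
           r_new == 0 && fd_safe == 20;
}

int main(void)
{
    printf("stale handle rejected, stale pointer misdirected: %s\n",
           ssr_scenario() ? "yes" : "no");
    return 0;
}
```

The generation counter is what makes the scheme work: reusing a slot without bumping it would hand the stale handle a different object, exactly the failure the raw pointer has. In a multi-threaded daemon the resolve-and-use pair still needs the table's lock (or a reference count on the object) held across the send, otherwise the restart path can free the object between the check and the use.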

CVE-2017-18146

CVE ID CVE-2017-18146
Title Cryptographic Issues in Core
Description In some corner cases, signature verification can fail.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-18147

CVE ID CVE-2017-18147
Title Improper Input Validation in MMCP
Description In MMCP, a downlink message is not being properly validated.
Technology Area Multimode Call Processing Services
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017

CVE-2017-8274

CVE ID CVE-2017-8274
Title Improper Access Control in Core
Description An access control vulnerability exists in Core.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 6/5/2017

CVE-2017-8275

CVE ID CVE-2017-8275
Title Integer Overflow or Wraparound in Video
Description An integer overflow vulnerability exists in a video library.
Technology Area Video Services
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/5/2017

CVE-2018-3589

CVE ID CVE-2018-3589
Title Buffer Copy without Checking Size of Input in RFA
Description The VSWR capture size is larger than the maximum size of a diag logPacket, which can lead to a buffer overflow when the sample buffer is copied to the logPacket buffer.
Technology Area RFA
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018

CVE-2018-3590

CVE ID CVE-2018-3590
Title Use After Free in RIL
Description A Use After Free condition can occur in RIL while handling requests from Android.
Technology Area Radio Interface Layer
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018

CVE-2018-3591

CVE ID CVE-2018-3591
Title Configuration in Core
Description The default build configuration of deviceprogrammer can expose peek and poke commands.
Technology Area Storage Services
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/1/2018

CVE-2018-3592

CVE ID CVE-2018-3592
Title Use After Free in MMCP
Description A change was added to check whether the pointer has been reset to NULL before writing to the memory it points to.
Technology Area Multimode Call Processing Services
Vulnerability Type CWE-416 Use After Free
Access Vector Adjacent Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/1/2018

CVE-2018-3593

CVE ID CVE-2018-3593
Title Use After Free in RIL
Description Repeated enable/disable eMBMS requests may result in a double free condition.
Technology Area Radio Interface Layer
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018

CVE-2018-3594

CVE ID CVE-2018-3594
Title Buffer Over-read in Video
Description While parsing a private frame in an ID3 tag, a buffer over-read can occur when comparing frame data with predefined owner identifier strings.
Technology Area Video Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
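The CVE-2018-3594 pattern in a little more detail: an ID3v2 PRIV frame body begins with a NUL-terminated owner identifier followed by the private data, and a parser that hands that body straight to `strcmp` against its table of known owners reads past the end of the frame (and of the tag buffer) whenever the file omits the terminator. The C below is an added example, not Qualcomm's parser: it puts the unsafe comparison beside a bounded one and adds a minimal ID3v2.3 frame walk that checks each frame's declared size against the bytes actually present. The owner-identifier list, the sample tag bytes and the function names are constructed for the example, and the size field is read as plain big-endian (ID3v2.3), not the syncsafe form of ID3v2.4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative table of owner identifiers a player might recognise. */
static const char *const known_owners[] = {
    "WM/MediaClassPrimaryID",
    "WM/WMCollectionID",
    "example.org/private",
};
#define N_OWNERS (sizeof known_owners / sizeof known_owners[0])

/* Vulnerable pattern: the frame body is treated as a C string, so the
 * length the frame header advertised is ignored. If the owner identifier
 * is not NUL-terminated inside the frame, strcmp keeps reading beyond it.
 * Only ever called on a well-formed body in this file. */
int match_owner_unsafe(const uint8_t *body, size_t body_len)
{
    (void)body_len;                              /* ignoring this is the bug */
    for (size_t i = 0; i < N_OWNERS; i++)
        if (strcmp((const char *)body, known_owners[i]) == 0)
            return (int)i;
    return -1;
}

/* Hardened: find the terminator inside the frame first; a frame without
 * one is malformed and is rejected before any comparison. The compare is
 * then memcmp over an explicit length, so no byte past body_len is read. */
int match_owner_safe(const uint8_t *body, size_t body_len)
{
    const uint8_t *nul = memchr(body, 0, body_len);
    if (nul == NULL)
        return -1;                               /* unterminated owner id */
    size_t owner_len = (size_t)(nul - body);
    for (size_t i = 0; i < N_OWNERS; i++)
        if (strlen(known_owners[i]) == owner_len &&
            memcmp(body, known_owners[i], owner_len) == 0)
            return (int)i;
    return -1;
}

/* ID3v2.3 frame walk: 4-byte ID, 4-byte big-endian size, 2-byte flags.
 * Returns the owner index of the first PRIV frame, -1 if none or if any
 * frame claims more bytes than the tag actually contains. */
int first_priv_owner(const uint8_t *tag, size_t tag_len)
{
    size_t off = 0;
    while (tag_len - off >= 10) {
        const uint8_t *h = tag + off;
        if (h[0] == 0)                           /* padding: no more frames */
            return -1;
        uint32_t size = (uint32_t)h[4] << 24 | (uint32_t)h[5] << 16 |
                        (uint32_t)h[6] << 8 | h[7];
        if (size > tag_len - off - 10)
            return -1;                           /* truncated or lying frame */
        if (memcmp(h, "PRIV", 4) == 0)
            return match_owner_safe(h + 10, size);
        off += 10 + size;
    }
    return -1;
}

/* Constructed sample tag: a TIT2 frame ("x") then a PRIV frame whose owner
 * is "WM/WMCollectionID" (17 bytes + NUL) with two bytes of private data. */
static const uint8_t sample_tag[] = {
    'T','I','T','2', 0,0,0,2, 0,0,  0x00,'x',
    'P','R','I','V', 0,0,0,20, 0,0,
    'W','M','/','W','M','C','o','l','l','e','c','t','i','o','n','I','D',0,
    0xAA,0xBB,
};

/* Constructed malformed tag: PRIV body of four bytes with no terminator. */
static const uint8_t unterminated_tag[] = {
    'P','R','I','V', 0,0,0,4, 0,0,  'W','M','/','W',
};

int main(void)
{
    printf("well-formed PRIV owner index: %d\n",
           first_priv_owner(sample_tag, sizeof sample_tag));
    printf("unterminated PRIV owner index: %d\n",
           first_priv_owner(unterminated_tag, sizeof unterminated_tag));
    return 0;
}
```

Two bounds are enforced and both matter: the frame walk stops a frame from claiming bytes the tag does not have, and the owner compare stops a string routine from walking past the frame even when the frame size itself is honest.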

Version History

Version Date Comments
1.0 April 13, 2018 Bulletin Published

December 2017 Qualcomm Technologies, Inc. Security Bulletin

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements
This is the first public security bulletin released by Qualcomm Technologies Inc. Subsequent bulletins will be released on a regular cadence.

Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us:

CVE-2017-6211 Matthew Spisak of ENDGAME (www.endgame.com)
CVE-2017-9709 Jake Valletta

Table of Vulnerabilities

CVE ID Security Rating Technology Area Date Reported
CVE-2017-11005 High Qualcomm IPC Internal
CVE-2017-11006 High GPS Internal
CVE-2017-14907 Critical Trusted Execution Environment Internal
CVE-2017-14908 High Security Feature Internal
CVE-2017-14909 High GPS Internal
CVE-2017-14914 High Storage Internal
CVE-2017-14916 High Trusted Execution Environment Internal
CVE-2017-14917 High Trusted Execution Environment Internal
CVE-2017-14918 High GPS Internal
CVE-2017-15813 High WLAN Internal
CVE-2017-6211 Critical Multimode Core Protocol 1/23/2017
CVE-2017-9709 Medium Telephony 4/6/2017

Vulnerability Details

CVE-2017-11005

CVE ID CVE-2017-11005
Title Use After Free in Core
Description A Use After Free condition can occur during a deinitialization path.
Technology Area Qualcomm IPC
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDX20

CVE ID CVE-2017-11006
Title Use After Free in GNSS
Description A Use After Free condition can occur during positioning.
Technology Area GPS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SDX20

CVE ID CVE-2017-14907
Title Cryptographic Issues in TrustZone
Description Cryptographic strength is reduced while deriving the disk encryption key.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820A, S820AM, SD 425, SD 430, SD 625, SD 650/52, SD 820, SD 835

CVE ID CVE-2017-14908
Title Improper Input Validation in SafeSwitch
Description The SafeSwitch test application does not properly validate the number of blocks to verify.
Technology Area Security Feature
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835

CVE ID CVE-2017-14909
Title Integer Overflow to Buffer Overflow in GPS
Description A count value that is read from a file is not properly validated.
Technology Area GPS
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820AM, SD 820, SD 835

CVE ID CVE-2017-14914
Title Use After Free in Storage
Description Handles in the global client structure can become stale.
Technology Area Storage
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820A, MDM9206, MDM9310, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 600, SD 602A, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20

CVE ID CVE-2017-14916
Title Buffer Copy without Checking Size of Input in TEE kernel
Description Buffer sizes in the message passing interface are not properly validated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets SD 625, SD 650/52, SD 835

CVE ID CVE-2017-14917
Title Integer Overflow to Buffer Overflow in TEE kernel
Description Buffer sizes in the message passing interface are not properly validated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, SD 625, SD 650/52, SD 835

CVE ID CVE-2017-14918
Title Use After Free in GPS
Description In the GPS location wireless interface, a Use After Free condition can occur.
Technology Area GPS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20

CVE ID CVE-2017-15813
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow can occur while reading firmware logs.
Technology Area WLAN
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDX20

CVE ID CVE-2017-6211
Title Improper Input Validation in Multimode Core Protocol
Description In the processing of a downlink supplementary services message, a buffer overflow can occur.
Technology Area MMCP
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating Critical
Date Reported 1/23/2017
Customer Notified Date 2/27/2017
Affected Chipsets S820A, MDM6600, MDM9206, MDM9310, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, S820AM, QSC6270, S600, SD 200, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20M

CVE ID CVE-2017-9709
Title Improper Access Control in Telephony
Description A privilege escalation vulnerability exists in telephony.
Technology Area Telephony
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Medium
Date Reported 4/6/2017
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20

Version History

Version Date Comments
1.0 December 4, 2017 Bulletin Published
2.0 February 8, 2018 Revision