Product Security

Security Bulletins

Qualcomm security bulletins can be found here; navigate to the year and month you are interested in reviewing.

Bulletins

December 2017

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each vulnerability has an associated security rating.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements
This is the first public security bulletin released by Qualcomm Technologies, Inc. Subsequent bulletins will be released on a regular cadence.

Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us:

CVE-2017-6211: Matthew Spisak of ENDGAME (www.endgame.com)

CVE-2017-9709: Jake Valletta

Table of Vulnerabilities

| CVE ID | Security Rating | Technology Area | Date Reported |
| --- | --- | --- | --- |
| CVE-2017-11005 | High | Qualcomm IPC | Internal |
| CVE-2017-11006 | High | GPS | Internal |
| CVE-2017-14907 | Critical | Trusted Execution Environment | Internal |
| CVE-2017-14908 | High | Security Feature | Internal |
| CVE-2017-14909 | High | GPS | Internal |
| CVE-2017-14914 | High | Storage | Internal |
| CVE-2017-14916 | High | Trusted Execution Environment | Internal |
| CVE-2017-14917 | High | Trusted Execution Environment | Internal |
| CVE-2017-14918 | High | GPS | Internal |
| CVE-2017-15813 | High | WLAN | Internal |
| CVE-2017-6211 | Critical | Multimode Core Protocol | 1/23/2017 |
| CVE-2017-9709 | Medium | Telephony | 4/6/2017 |

Vulnerability Details

| CVE ID | CVE-2017-11005 |
| --- | --- |
| Title | Use After Free in Core |
| Description | A Use After Free condition can occur during a deinitialization path. |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/7/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDM670, SDX20 |

| CVE ID | CVE-2017-11006 |
| --- | --- |
| Title | Use After Free in GNSS |
| Description | A Use After Free condition can occur during positioning. |
| Technology Area | GPS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/7/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 615/16, SD 415, SD 625, SD 650/52, SD 820, SD 835, SDM670, SDX20 |

| CVE ID | CVE-2017-14907 |
| --- | --- |
| Title | Cryptographic Issues in TrustZone |
| Description | Cryptographic strength is reduced while deriving disk encryption key. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-310 Cryptographic Issues |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | S820A, S820AM, SD 425, SD 430, SD 625, SD 650/52, SD 820, SD 835 |

| CVE ID | CVE-2017-14908 |
| --- | --- |
| Title | Improper Input Validation in SafeSwitch |
| Description | The SafeSwitch test application does not properly validate the number of blocks to verify. |
| Technology Area | Security Feature |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835 |

| CVE ID | CVE-2017-14909 |
| --- | --- |
| Title | Integer Overflow to Buffer Overflow in GPS |
| Description | A count value that is read from a file is not properly validated. |
| Technology Area | GPS |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | S820AM, SD 820, SD 835 |

| CVE ID | CVE-2017-14914 |
| --- | --- |
| Title | Use After Free in Storage |
| Description | Handles in the global client structure can become stale. |
| Technology Area | Storage |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9310, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, S820AM, QCS605, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 600, SD 602A, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDM670, SDX20 |

| CVE ID | CVE-2017-14916 |
| --- | --- |
| Title | Buffer Copy without Checking Size of Input in TEE kernel |
| Description | Buffer sizes in the message passing interface are not properly validated. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | QCS605, SD 625, SD 650/52, SD 835, SDM670 |

| CVE ID | CVE-2017-14917 |
| --- | --- |
| Title | Integer Overflow to Buffer Overflow in TEE kernel |
| Description | Buffer sizes in the message passing interface are not properly validated. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Affected Chipsets | MDM9206, QCS605, SD 625, SD 650/52, SD 835, SDM670 |

| CVE ID | CVE-2017-14918 |
| --- | --- |
| Title | Use After Free in GPS |
| Description | In the GPS location wireless interface, a Use After Free condition can occur. |
| Technology Area | GPS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 7/3/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20 |

| CVE ID | CVE-2017-15813 |
| --- | --- |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | A buffer overflow can occur while reading firmware logs. |
| Technology Area | WLAN |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 7/3/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, S820AM, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDM670, SDX20 |

| CVE ID | CVE-2017-6211 |
| --- | --- |
| Title | Improper Input Validation in Multimode core protocol |
| Description | In the processing of a downlink supplementary services message, a buffer overflow can occur. |
| Technology Area | MMCP |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Adjacent Network |
| Security Rating | Critical |
| Date Reported | 01/23/2017 |
| Customer Notified Date | 2/27/2017 |
| Affected Chipsets | S820A, MDM6600, MDM9206, MDM9310, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, S820AM, QCS605, QSC6270, S600, SD 200, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDM670, SDX20M |

| CVE ID | CVE-2017-9709 |
| --- | --- |
| Title | Improper Access Control in Telephony |
| Description | A privilege escalation vulnerability exists in telephony. |
| Technology Area | Telephony |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 04/06/2017 |
| Customer Notified Date | 7/3/2017 |
| Affected Chipsets | S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20 |

Version History

| Version | Date | Comments |
| --- | --- | --- |
| 1.0 | December 4, 2017 | Bulletin Published |