October 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 10/01/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2018-11824, CVE-2018-5866, CVE-2018-5914: derrek (https://twitter.com/derrekr6)

Table of vulnerabilities

Public ID | Security Rating | Technology Area | Date Reported
CVE-2017-18298 | High | Trusted Execution Environment | Internal
CVE-2017-18304 | High | Power | Internal
CVE-2017-18313 | High | WLAN Firmware | Internal
CVE-2017-18299 | High | Trusted Execution Environment | Internal
CVE-2017-18292 | High | Trusted Execution Environment | Internal
CVE-2017-18312 | High | Trusted Execution Environment | Internal
CVE-2017-18297 | High | Trusted Execution Environment | Internal
CVE-2017-18170 | High | BT Controller | Internal
CVE-2017-18283 | High | BT Controller | Internal
CVE-2017-18171 | Critical | BT Controller | Internal
CVE-2017-18172 | High | Trusted Execution Environment | Internal
CVE-2017-18282 | High | Trusted Execution Environment | Internal
CVE-2017-18277 | High | WLAN HOST | Internal
CVE-2017-18294 | High | Trusted Execution Environment | Internal
CVE-2017-18293 | High | Trusted Execution Environment | Internal
CVE-2017-18295 | High | DSP Service | Internal
CVE-2017-18305 | Critical | Trusted Execution Environment | Internal
CVE-2017-18296 | Critical | Trusted Execution Environment | Internal
CVE-2017-18300 | High | Trusted Execution Environment | Internal
CVE-2017-18303 | High | Sensors | Internal
CVE-2017-18124 | High | Trusted Execution Environment | Internal
CVE-2017-18309 | High | Qualcomm IPC | Internal
CVE-2017-18311 | Critical | Trusted Execution Environment | Internal
CVE-2017-18310 | Critical | Trusted Execution Environment | Internal
CVE-2017-18308 | High | Trusted Execution Environment | Internal
CVE-2018-3588 | High | Trusted Execution Environment | Internal
CVE-2018-11305 | High | POSITIONING_WLAN | Internal
CVE-2018-11951 | High | Trusted Execution Environment | Internal
CVE-2018-11950 | Critical | Trusted Execution Environment | Internal
CVE-2018-11821 | High | WLAN Firmware | Internal
CVE-2018-11822 | High | WLAN Firmware | Internal
CVE-2018-5866 | Critical | Trusted Execution Environment | 1/16/2018
CVE-2018-5914 | High | Buses | 1/23/2018
CVE-2018-11824 | Critical | Biometrics | 1/23/2018
CVE-2018-11828 | High | WLAN Firmware | Internal
CVE-2018-11846 | High | Storage | Internal
CVE-2018-11849 | High | WLAN Firmware | Internal
CVE-2018-11850 | High | WLAN Firmware | Internal
CVE-2018-11853 | High | WLAN Firmware | Internal
CVE-2018-11854 | High | WLAN Firmware | Internal
CVE-2018-11856 | High | WLAN Firmware | Internal
CVE-2018-11857 | High | WLAN Firmware | Internal
CVE-2018-11858 | High | WLAN Firmware | Internal
CVE-2018-11859 | High | WLAN Firmware | Internal
CVE-2018-11861 | High | WLAN Firmware | Internal
CVE-2018-11862 | High | WLAN Firmware | Internal
CVE-2018-11865 | High | WLAN Firmware | Internal
CVE-2018-11866 | High | WLAN Firmware | Internal
CVE-2018-11867 | High | WLAN Firmware | Internal
CVE-2018-11870 | High | WLAN Firmware | Internal
CVE-2018-11871 | High | WLAN Firmware | Internal
CVE-2018-11872 | High | WLAN Firmware | Internal
CVE-2018-11873 | High | WLAN Firmware | Internal
CVE-2018-11874 | High | WLAN Firmware | Internal
CVE-2018-11875 | High | WLAN Firmware | Internal
CVE-2018-11876 | High | WLAN Firmware | Internal
CVE-2018-11877 | High | WLAN Firmware | Internal
CVE-2018-11879 | High | WLAN Firmware | Internal
CVE-2018-11880 | High | WLAN Firmware | Internal
CVE-2018-11882 | High | WLAN Firmware | Internal
CVE-2018-11884 | High | WLAN Firmware | Internal

CVE-2017-18298

CVE ID CVE-2017-18298
Title Null Pointer Dereference in Broadcast
Description Lack of input validation in the SDMX API can lead to a NULL pointer access.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660

CVE-2017-18304

CVE ID CVE-2017-18304
Title Buffer Over-read in Power
Description Insufficient memory allocation in boot due to incorrect size being passed could result in out of bounds access.
Technology Area Power
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets FSM9055, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDX20

CVE-2017-18313

CVE ID CVE-2017-18313
Title Need to move DXE accessible memory to end of CNSS image
Description Under certain modes of operation, the HLOS may be able to get direct or indirect access through DXE channels to tamper with the authenticated WCNSS firmware stored in DDR, because DXE-accessible memory is located within the authenticated image.
Technology Area WLAN Firmware
Vulnerability Type CWE-284 Improper Access Control
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 617

CVE-2017-18299

CVE ID CVE-2017-18299
Title Improper Access Control in Core
Description Improper translation table consolidation logic leads to resource exhaustion and a QSEE error.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660

CVE-2017-18292

CVE ID CVE-2017-18292
Title Lack of input validation may lead to system reset
Description A secure app running in non-secure space can restart TZ by calling the Widevine app API repeatedly.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A

CVE-2017-18312

CVE ID CVE-2017-18312
Title Possible SFS corruption while accessing SafeSwitch services
Description While accessing SafeSwitch services, SFS corruption is possible.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-285 Improper Authorization
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MSM8996AU, SD 410/12, SD 617, SD 650/52, SD 810, SD 820, SD 820A

CVE-2017-18297

CVE ID CVE-2017-18297
Title Double Free in Trusted Application Environment
Description Double memory free while closing a TEE SE API session.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820

CVE-2017-18170

CVE ID CVE-2017-18170
Title Integer Underflow vulnerability in Bluetooth controller
Description Improper input validation in Bluetooth Controller function can lead to possible memory corruption.
Technology Area BT Controller
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, SDM630, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2017-18283

CVE ID CVE-2017-18283
Title Lack of input validation in Bluetooth controller may lead to system reset
Description Possible memory corruption when Read Val Blob Req is received with invalid parameters.
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets QCA9379, SD 210/SD 212/SD 205, SD 625, SD 835, SD 845, SD 850, SDA660

CVE-2017-18171

CVE ID CVE-2017-18171
Title Improper Input Validation in BTSOC
Description Improper input validation for a GATT data packet received in a BTSOC function can lead to possible memory corruption.
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, SDM630, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2017-18172

CVE ID CVE-2017-18172
Title Integer Overflow or Wraparound in SUI
Description On a device with a 1440x2560 screen, the contiguous-buffer check overflows for certain buffer sizes, resulting in an Integer Overflow or Wraparound in System UI.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MDM9635M, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18282

CVE ID CVE-2017-18282
Title Improper Access Control in Access Control module
Description Privilege escalation using SDCC to access RPM
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SDA660

CVE-2017-18277

CVE ID CVE-2017-18277
Title Loop with Unreachable Exit Condition in WLAN
Description When dynamic memory allocation fails, the process sleeps for one second and then continues in an infinite loop without retrying the allocation.
Technology Area WLAN HOST
Vulnerability Type CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, QCN5502, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835

CVE-2017-18294

CVE ID CVE-2017-18294
Title Improper input validation when loading a TA image through QSEECOM driver
Description While reading the file class type from the ELF header, a buffer over-read may happen if the ELF file size is less than the size of the ELF64 header.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets FSM9055, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDA660, SDX20
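
The check described above, as an added example that is not part of this bulletin or of QTI's code: a loader that validates the image length in stages before it reads the ELF class byte and then the full header. The ELF constants follow the ELF specification; the sample image, the function names and the status codes are constructed for the illustration.

```c
/* Added illustration, not QTI code: stage the length checks when reading
 * an ELF header supplied by a less-privileged caller (the defect class
 * behind CVE-2017-18294).  Constants follow the ELF spec; the image and
 * status codes are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EI_NIDENT       16
#define EI_CLASS        4
#define ELFCLASS32      1
#define ELFCLASS64      2
#define ELF32_EHDR_SIZE 52
#define ELF64_EHDR_SIZE 64

enum elf_status {
    ELF_OK            =  0,
    ELF_ERR_TOO_SHORT = -1,
    ELF_ERR_BAD_MAGIC = -2,
    ELF_ERR_BAD_CLASS = -3
};

/* Vulnerable shape: trusts that the caller supplied at least a full
 * header.  Called with a 3-byte image this reads past the buffer end. */
int elf_class_unchecked(const uint8_t *img)
{
    return img[EI_CLASS];
}

/* Hardened shape: every read is preceded by a length check that covers
 * exactly the bytes about to be touched. */
int elf_check_header(const uint8_t *img, size_t len, int *class_out)
{
    size_t need;
    int cls;

    if (img == NULL || len < EI_NIDENT)          /* e_ident must be present */
        return ELF_ERR_TOO_SHORT;
    if (memcmp(img, "\x7f" "ELF", 4) != 0)
        return ELF_ERR_BAD_MAGIC;

    cls = img[EI_CLASS];                         /* now safe to read */
    if (cls == ELFCLASS64)      need = ELF64_EHDR_SIZE;
    else if (cls == ELFCLASS32) need = ELF32_EHDR_SIZE;
    else                        return ELF_ERR_BAD_CLASS;

    if (len < need)                              /* full header present? */
        return ELF_ERR_TOO_SHORT;
    if (class_out) *class_out = cls;
    return ELF_OK;
}

/* Constructed 64-byte ELF64 header: magic, class 2, data 1, version 1,
 * remaining fields zero. */
const uint8_t sample_elf64[ELF64_EHDR_SIZE] = { 0x7f, 'E', 'L', 'F', 2, 1, 1 };

int main(void)
{
    int cls = 0;
    printf("full image: %d (class %d)\n",
           elf_check_header(sample_elf64, sizeof sample_elf64, &cls), cls);
    printf("40 bytes:   %d\n", elf_check_header(sample_elf64, 40, NULL));
    printf("3 bytes:    %d\n", elf_check_header(sample_elf64, 3, NULL));
    return 0;
}
```

The ordering matters: each length check covers exactly the bytes the next read touches, e_ident first, then the class-dependent header size. Checking only against the ELF64 header size would wrongly reject valid ELF32 images; checking against neither is the over-read described above.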

CVE-2017-18293

CVE ID CVE-2017-18293
Title Improper access control on TLMM banked GPIO registers on some targets
Description When a particular GPIO is protected by blocking access to the corresponding "GPIO resource registers", the protection can be bypassed using the corresponding banked GPIO registers instead.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SDA660

CVE-2017-18295

CVE ID CVE-2017-18295
Title Buffer Copy Without Checking Size of Input in DSP Services
Description Possible buffer overflow in the DSP Service module if the input is not null-terminated.
Technology Area DSP Service
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDX20

CVE-2017-18305

CVE ID CVE-2017-18305
Title Improper Access Control in Core
Description The XBL_SEC memory dump system call allows complete control of EL3 by unlocking all XPUs if the auth_en fuse is not blown.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835

CVE-2017-18296

CVE ID CVE-2017-18296
Title Improper Access Control in Safeswitch
Description Access control on applications is not applied while accessing SafeSwitch services
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDA660, SDX20

CVE-2017-18300

CVE ID CVE-2017-18300
Title Information Exposure in TZ
Description Improper clean up of Secure Display buffers after a Trusted Application crash
Technology Area Trusted Execution Environment
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SDA660

CVE-2017-18303

CVE ID CVE-2017-18303
Title Buffer Copy Without Checking Size of Input in SSC
Description Stack buffer overflow while processing sensors registry configuration file
Technology Area Sensors
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SDA660, SDX20

CVE-2017-18124

CVE ID CVE-2017-18124
Title Use of Out-of-range Pointer Offset in Core
Description During secure boot, addition is performed on uint8 pointers; if the addition overflows, the behaviour is undefined.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets FSM9055, IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2017-18309

CVE ID CVE-2017-18309
Title Improper Validation of Array Index in G-Link
Description A micro-core on the QMP transport may cause a macro-core to read from or write to arbitrary memory.
Technology Area Qualcomm IPC
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/4/2017
Affected Chipsets SD 845, SD 850

CVE-2017-18311

CVE ID CVE-2017-18311
Title Improper access control of unused configuration xPU ports
Description XPU master privilege escalation is possible because unused xPU configuration ports are left open instead of being access-controlled.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 9/4/2017
Affected Chipsets MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18310

CVE ID CVE-2017-18310
Title Improper Access Control in TZ
Description ClientEnv exposes services 0-32 to HLOS
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18308

CVE ID CVE-2017-18308
Title Improper Access Control in Core Services
Description Modem segments are unlocked after authentication
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/4/2017
Affected Chipsets MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430

CVE-2018-3588

CVE ID CVE-2018-3588
Title Improper Access Control in Core.
Description There is improper access control of the SSC and GPU mapped regions.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835, SDA660

CVE-2018-11305

CVE ID CVE-2018-11305
Title Use After Free in GPS
Description When a series of FDAL messages are sent to the modem, a Use After Free condition can occur.
Technology Area POSITIONING_WLAN
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDA660, SDX20

CVE-2018-11951

CVE ID CVE-2018-11951
Title Improper Access Control in Core
Description In a certain flashless boot procedure, XBL_LOADER performs the ZI region clear for QTEE instead of XBL_SEC. The ZI clear must be performed by an execution environment at least at the same privilege level as the execution environment performing the authentication.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets SD 845, SD 850

CVE-2018-11950

CVE ID CVE-2018-11950
Title Improper Input Validation in Core
Description Unapproved TrustZone applications can be loaded and executed.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets SD 845, SD 850

CVE-2018-11821

CVE ID CVE-2018-11821
Title Integer Overflow or Wraparound in WLAN
Description A possible integer overflow may happen in WLAN during memory allocation.
Technology Area WLAN Firmware
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9650, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 835, SD 845, SD 850, SDA660, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2018-11822

CVE ID CVE-2018-11822
Title Integer Overflow or Wraparound in WLAN
Description A possible integer overflow may happen in WLAN during memory allocation.
Technology Area WLAN Firmware
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-5866

CVE ID CVE-2018-5866
Title Untrusted Pointer Dereference in TrustZone
Description While processing logs, data is copied into a buffer pointed to by an untrusted pointer.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-822 Untrusted Pointer Dereference
Access Vector Local
Security Rating Critical
Date Reported 1/16/2018
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SD 845, SD 850, SDA660

CVE-2018-5914

CVE ID CVE-2018-5914
Title Improper Validation of Array Index in TZ CORE
Description Possible array out-of-bounds access in a TZ function while looking up peripheral details using incoming data.
Technology Area Buses
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported 1/23/2018
Customer Notified Date 5/7/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 835, SDA660

CVE-2018-11824

CVE ID CVE-2018-11824
Title Stack-based Buffer Overflow in TrustZone
Description A stack-based buffer overflow can occur in a firmware routine.
Technology Area Biometrics
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating Critical
Date Reported 1/23/2018
Customer Notified Date 7/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850, SDA660

CVE-2018-11828

CVE ID CVE-2018-11828
Title Uncontrolled Resource Consumption in WLAN
Description When the firmware tries to generate a random MAC address from the new software RNG and the ADC values read are constant, the DUT gets stuck in a loop while trying to collect random ADC samples.
Technology Area WLAN Firmware
Vulnerability Type CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52

CVE-2018-11846

CVE ID CVE-2018-11846
Title Information Exposure in Storage
Description The use of a non-time-constant memory comparison operation (such as memcmp) can lead to timing/side channel attacks.
Technology Area Storage
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 210/SD 212/SD 205, SD 845, SD 850
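
An added illustration (not from this bulletin or from QTI) of the comparison problem above: a memcmp-style check of a secret beside a constant-time one, with instrumented versions that report how many bytes each strategy examines before answering. The tag values and TAG_LEN are constructed.

```c
/* Added illustration, not QTI code: why a memcmp-style comparison of a
 * secret (the defect class behind CVE-2018-11846) leaks through timing,
 * and the constant-time replacement.  Tags and TAG_LEN are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Leaky: memcmp may stop at the first differing byte, so the elapsed
 * time tells the caller how long the matching prefix was. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* Constant-time: touches every byte regardless of where the first
 * mismatch is, and folds the result to 0/1 without a data-dependent
 * branch.  The volatile accumulator discourages the compiler from
 * reintroducing an early exit. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t acc = 0;
    uint32_t d;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    d = acc;                                   /* 0 iff all bytes matched */
    return (int)(1u & ((d - 1u) >> 8));        /* 1 when d == 0, else 0 */
}

/* Models of the two strategies that report how many bytes were examined;
 * that count is what an attacker recovers from timing measurements. */
size_t bytes_examined_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return i + 1;
    return n;
}

size_t bytes_examined_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    (void)a; (void)b;
    return n;                                  /* never exits early */
}

/* Constructed reference tag and two guesses: one wrong at byte 0, one
 * wrong only at byte 12. */
const uint8_t ref_tag[TAG_LEN] = { 0x31,0x8b,0xf2,0x07,0x4c,0x9d,0xaa,0x10,
                                   0x5e,0x23,0xc8,0x77,0x0f,0x6a,0xb4,0x91 };
const uint8_t guess_a[TAG_LEN] = { 0x00,0x8b,0xf2,0x07,0x4c,0x9d,0xaa,0x10,
                                   0x5e,0x23,0xc8,0x77,0x0f,0x6a,0xb4,0x91 };
const uint8_t guess_b[TAG_LEN] = { 0x31,0x8b,0xf2,0x07,0x4c,0x9d,0xaa,0x10,
                                   0x5e,0x23,0xc8,0x77,0xff,0x6a,0xb4,0x91 };

int main(void)
{
    printf("early-exit: guess_a examined %zu bytes, guess_b examined %zu bytes\n",
           bytes_examined_early_exit(ref_tag, guess_a, TAG_LEN),
           bytes_examined_early_exit(ref_tag, guess_b, TAG_LEN));
    printf("constant-time: every guess examines %zu bytes; ref==ref -> %d\n",
           bytes_examined_ct(ref_tag, guess_b, TAG_LEN),
           tag_equal_ct(ref_tag, ref_tag, TAG_LEN));
    return 0;
}
```

Whether a given memcmp actually exits early is implementation-specific, which is exactly why it cannot be relied on for secrets: the replacement must touch every byte and must not branch on intermediate results, as tag_equal_ct does. On a real target, inspect the generated code, since an optimiser can undo the intent.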

CVE-2018-11849

CVE ID CVE-2018-11849
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of an out-of-range check on 'num_bssid' when processing WMI_START_SCAN_CMDID leads to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9886, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2018-11850

CVE ID CVE-2018-11850
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of an out-of-range check on 'remaining_len' when processing WMI_START_SCAN_CMDID leads to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 625, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2018-11853

CVE ID CVE-2018-11853
Title Reachable Assertion in WLAN
Description Lack of an out-of-range check on 'num_chan' when processing WMI_ROAM_SET_CHAN_LIST leads to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9650, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016
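
An added example (not QTI code) of the check shared by CVE-2018-11849, CVE-2018-11850 and CVE-2018-11853 above: a count field read from a host-supplied WMI message must be bounded by the capacity of the array it indexes, and the copy that follows must be bounded by the bytes actually present in the message. The wire layout, MAX_BSSID, the sample commands and the function names are constructed for the illustration and are not the real WMI encoding.

```c
/* Added illustration, not QTI code: validating a host-supplied count
 * before it drives a copy into a fixed-size firmware array.  The layout
 * below (uint32 count, then count 6-byte addresses) is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BSSID 4     /* hypothetical capacity of the firmware array */
#define MAC_LEN   6
#define HDR_LEN   4     /* uint32 num_bssid, little-endian */

struct scan_cmd {
    uint32_t num_bssid;
    uint8_t  bssid[MAX_BSSID][MAC_LEN];
};

enum { SCAN_OK = 0, SCAN_ERR_SHORT = -1, SCAN_ERR_COUNT = -2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the loop bound comes straight from the message, so a
 * host-supplied num_bssid > MAX_BSSID writes past out->bssid.  Never call
 * this on untrusted input; it is here only to show the missing checks. */
void parse_scan_cmd_unchecked(const uint8_t *buf, struct scan_cmd *out)
{
    uint32_t n = rd32le(buf);
    out->num_bssid = n;
    for (uint32_t i = 0; i < n; i++)
        memcpy(out->bssid[i], buf + HDR_LEN + (size_t)i * MAC_LEN, MAC_LEN);
}

/* Hardened shape: bound the count by the array capacity, then bound the
 * copy by the bytes the message actually carries. */
int parse_scan_cmd(const uint8_t *buf, size_t len, struct scan_cmd *out)
{
    uint32_t n;
    size_t need;

    if (len < HDR_LEN) return SCAN_ERR_SHORT;
    n = rd32le(buf);
    if (n > MAX_BSSID) return SCAN_ERR_COUNT;      /* array capacity */
    need = HDR_LEN + (size_t)n * MAC_LEN;          /* n <= 4: cannot wrap */
    if (len < need) return SCAN_ERR_SHORT;         /* payload really there? */

    memset(out, 0, sizeof *out);
    out->num_bssid = n;
    memcpy(out->bssid, buf + HDR_LEN, (size_t)n * MAC_LEN);
    return SCAN_OK;
}

/* Constructed messages: a valid two-entry command, one claiming
 * 0xFFFFFFFF entries, and one claiming three entries but carrying one. */
const uint8_t good_cmd[HDR_LEN + 2 * MAC_LEN] = {
    2, 0, 0, 0,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb
};
const uint8_t huge_cmd[HDR_LEN + MAC_LEN] = {
    0xff, 0xff, 0xff, 0xff,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};
const uint8_t truncated_cmd[HDR_LEN + MAC_LEN] = {
    3, 0, 0, 0,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};

int main(void)
{
    struct scan_cmd cmd;
    printf("good: %d\n", parse_scan_cmd(good_cmd, sizeof good_cmd, &cmd));
    printf("huge count: %d\n", parse_scan_cmd(huge_cmd, sizeof huge_cmd, &cmd));
    printf("truncated: %d\n", parse_scan_cmd(truncated_cmd, sizeof truncated_cmd, &cmd));
    return 0;
}
```

Both checks are needed: the capacity check alone still lets a short message make the parser read past its end, and the length check alone still lets an oversized count overflow the destination array.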

CVE-2018-11854

CVE ID CVE-2018-11854
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of a check on the length of an input parameter may cause a buffer overwrite in WLAN.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11856

CVE ID CVE-2018-11856
Title Buffer Copy Without Checking Size of Input in WLAN
Description Improper input validation leads to a buffer overwrite in the WLAN function that handles WMI commands.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850

CVE-2018-11857

CVE ID CVE-2018-11857
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overwrite can happen while processing WMI_VDEV_ENCRYPT_DECRYPT_DATA_REQ_CMDID if input length is greater than the maximum allocated size.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850

CVE-2018-11858

CVE ID CVE-2018-11858
Title Possible buffer overwrite in WLAN
Description When processing WMI_VDEV_SET_IE_CMDID, buffer overwrite may occur due to lack of input validation of the IE length.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850

CVE-2018-11859

CVE ID CVE-2018-11859
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overwrite can happen in WLAN due to lack of validation of the input length.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845, SD 850

CVE-2018-11861

CVE ID CVE-2018-11861
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow can happen in WLAN due to lack of validation of the input length.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845, SD 850, SDA660

CVE-2018-11862

CVE ID CVE-2018-11862
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overflow can happen in WLAN due to lack of validation of the input length.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845, SD 850, SDA660

CVE-2018-11865

CVE ID CVE-2018-11865
Title Integer Overflow to Buffer Overflow in WLAN
Description Integer overflow may happen when calculating an internal structure size due to lack of validation of the input length.
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2018-11866

CVE ID CVE-2018-11866
Title Integer Overflow to Buffer Overflow in WLAN
Description Integer overflow may happen when calculating an internal structure size due to lack of validation of the input length.
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016
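
An added example (not QTI code) covering the arithmetic behind CVE-2018-11865 and CVE-2018-11866 above, and the pointer-addition problem in CVE-2017-18124 earlier in this bulletin: a size computed from an input count must be tested for wraparound before it sizes an allocation, and a pointer must not be advanced past its object in order to test whether it would be in range. HDR_SIZE, POOL_MAX and the function names are hypothetical.

```c
/* Added illustration, not QTI code: the two arithmetic checks whose
 * absence is described in CVE-2018-11865/11866 (size computed from an
 * input count wraps) and CVE-2017-18124 (pointer addition overflows).
 * HDR_SIZE and POOL_MAX are hypothetical firmware limits. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 16u
#define POOL_MAX (64u * 1024u)

/* Vulnerable shape: with count = 0x10000000 and elem = 16 the product is
 * 2^32, which wraps to 0, so the allocation is 16 bytes while the copy
 * that follows still writes count*elem bytes into it. */
uint32_t struct_size_unchecked(uint32_t count, uint32_t elem)
{
    return HDR_SIZE + count * elem;
}

/* Hardened shape: test for wraparound before each operation and cap the
 * total at what the pool can actually hand out. */
bool struct_size_checked(uint32_t count, uint32_t elem, uint32_t *out)
{
    uint32_t body;
    if (elem != 0 && count > UINT32_MAX / elem) return false; /* mul wrap */
    body = count * elem;
    if (body > UINT32_MAX - HDR_SIZE) return false;           /* add wrap */
    if (body + HDR_SIZE > POOL_MAX) return false;             /* policy cap */
    *out = body + HDR_SIZE;
    return true;
}

/* Range check that never forms an out-of-range pointer: compare offsets
 * and lengths as integers, and derive the pointer only on success.  The
 * naive "base + off + n <= base + len" test computes the very pointer
 * whose overflow is undefined behaviour. */
const uint8_t *slice_in_bounds(const uint8_t *base, size_t len,
                               size_t off, size_t n)
{
    if (off > len || n > len - off) return NULL;  /* no expression wraps */
    return base + off;
}

int main(void)
{
    uint32_t sz = 0;
    printf("unchecked(0x10000000, 16) = %u\n",
           struct_size_unchecked(0x10000000u, 16u));
    printf("checked(0x10000000, 16) ok=%d\n",
           struct_size_checked(0x10000000u, 16u, &sz));
    printf("checked(100, 16) ok=%d size=%u\n",
           struct_size_checked(100u, 16u, &sz), sz);
    return 0;
}
```

Where the toolchain provides __builtin_mul_overflow and __builtin_add_overflow they are the better choice; the explicit divisions here keep the condition visible. For the pointer case the check compares offsets, so no out-of-range pointer is ever formed, which is precisely what CWE-823 forbids.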

CVE-2018-11867

CVE ID CVE-2018-11867
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of a buffer length check before copying in a WLAN function while processing wmi_fips_event can lead to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845

CVE-2018-11870

CVE ID CVE-2018-11870
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overwrite can occur when the legacy rates count received from the host is not checked against the maximum number of legacy rates.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2018-11871

CVE ID CVE-2018-11871
Title Buffer Copy Without Checking Size of Input in WLAN
Description Buffer overwrite can happen in WLAN function while processing WMI_PDEV_SET_PARAM_CMDID due to lack of input validation.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2018-11872

CVE ID CVE-2018-11872
Title Buffer Copy Without Checking Size of Input in WLAN
Description Improper input validation leads to a buffer overwrite in the WLAN function that handles WMI commands.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845, SD 850, SDA660

CVE-2018-11873

CVE ID CVE-2018-11873
Title Buffer Copy Without Checking Size of Input in WLAN
Description Improper input validation leads to a buffer overwrite in the WLAN function that handles wlan_roam_buffer_host_invoke_roam.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845

CVE-2018-11874

CVE ID CVE-2018-11874
Title Buffer Copy Without Checking Size of Input in WLAN
Description A buffer overflow can occur if the passphrase length is more than 32 when setting up a secure (passphrase) NDP connection.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11875

CVE ID CVE-2018-11875
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of a buffer size check before copying in a WLAN function can lead to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845, SD 850

CVE-2018-11876

CVE ID CVE-2018-11876
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of input validation while copying to a buffer in WLAN will lead to a buffer overflow.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11877

CVE ID CVE-2018-11877
Title Buffer Copy Without Checking Size of Input in WLAN
Description When the buffer length passed is very large in WLAN, the bounds check could be bypassed, leading to a potential buffer overwrite.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11879

CVE ID CVE-2018-11879
Title Integer Overflow to Buffer Overflow in WLAN
Description When the buffer length passed is very large, the bounds check could be bypassed, leading to a potential buffer overwrite.
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 845

CVE-2018-11880

CVE ID CVE-2018-11880
Title Buffer Copy Without Checking Size of Input in WLAN
Description An incorrect bound check can lead to a potential buffer overwrite in WLAN.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11882

CVE ID CVE-2018-11882
Title Buffer Copy Without Checking Size of Input in WLAN
Description An incorrect bound check can lead to a potential buffer overwrite in the WLAN controller.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

CVE-2018-11884

CVE ID CVE-2018-11884
Title Buffer Copy Without Checking Size of Input in WLAN
Description Improper input validation leads to a buffer overflow while processing the command WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID in a WLAN function.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/2/2018
Affected Chipsets SD 835, SD 845, SD 850, SDA660

Version History

Version Date Comments
1.0 October 1, 2018 Bulletin Published

September 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.0

Published: 09/04/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081 Mathy Vanhoef, Frank Piessens
CVE-2018-11290, CVE-2018-11291, CVE-2018-5837, CVE-2018-5871 Mathieu Cunche, Célestin Matte, INSA-Lyon, Inria, and Mathy Vanhoef, imec-DistriNet, KU Leuven

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-13077 Critical WLAN Firmware 8/25/2017
CVE-2017-13078 Critical WLAN Firmware 8/25/2017
CVE-2017-13079 Critical WLAN Firmware 8/25/2017
CVE-2017-13080 Critical WLAN Firmware 8/25/2017
CVE-2017-13081 Critical WLAN Firmware 8/25/2017
CVE-2017-18280 High Buses Internal
CVE-2017-18301 High Trusted Execution Environment Internal
CVE-2017-18302 High Biometrics Internal
CVE-2017-18314 Critical Trusted Execution Environment Internal
CVE-2018-11267 High Storage Internal
CVE-2018-11268 High Storage Internal
CVE-2018-11269 High Storage Internal
CVE-2018-11277 Medium Telephony 8/17/2017
CVE-2018-11285 High Video Internal
CVE-2018-11287 High Video Internal
CVE-2018-11290 High WLAN Firmware 2/22/2017
CVE-2018-11291 High WLAN Firmware 2/22/2017
CVE-2018-11292 High WLAN Firmware Internal
CVE-2018-11982 Critical LTE Internal
CVE-2018-5837 High WLAN Firmware 2/22/2017
CVE-2018-5871 High WLAN Firmware 2/22/2017

CVE-2017-13077

CVE ID CVE-2017-13077
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake of the WPA2 protocol.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Affected Chipsets FSM9055, FSM9955, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5500, QCN5502, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2017-13078

CVE ID CVE-2017-13078
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake of the WPA/WPA2 protocol.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5500, QCN5502, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2017-13079

CVE ID CVE-2017-13079
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake and the group key handshake of the WPA/WPA2 protocol.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Affected Chipsets IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA4531, QCA9558, QCA9980, QCN5502, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2017-13080

CVE ID CVE-2017-13080
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake and the group key handshake of the WPA/WPA2 protocol.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Affected Chipsets IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA4004, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9980, QCN5502, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2017-13081

CVE ID CVE-2017-13081
Title Cryptographic Issues in WLAN
Description Cryptographic issues can occur during the 4-way handshake and the group key handshake of the WPA/WPA2 protocol.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 8/25/2017
Customer Notified Date 2/5/2018
Affected Chipsets IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA4531, QCA9558, QCA9980, QCN5502, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDX20

CVE-2017-18280

CVE ID CVE-2017-18280
Title Access to the SPI/I2C bus is non-exclusive
Description SPI/I2C bus provides access to the trusted UI such as fingerprint reader and Secure Touch. When a Trusted Application has opened the SPI/I2C interface to a particular device, it is possible for another Trusted Application to read the data on this open interface by calling the SPI/I2C read function.
Technology Area Buses
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9607, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDM429, SDM439, SDM632, Snapdragon_High_Med_2016

CVE-2017-18301

CVE ID CVE-2017-18301
Title Null pointer dereference while invoking create key IOCTL with invalid arguments
Description Passing a NULL ICE regulator argument while processing the create key IOCTL results in a system restart.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets FSM9055, FSM9955, MDM9607, MDM9640, MDM9650, MSM8909W, SD 425, SD 427, SD 430, SD 435, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2017-18302

CVE ID CVE-2017-18302
Title TOCTOU vulnerabilities in Ontario_Driver_Ioctl
Description A crafted HLOS client can modify the structure in memory passed to a QSEE application between the time of check and the time of use, resulting in arbitrary writes to TZ kernel memory regions.
Technology Area Biometrics
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MSM8996AU, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18314

CVE ID CVE-2017-18314
Title QDSS RG0 not protected after TZ cold boot
Description On TZ cold boot, the CNOC_QDSS RG0 locked by xBL_SEC is cleared by TZ.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2018-11267

CVE ID CVE-2018-11267
Title Improper Validation of Array Index in Core
Description When malformed XML data is sent to deviceprogrammer/firehose, it may perform an out-of-bounds buffer write, allowing a region of memory to be filled with 0x20.
Technology Area Storage
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-11268

CVE ID CVE-2018-11268
Title Improper Validation of Array Index in Storage
Description A potential buffer overflow exists when parsing TFTP options.
Technology Area Storage
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2018-11269

CVE ID CVE-2018-11269
Title Improper Validation of Array Index in Storage
Description A potential buffer overflow exists when parsing TFTP options.
Technology Area Storage
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-11277

CVE ID CVE-2018-11277
Title Permission Issues in Telephony
Description The com.qualcomm.embms is a vendor package deployed in the system image which has an inadequate permission level and allows any application installed from Play Store to request this permission at install-time. The system application interfaces with the Radio Interface Layer, leading to a potential access control issue.
Technology Area Telephony
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Medium
Date Reported 8/17/2017
Customer Notified Date 6/4/2018
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660

CVE-2018-11285

CVE ID CVE-2018-11285
Title Buffer over-read in Video
Description While parsing a FLAC file with a corrupted picture block, a buffer over-read can occur.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

CVE-2018-11287

CVE ID CVE-2018-11287
Title Always-Incorrect Control Flow Implementation in Video
Description Incorrect control flow implementation in h265VspParseSliceHdr() while checking buffer sufficiency.
Technology Area Video
Vulnerability Type CWE-670 Always-Incorrect Control Flow Implementation
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2018-11290

CVE ID CVE-2018-11290
Title Cryptographic Issues in WLAN
Description MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG in use.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Network
Security Rating High
Date Reported 2/22/2017
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-11291

CVE ID CVE-2018-11291
Title Cryptographic Issues in WLAN
Description Cryptographic issues in NAN because the random number generator in use was not a strong one.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Network
Security Rating High
Date Reported 2/22/2017
Customer Notified Date 6/4/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-11292

CVE ID CVE-2018-11292
Title Buffer Overflow in WLAN
Description Lack of input validation in WLAN WMI command handlers can lead to integer and heap overflows.
Technology Area WLAN Firmware
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/4/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2018-11982

CVE ID CVE-2018-11982
Title Double Free in LTE
Description A double free of ASN1 heap memory used for the EUTRA CAP container occurs during the UTRAN to LTE Capability inquiry procedure.
Technology Area LTE
Vulnerability Type CWE-415 Double Free
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported Internal
Customer Notified Date 6/12/2017
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016

CVE-2018-5837

CVE ID CVE-2018-5837
Title Cryptographic Issues in WLAN
Description MAC address randomization performed during probe requests is not done properly due to a flawed RNG which produced repeating output much earlier than expected.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Network
Security Rating High
Date Reported 2/22/2017
Customer Notified Date 3/5/2018
Affected Chipsets IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2018-5871

CVE ID CVE-2018-5871
Title Cryptographic Issues in WLAN
Description MAC address randomization performed during probe requests (for privacy reasons) is not done properly due to a flawed RNG which produces repeating output much earlier than expected.
Technology Area WLAN Firmware
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating High
Date Reported 2/22/2017
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

Version History

Version Date Comments
1.0 September 4, 2018 Bulletin Published

August 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.1

Published: 08/10/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11076 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.
CVE-2017-18155 Issue reported by a customer
CVE-2017-18275 En He <5862290@qq.com>
CVE-2018-5383 Eli Biham and Lior Neumann, Department of Computer Science, Technion – Israel Institute of Technology

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-11076 High Video 8/25/2017
CVE-2017-15841 High BTSOC - Rome Internal
CVE-2017-18131 High Trusted Execution Environment Internal
CVE-2017-18155 High Video 6/5/2017
CVE-2017-18156 High Connected Camera Internal
CVE-2017-18157 High Power Internal
CVE-2017-18173 High Trusted Execution Environment Internal
CVE-2017-18274 High Qualcomm SnapDragon Smart Protect Internal
CVE-2017-18275 High Telephony 1/12/2017
CVE-2017-18276 High KERNEL Internal
CVE-2017-18278 High Trusted Execution Environment Internal
CVE-2017-18279 High Camera Internal
CVE-2018-5383 Critical Bluetooth Controller 1/18/2018

CVE-2017-11076

CVE ID CVE-2017-11076
Title Use of Out-of-range Pointer Offset in Video
Description Use of Out-of-range Pointer Offset in Video
Technology Area Video
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Network
Security Rating High
Date Reported 8/25/2017
Customer Notified Date 11/6/2017
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 810, SD 820, SD 820A, SD 835, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2017-15841

CVE ID CVE-2017-15841
Title Improper Authorization in BTSOC
Description Improper Authorization in BTSOC
Technology Area BTSOC - Rome
Vulnerability Type CWE-285 Improper Authorization
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/10/2017
Affected Chipsets SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, Snapdragon_High_Med_2016

CVE-2017-18131

CVE ID CVE-2017-18131
Title Use of Uninitialized Variable in Core
Description Use of Uninitialized Variable in Core
Technology Area Trusted Execution Environment
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 820, SD 820A, SD 835, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18155

CVE ID CVE-2017-18155
Title Use of Uninitialized Variable in Video
Description While playing HEVC content using HD DMB, an uninitialized variable can be used, leading to a kernel fault.
Technology Area Video
Vulnerability Type CWE-457 Use of Uninitialized Variable
Access Vector Local
Security Rating High
Date Reported 6/5/2017
Customer Notified Date 10/2/2017
Affected Chipsets MSM8996AU, SD 450, SD 625, SD 820, SD 820A, SD 835

CVE-2017-18156

CVE ID CVE-2017-18156
Title Use After Free in Connected Camera
Description While processing camera buffers in qmmf_alg_eglbuff_create, a Use After Free condition can occur.
Technology Area Connected Camera
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/4/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 625, SD 820, SD 820A, SD 835, SDX20

CVE-2017-18157

CVE ID CVE-2017-18157
Title Use After Free in Power
Description A Use After Free Condition can occur in Thermal Engine.
Technology Area Power
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 9/4/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2017-18173

CVE ID CVE-2017-18173
Title Integer Overflow or Wraparound in UEFI
Description Integer Overflow or Wraparound in UEFI
Technology Area Trusted Execution Environment
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 810, SD 820, SD 835, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18274

CVE ID CVE-2017-18274
Title Improper Validation of Array Index in QSSP
Description Improper Validation of Array Index in QSSP
Technology Area Qualcomm SnapDragon Smart Protect
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835

CVE-2017-18275

CVE ID CVE-2017-18275
Title Improper Validation of Array Index in QSSP
Description Improper Validation of Array Index in QSSP
Technology Area Telephony
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported 1/12/2017
Customer Notified Date 4/11/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845

CVE-2017-18276

CVE ID CVE-2017-18276
Title Improper Access Control in Kernel
Description Improper Access Control in Kernel
Technology Area KERNEL
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850

CVE-2017-18278

CVE ID CVE-2017-18278
Title Integer Overflow to Buffer Overflow in qsee_hash
Description Integer Overflow to Buffer Overflow in qsee_hash
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850

CVE-2017-18279

CVE ID CVE-2017-18279
Title Possible integer overflow to buffer overflow in mm-camera2 string class
Description Possible integer overflow to buffer overflow in mm-camera2 string class
Technology Area Camera
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 4/11/2017
Affected Chipsets FSM9055, FSM9955, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDM630, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-5383

CVE ID CVE-2018-5383
Title Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange (from cert.org)
Description Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. (from cert.org)
Technology Area Bluetooth Controller
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector AdjacentNetwork
Security Rating Critical
Date Reported 1/18/2018
Customer Notified Date 5/7/2018
Affected Chipsets AR9344, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA9377, QCA9379, QCA9886, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM710, SDX20, Snapdragon_High_Med_2016

Version History

Version Date Comments
1.1 August 10, 2018 Added Bulletin CVE-2018-5383

July 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.1

Published: 07/26/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11088 Domen Puncer Kugler and Keuntae Shin
CVE-2018-5838 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-11088 Medium Performance 9/1/2017
CVE-2018-11257 Critical Trusted Execution Environment Internal
CVE-2018-11258 High DSP Service Internal
CVE-2018-11259 Critical Trusted Execution Environment Internal
CVE-2018-5838 High Graphics 11/2/2017
CVE-2018-5874 Critical Video Internal
CVE-2018-5875 Critical Video Internal
CVE-2018-5876 Critical Video Internal
CVE-2018-5878 High RIL Internal
CVE-2018-5882 High Video Internal
CVE-2018-5884 High Video Internal
CVE-2018-5885 High Trusted Execution Environment Internal
CVE-2018-5891 High Data Network Stack & Connectivity Internal
CVE-2018-5892 High Android UI Internal
CVE-2018-5894 High Video Internal

CVE-2017-11088

CVE ID CVE-2017-11088
Title Improper Input Validation in io-prefetch
Description A SQL injection vulnerability exists in the Linux io-prefetcher.
Technology Area Performance
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 9/1/2017
Customer Notified Date 2/5/2018
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2018-11257

CVE ID CVE-2018-11257
Title Permissions, Privileges, and Access Controls in TA Environment
Description RPMB has an option that allows RPMB erase for secure devices.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 3/5/2018
Affected Chipsets SD 210/SD 212/SD 205, SD 845, SD 850

CVE-2018-11258

CVE ID CVE-2018-11258
Title Use After Free in Multimedia
Description In ADSP RPC, a Use After Free condition can occur.
Technology Area DSP Service
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-11259

CVE ID CVE-2018-11259
Title Improper Access Control in NAND-based EFS
Description From fastboot on a NAND-based device, the EFS partition can be erased. The apps processor then has full non-secure-world read/write access to the partition until the modem boots and configures the EFS partition addresses in its MPU partition.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016

CVE-2018-5838

CVE ID CVE-2018-5838
Title Improper Validation of Array Index in Graphics
Description In the Adreno OpenGL driver, an out-of-bounds access can occur in SurfaceFlinger.
Technology Area Graphics
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 11/2/2017
Customer Notified Date 3/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-5874

CVE ID CVE-2018-5874
Title Stack-based Buffer Overflow in Multimedia
Description While parsing an mp4 file, a stack-based buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-5875

CVE ID CVE-2018-5875
Title Integer Overflow to Buffer Overflow in Multimedia
Description While parsing an mp4 file, an integer overflow leading to a buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-5876

CVE ID CVE-2018-5876
Title Buffer Copy without Checking Size of Input in Multimedia
Description While parsing an mp4 file, a buffer overflow can occur.
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-5878

CVE ID CVE-2018-5878
Title Buffer Copy without Checking Size of Input in RIL
Description While sending the response to a RIL_REQUEST_GET_SMSC_ADDRESS message, a buffer overflow can occur.
Technology Area RIL
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9650, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 835

CVE-2018-5882

CVE ID CVE-2018-5882
Title Buffer Over-read in Multimedia
Description While parsing a Flac file with a corrupted comment block, a buffer over-read can occur.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 4/2/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

CVE-2018-5884

CVE ID CVE-2018-5884
Title Improper Access Control in Multimedia
Description Non-standard applications that lack the required permission may acquire permission to use Qualcomm-specific proprietary intents.
Technology Area Video
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9650, SD 210/SD 212/SD 205, SD 615/16/SD 415, SD 625, SD 835

CVE-2018-5885

CVE ID CVE-2018-5885
Title Possible buffer overflow in Secure UI
Description While loading dynamic fonts, a buffer overflow may occur if the number of segments in the font file is out of range.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 820, SD 845

CVE-2018-5891

CVE ID CVE-2018-5891
Title Use After Free in Data
Description While processing modem SSR after IMS is registered, the IMS data daemon is restarted but the ipc_dataHandle is no longer available. Consequently, the DPL thread frees the internal memory for dataDHandle, but the local variable pointer is not updated, which can lead to a Use After Free condition.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2018-5892

CVE ID CVE-2018-5892
Title Configuration in Android
Description The Touch Pal application can collect user behavior data without the user's awareness.
Technology Area Android UI
Vulnerability Type CWE-16 Configuration
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 2/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 810, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016

CVE-2018-5894

CVE ID CVE-2018-5894
Title Improper Validation of Array Index in Multimedia
Description While parsing an mp4 file, an out-of-bounds access can occur.
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/5/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SDX20

Version History

Version Date Comments
1.1 July 26, 2018 Added Affected Chipsets
1.0 July 2, 2018 Bulletin Published

June 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.1

Published: 07/26/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-13218 Google Project Zero

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-13218 High WLAN HOST, Core Services 7/28/2017

CVE-2017-13218

CVE ID CVE-2017-13218
Title Permissions, Privileges and Access control issue in Kernel
Description Access to CNTVCT_EL0 could be used for side channel attacks and this could lead to local information disclosure with no additional execution privileges needed.
Technology Area WLAN HOST, Core Services
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported 7/28/2017
Customer Notified Date 4/2/2018
Affected Chipsets FSM9055, IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, QCA4531, QCA9980, QCN5502, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845

Version History

Version Date Comments
1.1 July 26, 2018 Added Affected Chipsets
1.0 June 4, 2018 Bulletin Published

May 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.1

Published: 07/26/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11009, CVE-2017-9711 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information.

Table of vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2017-9711 Medium Data Network Stack & Connectivity 4/13/2017
CVE-2017-14912 High Content Protection Internal
CVE-2017-11009 High Video 5/22/2017
CVE-2017-14913 High Trusted Execution Environment Internal
CVE-2017-14915 High Trusted Execution Environment Internal
CVE-2017-18160 High GPS Internal

CVE-2017-9711

CVE ID CVE-2017-9711
Title Permissions, Privileges, and Access Controls in Data
Description Certain unprivileged processes are able to perform IOCTL calls.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating Medium
Date Reported 4/13/2017
Customer Notified Date 7/3/2017
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SD 845

CVE-2017-14912

CVE ID CVE-2017-14912
Title Improper Access Control in TrustZone
Description The attributes of buffers in Secure Display were not marked properly.
Technology Area Content Protection
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 835

CVE-2017-11009

CVE ID CVE-2017-11009
Title Buffer Copy without Checking Size of Input in Multimedia
Description A buffer overflow vulnerability exists while parsing a bitstream.
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 5/22/2017
Customer Notified Date 8/7/2017
Affected Chipsets SD 450, SD 625, SD 820, SD 820A, SD 835, SD 845, SD 850

CVE-2017-14913

CVE ID CVE-2017-14913
Title Improper Input Validation in TrustZone
Description DDR address input validation is being improperly truncated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, MDM9607, SD 835, SD 845, SD 850

CVE-2017-14915

CVE ID CVE-2017-14915
Title Use After Free in Secure Processor
Description Accessing SPCOM functions with a compromised client structure can result in a Use After Free condition.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets SD 835

CVE-2017-18160

CVE ID CVE-2017-18160
Title Cryptographic Issues in GPS
Description AGPS session failure in the GNSS module because cipher suites are hardcoded and need a manual update every time.
Technology Area GPS
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 835, SD 845, SD 850

Version History

Version Date Comments
1.1 July 26, 2018 Added Affected Chipsets
1.0 May 8, 2018 Bulletin Published

April 2018 Qualcomm Technologies, Inc. Security Bulletin

Version 1.1

Published: 07/26/2018

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A broad description of the ratings can be found at the following link.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

None.

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2013-4420 High On-device Logging Internal
CVE-2016-5341 Medium GPS Internal
CVE-2017-11010 High Trusted Execution Environment Internal
CVE-2017-11011 High Trusted Execution Environment Internal
CVE-2017-14910 High Security Feature Internal
CVE-2017-14911 Critical Trusted Execution Environment Internal
CVE-2017-17773 Critical Video Services Internal
CVE-2017-18071 Critical Trusted Execution Environment Internal
CVE-2017-18072 High WLAN Firmware 11/9/2016
CVE-2017-18073 High Trusted Execution Environment Internal
CVE-2017-18074 High Audio Internal
CVE-2017-18125 High Trusted Execution Environment Internal
CVE-2017-18126 High WLAN Firmware 12/9/2016
CVE-2017-18127 High Virtual Reality Internal
CVE-2017-18128 Critical Trusted Execution Environment Internal
CVE-2017-18129 High Trusted Execution Environment Internal
CVE-2017-18130 High Video Services Internal
CVE-2017-18132 High Trusted Execution Environment Internal
CVE-2017-18133 High Trusted Execution Environment Internal
CVE-2017-18134 High User Identity Module Internal
CVE-2017-18135 High Data Services Internal
CVE-2017-18136 High Audio Internal
CVE-2017-18137 High Data Services Internal
CVE-2017-18138 High GERAN Internal
CVE-2017-18139 High Modem Internal
CVE-2017-18140 High Data Network Stack & Connectivity Internal
CVE-2017-18142 High Data Services Internal
CVE-2017-18143 High Trusted Execution Environment Internal
CVE-2017-18144 High Data Network Stack & Connectivity Internal
CVE-2017-18145 High Data Network Stack & Connectivity Internal
CVE-2017-18146 Critical Trusted Execution Environment Internal
CVE-2017-18147 High Multimode Call Processing Services Internal
CVE-2017-8274 Critical Trusted Execution Environment Internal
CVE-2017-8275 High Video Services Internal
CVE-2018-3589 High RFA Internal
CVE-2018-3590 High Radio Interface Layer Internal
CVE-2018-3591 Critical Storage Services Internal
CVE-2018-3592 Critical Multimode Call Processing Services Internal
CVE-2018-3593 High Radio Interface Layer Internal
CVE-2018-3594 High Video Services Internal

CVE-2013-4420

CVE ID CVE-2013-4420
Title Improper Input Validation in Logging
Description Multiple directory traversal vulnerabilities exist in libtar.
Technology Area On-device Logging
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets SD 210/SD 212/SD 205, SD 400, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 835, SD 845

CVE-2016-5341

CVE ID CVE-2016-5341
Title Improper Access Control in GPS
Description A man-in-the-middle can cause a denial of service in GPS.
Technology Area GPS
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating Medium
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835

CVE-2017-11010

CVE ID CVE-2017-11010
Title Improper Access Control in Core
Description Access control left a configuration space unprotected.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets MDM9206, MDM9607, SD 835

CVE-2017-11011

CVE ID CVE-2017-11011
Title Use After Free in Core
Description A Use After Free condition can occur in a communication API.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 820, SD 835

CVE-2017-14910

CVE ID CVE-2017-14910
Title Buffer Over-read in Sphinx
Description A buffer over-read is possible if there are no newlines in an input file.
Technology Area Security Feature
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845

CVE-2017-14911

CVE ID CVE-2017-14911
Title Improper Authentication in Boot
Description It is possible for the XBL loader to skip the authentication of device config.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-287 Improper Authentication
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835

CVE-2017-17773

CVE ID CVE-2017-17773
Title Buffer Overflow in Video
Description While processing an mpeg4 file, a buffer overflow can occur.
Technology Area Video Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18071

CVE ID CVE-2017-18071
Title Improper Access Control in Core
Description Debug policy can potentially be bypassed.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52

CVE-2017-18072

CVE ID CVE-2017-18072
Title Information Exposure in WLAN
Description Information exposure can occur in some 802.11 frames.
Technology Area WLAN Firmware
Vulnerability Type CWE-200 Information Exposure
Access Vector Adjacent Network
Security Rating High
Date Reported 11/9/2016
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18073

CVE ID CVE-2017-18073
Title Improper Input Validation in TrustZone
Description The HLOS can gain access to unauthorized memory.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835

CVE-2017-18074

CVE ID CVE-2017-18074
Title Improper Input Validation in Audio
Description While playing a .wma file with a modified media header containing a non-standard bytes-per-second parameter value, a reachable assert occurs.
Technology Area Audio
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 800, SD 808, SD 810, SD 820, SD 835

CVE-2017-18125

CVE ID CVE-2017-18125
Title Improper Input Validation in TrustZone
Description A secure camera buffer can be reused.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 3/14/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835, SD 845, SD 850

CVE-2017-18126

CVE ID CVE-2017-18126
Title Use of Insufficiently Random Values in WLAN
Description Information elements in some 802.11 frames are not sufficiently random.
Technology Area WLAN Firmware
Vulnerability Type CWE-330 Use of Insufficiently Random Values
Access Vector Adjacent Network
Security Rating High
Date Reported 12/9/2016
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9640, MDM9650, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2017-18127

CVE ID CVE-2017-18127
Title Improper Input Validation in Virtual Reality
Description While processing a command packet in the VR service, a buffer overflow can occur.
Technology Area Virtual Reality
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MSM8909W, SD 210/SD 212/SD 205, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2017-18128

CVE ID CVE-2017-18128
Title Improper Access Control in Core
Description Improper access control while configuring the MPU that protects error correction registers may potentially lead to exposure of related secured data.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets SD 845, SD 850

CVE-2017-18129

CVE ID CVE-2017-18129
Title Improper Access Control in TrustZone
Description It is possible for IPA (Internet Protocol Accelerator) channels owned by one security domain to be controlled from other domains.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets None found

CVE-2017-18130

CVE ID CVE-2017-18130
Title Buffer Over-read in Multimedia
Description While playing an ASF file, a buffer over-read can potentially occur.
Technology Area Video Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845

CVE-2017-18132

CVE ID CVE-2017-18132
Title Buffer Over-read in Core
Description An out-of-bounds access can potentially occur in tz_assign().
Technology Area Trusted Execution Environment
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets None found

CVE-2017-18133

CVE ID CVE-2017-18133
Title Improper Validation of Array Index in Core
Description An out-of-bounds access of the EBI channel array can potentially occur.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835

CVE-2017-18134

CVE ID CVE-2017-18134
Title Buffer Copy without Checking Size of Input in UIM
Description A buffer overflow may potentially occur while processing a response from the SIM card.
Technology Area User Identity Module
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017
Affected Chipsets SD 845, SD 850

CVE-2017-18135

CVE ID CVE-2017-18135
Title Buffer Copy without Checking Size of Input in Data
Description In the Wireless Data Service (WDS) module, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9650, MDM9655, SD 450, SD 625, SD 650/52, SD 835, SD 845, SD 850

CVE-2017-18136

CVE ID CVE-2017-18136
Title Use After Free in Audio
Description In the OMX AAC component, a Use After Free condition may potentially occur.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845

CVE-2017-18137

CVE ID CVE-2017-18137
Title Buffer Copy without Checking Size of Input in Data
Description While processing the IPv6 PDP address of the PDP context, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 10/2/2017
Affected Chipsets MDM9640, MDM9645, MDM9650, MDM9655, SD 450, SD 625, SD 650/52, SD 810, SD 820, SD 835

CVE-2017-18138

CVE ID CVE-2017-18138
Title Buffer Copy without Checking Size of Input in GERAN
Description In GERAN, a buffer overflow may potentially occur.
Technology Area GERAN
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850

CVE-2017-18139

CVE ID CVE-2017-18139
Title Buffer Copy without Checking Size of Input in IMS
Description A buffer overflow vulnerability may potentially exist while making an IMS call.
Technology Area Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SD 845, SD 850

CVE-2017-18140

CVE ID CVE-2017-18140
Title Use After Free in Data
Description When processing a call disconnection, a Use After Free condition may potentially occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845

CVE-2017-18142

CVE ID CVE-2017-18142
Title Buffer Copy without Checking Size of Input in Data
Description While processing the IMS SIP username, a buffer overflow can occur.
Technology Area Data Services
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 11/6/2017
Affected Chipsets MDM9650, MDM9655, SD 835, SD 845, SD 850

CVE-2017-18143

CVE ID CVE-2017-18143
Title Configuration in Core
Description On a secure device, PD dumps are collected when debugging is not enabled.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets SD 845, SD 850

CVE-2017-18144

CVE ID CVE-2017-18144
Title Use After Free in Data
Description While processing the retransmission of WPA supplicant command send failures, there is a make after break of the connection to WPA supplicant where the local pointer is not properly updated. If the WPA supplicant command transmission fails, a Use After Free condition will occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2017-18145

CVE ID CVE-2017-18145
Title Use After Free in Data
Description While the DPM native process is processing framework events, the iterator pointer is deleted after processing an event. When processing subsequent events, a Use After Free condition will occur.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2017-18146

CVE ID CVE-2017-18146
Title Cryptographic Issues in Core
Description In some corner cases, signature verification can fail.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850

CVE-2017-18147

CVE ID CVE-2017-18147
Title Improper Input Validation in MMCP
Description In MMCP, a downlink message is not being properly validated.
Technology Area Multimode Call Processing Services
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating High
Date Reported Internal
Customer Notified Date 12/4/2017
Affected Chipsets MDM9206, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850

CVE-2017-8274

CVE ID CVE-2017-8274
Title Improper Access Control in Core
Description An access control vulnerability exists in Core.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 6/5/2017
Affected Chipsets MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52

CVE-2017-8275

CVE ID CVE-2017-8275
Title Integer Overflow or Wraparound in Video
Description An integer overflow vulnerability exists in a video library.
Technology Area Video Services
Vulnerability Type CWE-190 Integer Overflow or Wraparound
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 6/5/2017
Affected Chipsets SD 210/SD 212/SD 205, SD 400, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 820, SD 835

CVE-2018-3589

CVE ID CVE-2018-3589
Title Buffer Copy without Checking Size of Input in RFA
Description The vswr capture size is larger than the maximum size of a diag logPacket, which can lead to a buffer overflow when the sample buffer is copied to the logPacket buffer.
Technology Area RFA
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9650, MDM9655, SD 835, SD 845, SD 850

CVE-2018-3590

CVE ID CVE-2018-3590
Title Use After Free in RIL
Description A Use After Free condition can occur in RIL while handling requests from Android.
Technology Area Radio Interface Layer
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MSM8909W, SD 210/SD 212/SD 205, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845

CVE-2018-3591

CVE ID CVE-2018-3591
Title Configuration in Core
Description The default build configuration of deviceprogrammer can expose peek and poke commands.
Technology Area Storage Services
Vulnerability Type CWE-16 Configuration
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SDM630, SDM636, SDM660, Snapdragon_High_Med_2016

CVE-2018-3592

CVE ID CVE-2018-3592
Title Use After Free in MMCP
Description A change was added to check whether the pointer has been reset to NULL before writing to the memory it points to.
Technology Area Multimode Call Processing Services
Vulnerability Type CWE-416 Use After Free
Access Vector Adjacent Network
Security Rating Critical
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850

CVE-2018-3593

CVE ID CVE-2018-3593
Title Use After Free in RIL
Description Repeated enable/disable eMBMS requests may result in a double free condition.
Technology Area Radio Interface Layer
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845

CVE-2018-3594

CVE ID CVE-2018-3594
Title Buffer Over-read in Video
Description While parsing a private frame in an ID3 tag, a buffer over-read can occur when comparing frame data with predefined owner identifier strings.
Technology Area Video Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Network
Security Rating High
Date Reported Internal
Customer Notified Date 1/1/2018
Affected Chipsets MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 820, SD 820A, SD 835, SD 845

Version History

Version Date Comments
1.1 July 26, 2018 Added Affected Chipsets
1.0 April 13, 2018 Bulletin Published

This document describes security vulnerabilities that Qualcomm Technologies, Inc. (QTI) addressed through software changes. QTI licensees were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements
This is the first public security bulletin released by Qualcomm Technologies Inc. Subsequent bulletins will be released on a regular cadence.

Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us:

CVE-2017-6211 Matthew Spisak of ENDGAME (www.endgame.com)
CVE-2017-9709 Jake Valletta

Table of Vulnerabilities

CVE ID Security Rating Technology Area Date Reported
CVE-2017-11005 High Qualcomm IPC Internal
CVE-2017-11006 High GPS Internal
CVE-2017-14907 Critical Trusted Execution Environment Internal
CVE-2017-14908 High Security Feature Internal
CVE-2017-14909 High GPS Internal
CVE-2017-14914 High Storage Internal
CVE-2017-14916 High Trusted Execution Environment Internal
CVE-2017-14917 High Trusted Execution Environment Internal
CVE-2017-14918 High GPS Internal
CVE-2017-15813 High WLAN Internal
CVE-2017-6211 Critical Multimode Core Protocol 1/23/2017
CVE-2017-9709 Medium Telephony 4/6/2017
Vulnerability Details

CVE-2017-11005

CVE ID CVE-2017-11005
Title Use After Free in Core
Description A Use After Free condition can occur during a deinitialization path.
Technology Area Qualcomm IPC
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDX20

CVE-2017-11006

CVE ID CVE-2017-11006
Title Use After Free in GNSS
Description A Use After Free condition can occur during positioning.
Technology Area GPS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 8/7/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SDX20

CVE-2017-14907

CVE ID CVE-2017-14907
Title Cryptographic Issues in TrustZone
Description Cryptographic strength is reduced while deriving the disk encryption key.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820A, S820AM, SD 425, SD 430, SD 625, SD 650/52, SD 820, SD 835

CVE-2017-14908

CVE ID CVE-2017-14908
Title Improper Input Validation in SafeSwitch
Description The SafeSwitch test application does not properly validate the number of blocks to verify.
Technology Area Security Feature
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835

CVE-2017-14909

CVE ID CVE-2017-14909
Title Integer Overflow to Buffer Overflow in GPS
Description A count value that is read from a file is not properly validated.
Technology Area GPS
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820AM, SD 820, SD 835

CVE-2017-14914

CVE ID CVE-2017-14914
Title Use After Free in Storage
Description Handles in the global client structure can become stale.
Technology Area Storage
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets S820A, MDM9206, MDM9310, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 600, SD 602A, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20

CVE-2017-14916

CVE ID CVE-2017-14916
Title Buffer Copy without Checking Size of Input in TEE kernel
Description Buffer sizes in the message passing interface are not properly validated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets SD 625, SD 650/52, SD 835

CVE-2017-14917

CVE ID CVE-2017-14917
Title Integer Overflow to Buffer Overflow in TEE kernel
Description Buffer sizes in the message passing interface are not properly validated.
Technology Area Trusted Execution Environment
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 5/9/2017
Affected Chipsets MDM9206, SD 625, SD 650/52, SD 835

CVE-2017-14918

CVE ID CVE-2017-14918
Title Use After Free in GPS
Description In the GPS location wireless interface, a Use After Free condition can occur.
Technology Area GPS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20

CVE-2017-15813

CVE ID CVE-2017-15813
Title Buffer Copy without Checking Size of Input in WLAN
Description A buffer overflow can occur while reading firmware logs.
Technology Area WLAN
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 835, SDX20

CVE-2017-6211

CVE ID CVE-2017-6211
Title Improper Input Validation in Multimode core protocol
Description In the processing of a downlink supplementary services message, a buffer overflow can occur.
Technology Area MMCP
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Adjacent Network
Security Rating Critical
Date Reported 01/23/2017
Customer Notified Date 2/27/2017
Affected Chipsets S820A, MDM6600, MDM9206, MDM9310, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, S820AM, QSC6270, S600, SD 200, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20M

CVE-2017-9709

CVE ID CVE-2017-9709
Title Improper Access Control in Telephony
Description A privilege escalation vulnerability exists in telephony.
Technology Area Telephony
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating Medium
Date Reported 04/06/2017
Customer Notified Date 7/3/2017
Affected Chipsets S820A, MDM9206, MDM9607, MDM9650, MSM8909W, S820AM, SD 210/SD 212/SD 205, SD 400, SD 425, SD 625, SD 650/52, SD 820, SD 835, SDX20

Version History

Version Date Comments
1.0 December 4, 2017 Bulletin Published
2.0 February 8, 2018 Revision