December 2019

December 2019 Security Bulletin

Version 1.0

Published: 12/02/2019

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-10513 Lee Harrison and Hayawardh Vijayakumar, Samsung Knox Security
CVE-2019-10518, CVE-2019-10544, CVE-2019-10557 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-10536, CVE-2019-10537 Peter Park (peterpark)
CVE-2019-10564 Pengfei Ding(丁鹏飞) of Huawei Mobile Security Lab
CVE-2019-10584 Gengjia Chen (chengjia4574)

This table summarizes security vulnerabilities that were addressed through proprietary software

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2019-10482 High Content Protection Internal
CVE-2019-10487 High Multi-Mode Call Processor Internal
CVE-2019-10500 Critical Multi-Mode Call Processor Internal
CVE-2019-10513 High SoC Infrastructure 11/19/2018
CVE-2019-10516 High Multi-Mode Call Processor Internal
CVE-2019-10517 High DSP Service Internal
CVE-2019-10518 Medium Data Network Stack & Connectivity 02/14/2019
CVE-2019-10525 Critical WCDMA Internal
CVE-2019-10600 High WLAN HOST Internal
CVE-2019-2242 Critical 1x Internal
CVE-2019-2274 High Core Internal

CVE-2019-10482

CVE ID CVE-2019-10482
Title Information Exposure in Content Protection
Description Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption
Technology Area Content Protection
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10487

CVE ID CVE-2019-10487
Title Buffer Over-read Issue in Multi-mode Call processor
Description Buffer over read can happen while parsing SMS OTA messages at transport layer if network sends un-intended values
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10500

CVE ID CVE-2019-10500
Title Incorrect Calculation of Buffer Size in NAS
Description While processing MT Secondary PDP request, Buffer overflow will happen due to incorrect calculation of buffer size
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-131 Incorrect Calculation of Buffer Size
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10513

CVE ID CVE-2019-10513
Title Null Pointer Dereference Issue in Trustzone
Description Possibility of Null pointer access if the SPDM commands are executed in the non-standard way in Trustzone
Technology Area SoC Infrastructure
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported 11/19/2018
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-10516

CVE ID CVE-2019-10516
Title Buffer Over-read Issue in Multi Mode Call processor
Description Multiple read overflows in MM while decoding service accept,service reject,attach reject and MT detach
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10517

CVE ID CVE-2019-10517
Title Double Free Issues in DSP Services
Description Memory is being freed up twice when two concurrent threads are executing in parallel
Technology Area DSP Service
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996AU, QCS405, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10518

CVE ID CVE-2019-10518
Title Transient DOS Issue in HLOS Data
Description Use after free of a pointer in iWLAN scenario during netmgr state transition to CONNECT
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 02/14/2019
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, SDA660, SDA845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10525

CVE ID CVE-2019-10525
Title Stack-based Buffer Overflow in WCDMA
Description Buffer overflow during SIB read when network configures complete sib list along with first and last segment of other SIB
Technology Area WCDMA
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10600

CVE ID CVE-2019-10600
Title Null Pointer Dereference Issue in WLAN Host
Description Use of local variable as argument to netlink CB callback goes out of it scope when callback triggered lead to invalid stack memory
Technology Area WLAN HOST
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCA8081, QCS405, QCS605, QM215, SA6155P, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-2242

CVE ID CVE-2019-2242
Title Integer Overflow to Buffer Overflow in Modem
Description Device memory may get corrupted because of buffer overflow/underflow.
Technology Area 1x
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 02/04/2019
Affected Chipsets* APQ8009, APQ8016, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SM6150, SM7150, SXR1130

CVE-2019-2274

CVE ID CVE-2019-2274
Title Improper Access Control in TZ
Description Improper Access Control for RPU write access from secure processor
Technology Area Core
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets* APQ8017, APQ8053, APQ8098, IPQ8074, MDM9150, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCA8081, QCN7605, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130

* Data is generated only at the time of bulletin creation

This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links

Table of Vulnerabilities

Public ID Security Rating Technology Area Date Reported
CVE-2018-11980 High WLAN HOST Internal
CVE-2019-10480 High WLAN HOST Internal
CVE-2019-10481 High WLAN HOST Internal
CVE-2019-10536 High WLAN Host Communication 04/11/2019
CVE-2019-10537 High WLAN HOST 04/16/2019
CVE-2019-10544 Medium Core Services 04/10/2019
CVE-2019-10557 High WLAN HOST 05/04/2018
CVE-2019-10564 Medium Multimedia 11/29/2018
CVE-2019-10572 Medium Video Internal
CVE-2019-10584 Medium Video 05/11/2019
CVE-2019-10595 High WLAN HOST Internal
CVE-2019-10598 High WLAN HOST Internal
CVE-2019-10601 High WLAN Host Cmn Internal
CVE-2019-10605 High WLAN HOST Internal
CVE-2019-10607 High Security Internal
CVE-2019-10614 Medium Video Internal
CVE-2019-2304 High WLAN HOST Internal

CVE-2018-11980

CVE ID CVE-2018-11980
Title Buffer Copy Without Checking Size of Input in WLAN
Description When a fake broadcast/multicast 11w rmf without mmie received, since no proper length check in wma_process_bip, buffer overflow will happen in both cds_is_mmie_valid and qdf_nbuf_trim_tail
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8937, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SDM630, SDM636, SDM660, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Patch*

CVE-2019-10480

CVE ID CVE-2019-10480
Title Buffer Copy Without Checking Size of Input in WLAN Host
Description Out of bound write can happen in WMI firmware event handler due to lack of validation of data received from WLAN firmware
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9980, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130
Patch*

CVE-2019-10481

CVE ID CVE-2019-10481
Title Improper Validation of Array Index in WLAN Host
Description Out of bound access occurs while handling the WMI FW event due to lack of check of buffer argument which comes directly from the WLAN FW
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8996AU, QCA6574AU, QCA8081, QCN7605, SDX55, SM6150, SM7150, SM8150
Patch*

CVE-2019-10536

CVE ID CVE-2019-10536
Title Double Free Issue in WLAN Host
Description Potential double free scenario if driver receives another DIAG_EVENT_LOG_SUPPORTED event from firmware as the pointer is not set to NULL on first call
Technology Area WLAN Host Communication
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported 04/11/2019
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA660, SDA845, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10537

CVE ID CVE-2019-10537
Title Integer Overflow to Buffer Overflow in WLAN HOST
Description Improper validation of event buffer extracted from FW response can lead to integer overflow, which will allow to pass the length check and eventually will lead to buffer overwrite when event data is copied to context buffer
Technology Area WLAN HOST
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 04/16/2019
Customer Notified Date 09/02/2019
Affected Chipsets* MDM9607, Nicobar, QCA6574AU, QCN7605, QCS405, QCS605, SDM660, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10544

CVE ID CVE-2019-10544
Title Use of Out-of-range Pointer Offset in Diag Services
Description Improper length check on source buffer to handle userspace data received can lead to out-of-bound access in diag handlers
Technology Area Core Services
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 04/10/2019
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10557

CVE ID CVE-2019-10557
Title Buffer Over-read in WLAN
Description Out-of-bound read in the wireless driver in the Linux kernel due to lack of check of buffer length.
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 05/04/2018
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDX20, SDX55, SXR1130
Patch*

CVE-2019-10564

CVE ID CVE-2019-10564
Title Use of Out-of-range Pointer Offset in Multimedia
Description Possible OOB issue in EEPROM due to lack of check while accessing memory map array at the time of reading operation
Technology Area Multimedia
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 11/29/2018
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, Nicobar, QCS405, QCS605, QM215, SA6155P, SDA845, SDM429, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10572

CVE ID CVE-2019-10572
Title Use of Out-of-range Pointer Offset in Video
Description Improper check in video driver while processing data from video firmware can lead to integer overflow and then buffer overflow
Technology Area Video
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Remote
Security Rating Medium
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Patch*

CVE-2019-10584

CVE ID CVE-2019-10584
Title Buffer Over-read Issue in Video Driver
Description Possibility of out of bound access in debug queue, if packet size field is corrupted
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 05/11/2019
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-10595

CVE ID CVE-2019-10595
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overwrite in message handler due to lack of validation of tid value calculated from packets received from firmware
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8053, APQ8064, APQ8096AU, IPQ4019, IPQ8064, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8939, MSM8996AU, QCA4531, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SDA660, SDM630, SDM636, SDM660, SDX20, SDX24
Patch*

CVE-2019-10598

CVE ID CVE-2019-10598
Title Buffer Copy Without Checking Size of Input in WLAN Host
Description Out of bound access can occur while processing peer info in IBSS connection mode due to lack of upper bounds check to ensure that for loop further will not cause an overflow
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8053, APQ8096AU, MDM9607, MSM8996AU, QCA6574AU, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Patch*

CVE-2019-10601

CVE ID CVE-2019-10601
Title Improper Validation of Array Index in WLAN Host
Description Out of bound access can occur while processing firmware event due to lack of validation of WMI message received from firmware
Technology Area WLAN Host Cmn
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MSM8996AU, Nicobar, QCA6574AU, QCN7605, QCS405, SDM630, SDM636, SDM660, SDM845, SM6150, SM7150, SM8150
Patch*

CVE-2019-10605

CVE ID CVE-2019-10605
Title Buffer Copy Without Checking Size of Input in WLAN Host
Description Buffer overwrite can occur in IEEE80211 header filling function due to lack of range check of array index received from firmware
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8053, IPQ8074, MDM9607, MDM9650, MSM8909, MSM8939, QCN7605, SDA660, SDM630, SDM636, SDM660, SDX20, SDX24
Patch*

CVE-2019-10607

CVE ID CVE-2019-10607
Title Buffer Copy Without Checking Size of Input in Kernel
Description Out of bounds memcpy can occur by providing the embedded NULL character string and length greater than the actual string length
Technology Area Security
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996, MSM8996AU, QCA4531, QCA8081, QCA9531, QCA9558, QCA9886, QCA9980, QCN7605, QCS605, SDA660, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*

CVE-2019-10614

CVE ID CVE-2019-10614
Title Use of Out-of-range Pointer Offset in Video
Description Out of boundary access is possible as there is no validation of data accessed against the received size of the packet in case of malicious firmware
Technology Area Video
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Remote
Security Rating Medium
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-2304

CVE ID CVE-2019-2304
Title Integer Overflow to Buffer Overflow Issue in WLAN HOST
Description Integer overflow to buffer overflow due to lack of validation of event arguments received from firmware.
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 09/02/2019
Affected Chipsets* IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, QCN7605, QCS405, QCS605, SDA845, SDM660, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

 

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

 

Version History

Version Date Comments
1.0 December 2, 2019 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

 

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

 

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.