December 2019 Security Bulletin
Version 1.0
Published: 12/02/2019
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
Announcements
We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins . Starting from September 2019, we will have one single monthly bulletin listing both open-source and closed-source vulnerabilities.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2019-10513 | Lee Harrison and Hayawardh Vijayakumar, Samsung Knox Security |
| CVE-2019-10518, CVE-2019-10544, CVE-2019-10557 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2019-10536, CVE-2019-10537 | Peter Park (peterpark) |
| CVE-2019-10564 | Pengfei Ding(丁鹏飞) of Huawei Mobile Security Lab |
| CVE-2019-10584 | Gengjia Chen (chengjia4574) |
This table summarizes security vulnerabilities that were addressed through proprietary software
Table of Vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-10482 | High | Content Protection | Internal |
| CVE-2019-10487 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-10500 | Critical | Multi-Mode Call Processor | Internal |
| CVE-2019-10513 | High | SoC Infrastructure | 11/19/2018 |
| CVE-2019-10516 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-10517 | High | DSP Service | Internal |
| CVE-2019-10518 | Medium | Data Network Stack & Connectivity | 02/14/2019 |
| CVE-2019-10525 | Critical | WCDMA | Internal |
| CVE-2019-10600 | High | WLAN HOST | Internal |
| CVE-2019-2242 | Critical | 1x | Internal |
| CVE-2019-2274 | High | Core | Internal |
CVE-2019-10482
| CVE ID | CVE-2019-10482 |
| Title | Information Exposure in Content Protection |
| Description | Due to the use of non-time-constant comparison functions there is issue in timing side channels which can be used as a potential side channel for SUI corruption |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 05/06/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCS404, QCS405, QCS605, QM215, SA6155P, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10487
| CVE ID | CVE-2019-10487 |
| Title | Buffer Over-read Issue in Multi-mode Call processor |
| Description | Buffer over read can happen while parsing SMS OTA messages at transport layer if network sends un-intended values |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2019-10500
| CVE ID | CVE-2019-10500 |
| Title | Incorrect Calculation of Buffer Size in NAS |
| Description | While processing MT Secondary PDP request, Buffer overflow will happen due to incorrect calculation of buffer size |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2019-10513
| CVE ID | CVE-2019-10513 |
| Title | Null Pointer Dereference Issue in Trustzone |
| Description | Possibility of Null pointer access if the SPDM commands are executed in the non-standard way in Trustzone |
| Technology Area | SoC Infrastructure |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/19/2018 |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
CVE-2019-10516
| CVE ID | CVE-2019-10516 |
| Title | Buffer Over-read Issue in Multi Mode Call processor |
| Description | Multiple read overflows in MM while decoding service accept,service reject,attach reject and MT detach |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2019-10517
| CVE ID | CVE-2019-10517 |
| Title | Double Free Issues in DSP Services |
| Description | Memory is being freed up twice when two concurrent threads are executing in parallel |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996AU, QCS405, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10518
| CVE ID | CVE-2019-10518 |
| Title | Transient DOS Issue in HLOS Data |
| Description | Use after free of a pointer in iWLAN scenario during netmgr state transition to CONNECT |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 02/14/2019 |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, SDA660, SDA845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-10525
| CVE ID | CVE-2019-10525 |
| Title | Stack-based Buffer Overflow in WCDMA |
| Description | Buffer overflow during SIB read when network configures complete sib list along with first and last segment of other SIB |
| Technology Area | WCDMA |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2019-10600
| CVE ID | CVE-2019-10600 |
| Title | Null Pointer Dereference Issue in WLAN Host |
| Description | Use of local variable as argument to netlink CB callback goes out of it scope when callback triggered lead to invalid stack memory |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCA8081, QCS405, QCS605, QM215, SA6155P, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-2242
| CVE ID | CVE-2019-2242 |
| Title | Integer Overflow to Buffer Overflow in Modem |
| Description | Device memory may get corrupted because of buffer overflow/underflow. |
| Technology Area | 1x |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 02/04/2019 |
| Affected Chipsets* | APQ8009, APQ8016, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SM6150, SM7150, SXR1130 |
CVE-2019-2274
| CVE ID | CVE-2019-2274 |
| Title | Improper Access Control in TZ |
| Description | Improper Access Control for RPU write access from secure processor |
| Technology Area | Core |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 06/03/2019 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8098, IPQ8074, MDM9150, MDM9650, MDM9655, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCA8081, QCN7605, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX55, SM6150, SM7150, SM8150, SXR1130 |
* Data is generated only at the time of bulletin creation
This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links
Table of Vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2018-11980 | High | WLAN HOST | Internal |
| CVE-2019-10480 | High | WLAN HOST | Internal |
| CVE-2019-10481 | High | WLAN HOST | Internal |
| CVE-2019-10536 | High | WLAN Host Communication | 04/11/2019 |
| CVE-2019-10537 | High | WLAN HOST | 04/16/2019 |
| CVE-2019-10544 | Medium | Core Services | 04/10/2019 |
| CVE-2019-10557 | High | WLAN HOST | 05/04/2018 |
| CVE-2019-10564 | Medium | Multimedia | 11/29/2018 |
| CVE-2019-10572 | Medium | Video | Internal |
| CVE-2019-10584 | Medium | Video | 05/11/2019 |
| CVE-2019-10595 | High | WLAN HOST | Internal |
| CVE-2019-10598 | High | WLAN HOST | Internal |
| CVE-2019-10601 | High | WLAN Host Cmn | Internal |
| CVE-2019-10605 | High | WLAN HOST | Internal |
| CVE-2019-10607 | High | Security | Internal |
| CVE-2019-10614 | Medium | Video | Internal |
| CVE-2019-2304 | High | WLAN HOST | Internal |
CVE-2018-11980
| CVE ID | CVE-2018-11980 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | When a fake broadcast/multicast 11w rmf without mmie received, since no proper length check in wma_process_bip, buffer overflow will happen in both cds_is_mmie_valid and qdf_nbuf_trim_tail |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8937, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SDM630, SDM636, SDM660, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
| Patch* |
CVE-2019-10480
| CVE ID | CVE-2019-10480 |
| Title | Buffer Copy Without Checking Size of Input in WLAN Host |
| Description | Out of bound write can happen in WMI firmware event handler due to lack of validation of data received from WLAN firmware |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9980, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130 |
| Patch* |
CVE-2019-10481
| CVE ID | CVE-2019-10481 |
| Title | Improper Validation of Array Index in WLAN Host |
| Description | Out of bound access occurs while handling the WMI FW event due to lack of check of buffer argument which comes directly from the WLAN FW |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8996AU, QCA6574AU, QCA8081, QCN7605, SDX55, SM6150, SM7150, SM8150 |
| Patch* |
CVE-2019-10536
| CVE ID | CVE-2019-10536 |
| Title | Double Free Issue in WLAN Host |
| Description | Potential double free scenario if driver receives another DIAG_EVENT_LOG_SUPPORTED event from firmware as the pointer is not set to NULL on first call |
| Technology Area | WLAN Host Communication |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 04/11/2019 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCN7605, QCS405, QCS605, SDA660, SDA845, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-10537
| CVE ID | CVE-2019-10537 |
| Title | Integer Overflow to Buffer Overflow in WLAN HOST |
| Description | Improper validation of event buffer extracted from FW response can lead to integer overflow, which will allow to pass the length check and eventually will lead to buffer overwrite when event data is copied to context buffer |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 04/16/2019 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | MDM9607, Nicobar, QCA6574AU, QCN7605, QCS405, QCS605, SDM660, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-10544
| CVE ID | CVE-2019-10544 |
| Title | Use of Out-of-range Pointer Offset in Diag Services |
| Description | Improper length check on source buffer to handle userspace data received can lead to out-of-bound access in diag handlers |
| Technology Area | Core Services |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 04/10/2019 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-10557
| CVE ID | CVE-2019-10557 |
| Title | Buffer Over-read in WLAN |
| Description | Out-of-bound read in the wireless driver in the Linux kernel due to lack of check of buffer length. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 05/04/2018 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDX20, SDX55, SXR1130 |
| Patch* |
|
CVE-2019-10564
| CVE ID | CVE-2019-10564 |
| Title | Use of Out-of-range Pointer Offset in Multimedia |
| Description | Possible OOB issue in EEPROM due to lack of check while accessing memory map array at the time of reading operation |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 11/29/2018 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, Nicobar, QCS405, QCS605, QM215, SA6155P, SDA845, SDM429, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-10572
| CVE ID | CVE-2019-10572 |
| Title | Use of Out-of-range Pointer Offset in Video |
| Description | Improper check in video driver while processing data from video firmware can lead to integer overflow and then buffer overflow |
| Technology Area | Video |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Remote |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
| Patch* |
CVE-2019-10584
| CVE ID | CVE-2019-10584 |
| Title | Buffer Over-read Issue in Video Driver |
| Description | Possibility of out of bound access in debug queue, if packet size field is corrupted |
| Technology Area | Video |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 05/11/2019 |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-10595
| CVE ID | CVE-2019-10595 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible buffer overwrite in message handler due to lack of validation of tid value calculated from packets received from firmware |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8064, APQ8096AU, IPQ4019, IPQ8064, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8939, MSM8996AU, QCA4531, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SDA660, SDM630, SDM636, SDM660, SDX20, SDX24 |
| Patch* |
|
CVE-2019-10598
| CVE ID | CVE-2019-10598 |
| Title | Buffer Copy Without Checking Size of Input in WLAN Host |
| Description | Out of bound access can occur while processing peer info in IBSS connection mode due to lack of upper bounds check to ensure that for loop further will not cause an overflow |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8053, APQ8096AU, MDM9607, MSM8996AU, QCA6574AU, QCN7605, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
| Patch* |
CVE-2019-10601
| CVE ID | CVE-2019-10601 |
| Title | Improper Validation of Array Index in WLAN Host |
| Description | Out of bound access can occur while processing firmware event due to lack of validation of WMI message received from firmware |
| Technology Area | WLAN Host Cmn |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MSM8996AU, Nicobar, QCA6574AU, QCN7605, QCS405, SDM630, SDM636, SDM660, SDM845, SM6150, SM7150, SM8150 |
| Patch* |
CVE-2019-10605
| CVE ID | CVE-2019-10605 |
| Title | Buffer Copy Without Checking Size of Input in WLAN Host |
| Description | Buffer overwrite can occur in IEEE80211 header filling function due to lack of range check of array index received from firmware |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8053, IPQ8074, MDM9607, MDM9650, MSM8909, MSM8939, QCN7605, SDA660, SDM630, SDM636, SDM660, SDX20, SDX24 |
| Patch* |
CVE-2019-10607
| CVE ID | CVE-2019-10607 |
| Title | Buffer Copy Without Checking Size of Input in Kernel |
| Description | Out of bounds memcpy can occur by providing the embedded NULL character string and length greater than the actual string length |
| Technology Area | Security |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8996, MSM8996AU, QCA4531, QCA8081, QCA9531, QCA9558, QCA9886, QCA9980, QCN7605, QCS605, SDA660, SDX20, SDX24, SDX55, SM8150, SXR1130 |
| Patch* |
CVE-2019-10614
| CVE ID | CVE-2019-10614 |
| Title | Use of Out-of-range Pointer Offset in Video |
| Description | Out of boundary access is possible as there is no validation of data accessed against the received size of the packet in case of malicious firmware |
| Technology Area | Video |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Remote |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2019-2304
| CVE ID | CVE-2019-2304 |
| Title | Integer Overflow to Buffer Overflow Issue in WLAN HOST |
| Description | Integer overflow to buffer overflow due to lack of validation of event arguments received from firmware. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 09/02/2019 |
| Affected Chipsets* | IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8917, MSM8920, MSM8937, MSM8940, QCN7605, QCS405, QCS605, SDA845, SDM660, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
| Patch* |
|
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | December 2, 2019 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
- Announcements
- Acknowledgements
- Table of Vulnerabilities
- CVE-2019-10482
- CVE-2019-10487
- CVE-2019-10500
- CVE-2019-10513
- CVE-2019-10516
- CVE-2019-10517
- CVE-2019-10518
- CVE-2019-10525
- CVE-2019-10600
- CVE-2019-2242
- CVE-2019-2274
- Table of Vulnerabilities
- CVE-2018-11980
- CVE-2019-10480
- CVE-2019-10481
- CVE-2019-10536
- CVE-2019-10537
- CVE-2019-10544
- CVE-2019-10557
- CVE-2019-10564
- CVE-2019-10572
- CVE-2019-10584
- CVE-2019-10595
- CVE-2019-10598
- CVE-2019-10601
- CVE-2019-10605
- CVE-2019-10607
- CVE-2019-10614
- CVE-2019-2304
- Industry Coordination
- Version History
