July 2020 Security Bulletin

Version 1.0

Published: 07/07/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements:
Acknowledgements:
Proprietary Software Issues:
Open Source Software Issues:
Industry Coordination:
Version History:

Announcements

None

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2020-3681 Found internally and later rediscovered by Richard Aplin of Bohemian Bits.
CVE-2020-3698, CVE-2020-3699 aedla
CVE-2019-14037, CVE-2019-14093 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-14100 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2019-14101 Arash Tohidi (@h4ul4)

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2020-3681 | Critical | WIN PLC FW | 12/26/2019 |
| CVE-2019-14123 | High | Content Protection | Internal |
| CVE-2019-14124 | High | Content Protection | Internal |
| CVE-2019-14130 | High | Content Protection | Internal |
| CVE-2020-3671 | High | Multimedia | 02/25/2020 |
| CVE-2020-3688 | High | Video | Internal |
| CVE-2020-3701 | High | Camera Driver | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-14101 | Medium | Core Services | 09/10/2019 |

CVE-2020-3681

CVE ID CVE-2020-3681
Title Cryptographic Issue in PLC Firmware
Description Authenticated and encrypted payload MMEs can be forged and remotely sent to any HPAV2 system using a jailbreak key recoverable from code.
Technology Area WIN PLC FW
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Remote
Security Rating Critical
Date Reported 12/26/2019
Customer Notified Date 04/06/2020
Affected Chipsets* No active affected products

CVE-2019-14123

CVE ID CVE-2019-14123
Title Improper Input Validation in Content Protection
Description Possible buffer overflow and over-read due to missing bounds checks for fixed limits if the Widevine HLOS client is considered untrusted
Technology Area Content Protection
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2019-14124

CVE ID CVE-2019-14124
Title Access of Uninitialized Pointer in Content Protection
Description Memory failure in content protection module due to not having pointer within the scope
Technology Area Content Protection
Vulnerability Type CWE-824 Access of Uninitialized Pointer
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2019-14130

CVE ID CVE-2019-14130
Title Use of Out-of-range Pointer Offset Issue in Content Protection
Description Memory corruption can occur in a trusted application if the offset size from HLOS is more than the actual mapped buffer size
Technology Area Content Protection
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130

CVE-2020-3671

CVE ID CVE-2020-3671
Title Use After Free Issue in Graphics
Description Use-after-free issue could occur due to dangling pointer when generating a frame buffer in OpenGL ES
Technology Area Multimedia
Vulnerability Type CWE-416 Use After Free
Access Vector Remote
Security Rating High
Date Reported 02/25/2020
Customer Notified Date 06/01/2020
Affected Chipsets* APQ8009, Nicobar, QCM2150, QCS405, Saipan, SDM845, SM8150, SM8250, SXR2130

CVE-2020-3688

CVE ID CVE-2020-3688
Title Buffer Over-read issue in Video
Description Possible buffer overflow while parsing mp4 clip with corrupted sample atoms due to improper validation of index
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3701

CVE ID CVE-2020-3701
Title Use After Free Issue in Camera Driver
Description Use after free issue while processing error notification from camx driver due to not properly releasing the sequence data
Technology Area Camera Driver
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Saipan, SM8250, SXR2130

CVE-2019-14101

CVE ID CVE-2019-14101
Title Improper Input Validation in Diag Services
Description Out of bounds read can happen in diag event set mask command handler when user provided length in the command request is less than expected length
Technology Area Core Services
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported 09/10/2019
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2020-3698 | Critical | WLAN HOST | 11/19/2019 |
| CVE-2020-3699 | Critical | WLAN HOST | 11/19/2019 |
| CVE-2019-10580 | High | HLOS | Internal |
| CVE-2020-3700 | High | WIN WLAN Host | Internal |

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-14037 | Medium | Data Network Stack & Connectivity | 08/20/2019 |
| CVE-2019-14093 | Medium | Display | 08/28/2019 |
| CVE-2019-14099 | Medium | Multimedia | 10/18/2019 |
| CVE-2019-14100 | Medium | NPU | 08/25/2019 |

CVE-2020-3698

CVE ID CVE-2020-3698
Title Improper Input Validation in WLAN Host
Description Out of bound write while QoS DSCP mapping due to improper input validation for data received from association response frame
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating Critical
Date Reported 11/19/2019
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3699

CVE ID CVE-2020-3699
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible out of bound access while processing assoc response from host due to improper length check before copying into buffer
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported 11/19/2019
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-10580

CVE ID CVE-2019-10580
Title Use After Free Issue in HLOS
Description A use-after-free issue occurs when a kernel thread unregisters a listener, because the listener client's private data has already been freed
Technology Area HLOS
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 01/06/2020
Affected Chipsets* MDM9607, MSM8909W, Nicobar, QCM2150, QCS405, QCS605, Saipan, SC8180X, SDM429W, SDX55, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3700

CVE ID CVE-2020-3700
Title Buffer Over-read Issue in WLAN
Description Possible out of bounds read due to a missing bounds check and could lead to local information disclosure in the wifi driver with no additional execution privileges needed
Technology Area WIN WLAN Host
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8053, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCA9531, QCA9558, QCA9980, SC8180X, SDM439, SDX55, SM8150, SM8250, SXR2130
Patch*

CVE-2019-14037

CVE ID CVE-2019-14037
Title Use After Free Issue in HLOS Data
Description Close and bind operations done on a socket can lead to a Use-After-Free condition.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 08/20/2019
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8996, MSM8996AU, QCN7605, QCN7606, QCS605, SC8180X, SDA660, SDA845, SDM439, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*

CVE-2019-14093

CVE ID CVE-2019-14093
Title Improper Validation of Array Index in Display
Description Array out of bound access can occur in display module due to lack of bound check on input parcel received
Technology Area Display
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating Medium
Date Reported 08/28/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, QCM2150, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM636, SDM660, SDX20
Patch*

CVE-2019-14099

CVE ID CVE-2019-14099
Title Use of Out-of-range Pointer Offset in Camera
Description Device misbehavior may be observed when incorrect offset, length or number of buffers is passed by user space
Technology Area Multimedia
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 10/18/2019
Customer Notified Date 01/06/2020
Affected Chipsets* APQ8053, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14100

CVE ID CVE-2019-14100
Title Use of Out-of-Range Pointer Offset in Neural processing unit
Description Register write via debugfs is disabled by default to prevent register writing via debugfs.
Technology Area NPU
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 08/25/2019
Customer Notified Date 01/06/2020
Affected Chipsets* MDM9206, MDM9207C, MDM9607, Nicobar, QCS405, SA6155P, SC8180X, SDX55, SM8150
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | July 7, 2020 | Bulletin Published |


All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
