This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
| Announcements: |
| Acknowledgements: |
| Proprietary Software Issues: |
| Open Source Software Issues: |
| Industry Coordination: |
| Version History: |
None
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2020-3681 | Found internally and later rediscovered by Richard Aplin of Bohemian Bits. |
| CVE-2020-3698, CVE-2020-3699 | aedla |
| CVE-2019-14037, CVE-2019-14093 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2019-14100 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2019-14101 | Arash Tohidi (@h4ul4) |
This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-3681 | Critical | WIN PLC FW | 12/26/2019 |
| CVE-2019-14123 | High | Content Protection | Internal |
| CVE-2019-14124 | High | Content Protection | Internal |
| CVE-2019-14130 | High | Content Protection | Internal |
| CVE-2020-3671 | High | Multimedia | 02/25/2020 |
| CVE-2020-3688 | High | Video | Internal |
| CVE-2020-3701 | High | Camera Driver | Internal |
This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-14101 | Medium | Core Services | 09/10/2019 |
| CVE ID | CVE-2020-3681 |
| Title | Cryptographic Issue in PLC Firmware |
| Description | Authenticated and encrypted payload MMEs can be forged and remotely sent to any HPAV2 system using a jailbreak key recoverable from code. |
| Technology Area | WIN PLC FW |
| Vulnerability Type | CWE-310 Cryptographic Issues |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 12/26/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | No active affected products |
| CVE ID | CVE-2019-14123 |
| Title | Improper Input Validation in Content Protection |
| Description | Possible buffer overflow and over read possible due to missing bounds checks for fixed limits if we consider widevine HLOS client as non-trustable |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
| CVE ID | CVE-2019-14124 |
| Title | Access of Uninitialized Pointer in Content Protection |
| Description | Memory failure in content protection module due to not having pointer within the scope |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-824 Access of Uninitialized Pointer |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
| CVE ID | CVE-2019-14130 |
| Title | Use of Out-of-range Pointer Offset Issue in Content Protection |
| Description | Memory corruption can occurs in trusted application if offset size from HLOS is more than actual mapped buffer size |
| Technology Area | Content Protection |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | Kamorta, QCS404, Rennell, SC7180, SDX55, SM6150, SM7150, SM8250, SXR2130 |
| CVE ID | CVE-2020-3671 |
| Title | Use After Free Issue in Graphics |
| Description | Use-after-free issue could occur due to dangling pointer when generating a frame buffer in OpenGL ES |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 02/25/2020 |
| Customer Notified Date | 06/01/2020 |
| Affected Chipsets* | APQ8009, Nicobar, QCM2150, QCS405, Saipan, SDM845, SM8150, SM8250, SXR2130 |
| CVE ID | CVE-2020-3688 |
| Title | Buffer Over-read issue in Video |
| Description | Possible buffer overflow while parsing mp4 clip with corrupted sample atoms due to improper validation of index |
| Technology Area | Video |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| CVE ID | CVE-2020-3701 |
| Title | Use After Free Issue in Camera Driver |
| Description | Use after free issue while processing error notification from camx driver due to not properly releasing the sequence data |
| Technology Area | Camera Driver |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Saipan, SM8250, SXR2130 |
| CVE ID | CVE-2019-14101 |
| Title | Improper Input Validation in Diag Services |
| Description | Out of bounds read can happen in diag event set mask command handler when user provided length in the command request is less than expected length |
| Technology Area | Core Services |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 09/10/2019 |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
* Data is generated only at the time of bulletin creation
This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-3698 | Critical | WLAN HOST | 11/19/2019 |
| CVE-2020-3699 | Critical | WLAN HOST | 11/19/2019 |
| CVE-2019-10580 | High | HLOS | Internal |
| CVE-2020-3700 | High | WIN WLAN Host | Internal |
This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-14037 | Medium | Data Network Stack & Connectivity | 08/20/2019 |
| CVE-2019-14093 | Medium | Display | 08/28/2019 |
| CVE-2019-14099 | Medium | Multimedia | 10/18/2019 |
| CVE-2019-14100 | Medium | NPU | 08/25/2019 |
| CVE ID | CVE-2020-3698 |
| Title | Improper Input Validation in WLAN Host |
| Description | Out of bound write while QoS DSCP mapping due to improper input validation for data received from association response frame |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 11/19/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM8150, SM8250, SXR2130 |
| Patch* |
| CVE ID | CVE-2020-3699 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible out of bound access while processing assoc response from host due to improper length check before copying into buffer |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 11/19/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCM2150, QCN7605, QCS405, QCS605, QM215, SA6155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
| CVE ID | CVE-2019-10580 |
| Title | Use After Free Issue in HLOS |
| Description | When kernel thread unregistered listener, Use after free issue happened as the listener client`s private data has been already freed |
| Technology Area | HLOS |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | MDM9607, MSM8909W, Nicobar, QCM2150, QCS405, QCS605, Saipan, SC8180X, SDM429W, SDX55, SM8150, SM8250, SXR2130 |
| Patch* |
| CVE ID | CVE-2020-3700 |
| Title | Buffer Over-read Issue in WLAN |
| Description | Possible out of bounds read due to a missing bounds check and could lead to local information disclosure in the wifi driver with no additional execution privileges needed |
| Technology Area | WIN WLAN Host |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8053, APQ8096AU, IPQ4019, IPQ8064, IPQ8074, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCA9531, QCA9558, QCA9980, SC8180X, SDM439, SDX55, SM8150, SM8250, SXR2130 |
| Patch* |
| CVE ID | CVE-2019-14037 |
| Title | Use After Free Issue in HLOS Data |
| Description | Close and bind operations done on a socket can lead to a Use-After-Free condition. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/20/2019 |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8996, MSM8996AU, QCN7605, QCN7606, QCS605, SC8180X, SDA660, SDA845, SDM439, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130 |
| Patch* |
| CVE ID | CVE-2019-14093 |
| Title | Improper Validation of Array Index in Display |
| Description | Array out of bound access can occur in display module due to lack of bound check on input parcel received |
| Technology Area | Display |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/28/2019 |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, QCM2150, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM636, SDM660, SDX20 |
| Patch* |
| CVE ID | CVE-2019-14099 |
| Title | Use of Out-of-range Pointer Offset in Camera |
| Description | Device misbehavior may be observed when incorrect offset, length or number of buffers is passed by user space |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 10/18/2019 |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | APQ8053, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
|
| CVE ID | CVE-2019-14100 |
| Title | Use of Out-of-Range Pointer Offset in Neural processing unit |
| Description | Register write via debugfs is disabled by default to prevent register writing via debugfs. |
| Technology Area | NPU |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/25/2019 |
| Customer Notified Date | 01/06/2020 |
| Affected Chipsets* | MDM9206, MDM9207C, MDM9607, Nicobar, QCS405, SA6155P, SC8180X, SDX55, SM8150 |
| Patch* |
* Data is generated only at the time of bulletin creation
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
| Version | Date | Comments |
| 1.0 | July 7, 2020 | Bulletin Published |
Version Date Comments 1.0 July 7, 2020 Bulletin Published
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.