June 2020 Security Bulletin

Version 1.0

Published: 06/01/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements:
Acknowledgements:
Proprietary Software Issues:
Open Source Software Issues:
Industry Coordination:
Version History:

Announcements

None

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2020-3628 Shupeng Gao
CVE-2020-3676 Maksymilian Motyl, Security Consultant for Trustwave SpiderLabs
CVE-2019-10626 Gengjia Chen (chengjia4574)
CVE-2019-14091 Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2019-14094 Arash Tohidi (h4ul4)

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2019-14073 | Critical | Data Modem | Internal
CVE-2019-14080 | Critical | Data Modem | Internal
CVE-2019-10597 | High | KERNEL | Internal
CVE-2019-14062 | High | Multi-Mode Call Processor | Internal
CVE-2019-14076 | High | Content Protection | 07/16/2019
CVE-2020-3614 | High | WLAN Firmware | Internal
CVE-2020-3626 | High | RIL | Internal
CVE-2020-3628 | High | On-device Logging | 07/30/2019
CVE-2020-3635 | High | Performance | 02/04/2020
CVE-2020-3642 | High | Camera Driver | Internal
CVE-2020-3658 | High | Video | Internal
CVE-2020-3660 | High | Video | Internal
CVE-2020-3661 | High | Video | Internal
CVE-2020-3662 | High | Video | Internal
CVE-2020-3663 | High | Video | Internal
CVE-2020-3676 | High | Performance | 02/04/2020

Public ID | Security Rating | Technology Area | Date Reported
CVE-2019-14092 | Medium | Telephony | 10/22/2019
CVE-2019-14094 | Medium | Core Services | 09/12/2019

CVE-2019-14073

CVE ID CVE-2019-14073
Title Buffer Copy Without Checking Size of Input in Modem Data
Description RTCP messages are copied into the output buffer without checking the destination buffer size, which could lead to a remote stack overflow when processing large data or non-standard feedback messages
Technology Area Data Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SA415M, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14080

CVE ID CVE-2019-14080
Title Improper Validation of Array Index in Modem Data
Description An out-of-bounds write can happen due to the lack of a check on the array index value while parsing the SDP attribute for SAR
Technology Area Data Modem
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, APQ8096AU, Kamorta, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS605, QM215, Rennell, SA415M, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-10597

CVE ID CVE-2019-10597
Title Improper Input Validation in Kernel
Description The kernel writes to a user-passed address without any checks, which can lead to an arbitrary memory write
Technology Area KERNEL
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* IPQ6018, IPQ8074, MSM8996, MSM8996AU, Nicobar, QCS605, Rennell, Saipan, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14062

CVE ID CVE-2019-14062
Title Buffer Copy Without Checking Size of Input in Multi Mode Call Processor
Description Buffer overflow while decoding a setup message from the network due to the lack of a check on the IE message length received from the network
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SA415M, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2019-14076

CVE ID CVE-2019-14076
Title Buffer Copy Without Checking Size of Input in TrustZone
Description Buffer overflow occurs while processing a subsample data length that is out of range, due to lack of user input validation
Technology Area Content Protection
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported 07/16/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3614

CVE ID CVE-2020-3614
Title Buffer Copy Without Checking Size of Input in WLAN
Description Possible buffer overflow while copying the frame to a local buffer due to the lack of a length check before copying
Technology Area WLAN Firmware
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8076, APQ8096, APQ8096AU, APQ8098, IPQ6018, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6174A, QCA6574AU, QCA6584AU, QCA9377, QCA9379, QCA9886, QCM2150, QCS405, QCS605, QM215, Rennell, SC7180, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3626

CVE ID CVE-2020-3626
Title Permissions, Privileges and Access Controls Issues in RIL
Description Any application can bind to the AIDL uimlpaservice and exercise its APIs because the service has no protection
Technology Area RIL
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3628

CVE ID CVE-2020-3628
Title Improper Access Control Issue in On-Device Logging
Description Improper access due to a socket opened by the logging application without specifying the localhost address
Technology Area On-device Logging
Vulnerability Type CWE-284 Improper Access Control
Access Vector Remote
Security Rating High
Date Reported 07/30/2019
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8053, Rennell, SDX20

CVE-2020-3635

CVE ID CVE-2020-3635
Title Stack Based Buffer Overflow in Performance
Description Stack-based overflow if the maximum number of arguments allowed per request in perflock exceeds
Technology Area Performance
Vulnerability Type CWE-121 Stack-based Buffer Overflow
Access Vector Local
Security Rating High
Date Reported 02/04/2020
Customer Notified Date 02/03/2020
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, Saipan, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3642

CVE ID CVE-2020-3642
Title Use After Free Issue in Camera
Description Use-after-free issue in camera applications when used randomly over multiple operations, due to a pointer not being set to NULL after free/destroy of the object
Technology Area Camera Driver
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* Kamorta, QCS605, Rennell, Saipan, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3658

CVE ID CVE-2020-3658
Title Buffer Over-read Issue in Video
Description A null-pointer dereference can occur while parsing an mp4 clip with corrupted sample table atoms
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3660

CVE ID CVE-2020-3660
Title Improper Validation of Array Index in Video
Description A null-pointer dereference can occur while parsing an mp4 clip with corrupted sample table atoms
Technology Area Video
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-3661

CVE ID CVE-2020-3661
Title Buffer Over-read Issue in Video
Description A buffer overflow will happen while parsing an mp4 clip with corrupted sample atom values that exceed the MAX_UINT32 range, due to lack of validation checks
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3662

CVE ID CVE-2020-3662
Title Buffer Over-read Issue in Video
Description A buffer overflow can occur while parsing the eac3 header when playing a nonstandard clip
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-3663

CVE ID CVE-2020-3663
Title Buffer Copy Without Checking Size of Input in Video
Description A buffer overwrite may occur while fetching track decoder-specific information if the cb size exceeds the buffer size
Technology Area Video
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA6574AU, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3676

CVE ID CVE-2020-3676
Title Improper Validation of Array Index in Android Performance
Description Possible memory corruption in perfservice due to improper validation of the array length taken from a user application.
Technology Area Performance
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 02/04/2020
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8096AU, APQ8098, Kamorta, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, Saipan, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14092

CVE ID CVE-2019-14092
Title Information Exposure Issue in Telephony
Description System Services exports services without permission protection, which can lead to information exposure
Technology Area Telephony
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 10/22/2019
Customer Notified Date 12/02/2019
Affected Chipsets* MDM9206, MDM9207C, MDM9607, Rennell, Saipan, SM8150, SM8250, SXR2130

CVE-2019-14094

CVE ID CVE-2019-14094
Title Buffer Over-read Issue in Diag Services
Description Integer overflow in the diag command handler when the user inputs a large value for the number of tasks field in the request packet
Technology Area Core Services
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 09/12/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ6018, IPQ8074, Kamorta, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA8081, QCM2150, QCN7605, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2019-14047 | High | Data Network Stack & Connectivity | Internal
CVE-2020-3613 | High | DSP Service | Internal
CVE-2020-3665 | High | WLAN HOST | Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2019-10626 | Medium | Audio | 07/16/2019
CVE-2019-14091 | Medium | NPU | 08/11/2019

CVE-2019-14047

CVE ID CVE-2019-14047
Title Improper Input Validation in HLOS Data
Description While the IPA driver processes the route add rule IOCTL, there is no input validation of the rule ID prior to adding the rule to the IPA HW commit list
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8053, APQ8096AU, MDM9607, MSM8909W, MSM8996, MSM8996AU, QCN7605, QCS605, SC8180X, SDA845, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*

CVE-2020-3613

CVE ID CVE-2020-3613
Title Double Free Issue in DSP Services
Description Double free issue in kernel memory mapping due to lack of memory protection mechanism
Technology Area DSP Service
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 02/03/2020
Affected Chipsets* SM8150
Patch*

CVE-2020-3665

CVE ID CVE-2020-3665
Title Improper Validation of Array Index in WLAN HOST
Description A possible buffer overflow would occur while processing command from firmware due to the group_id obtained from the firmware being out of range
Technology Area WLAN HOST
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8009, APQ8053, APQ8096AU, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, MSM8996, MSM8996AU, QCA6174A, QCA9377, QCA9379, SDM439, SDM636, SDM660, SDX20, SDX24, SM8150
Patch*

CVE-2019-10626

CVE ID CVE-2019-10626
Title Information Exposure Issue in Video
Description Payload size is not validated before reading memory, which may cause access to an invalid pointer or garbage data
Technology Area Audio
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 07/16/2019
Customer Notified Date 12/02/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Rennell, Saipan, SC8180X, SDA660, SDA845, SDM429W, SDM439, SDM670, SDM710, SDX20, SDX24, SDX55, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2019-14091

CVE ID CVE-2019-14091
Title Double Free Issue in Neural Processing Unit
Description Double free issue in NPU due to lack of resource locking mechanism to avoid race condition
Technology Area NPU
Vulnerability Type CWE-415 Double Free
Access Vector Local
Security Rating Medium
Date Reported 08/11/2019
Customer Notified Date 12/02/2019
Affected Chipsets* MDM9607, QCS405, Rennell, Saipan, SC8180X, SDX55, SM8150, SM8250, SXR2130
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version | Date | Comments
1.0 | June 1, 2020 | Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
