May 2020

May 2020 Security Bulletin

Version 1.0d

Published: 05/04/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements
Acknowledgements
Proprietary Software Issues
Open Source Software Issues
Industry Coordination
Version History

Announcements

None

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2020-3610: Monk Avel
CVE-2020-3615: Reported to us through the Google Android Security team; please see the bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2020-3680: Jun Yao (yaojun8558363@gmail.com)
CVE-2019-14038, CVE-2019-14039: Gengjia Chen ( @chengjia4574 ) of IceSword Lab, Qihoo 360 Technology Co. Ltd.
CVE-2019-14042, CVE-2019-14043: Arash Tohidi of Solita

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID        Security Rating   Technology Area   Date Reported
CVE-2020-3641    Critical          Video             Internal
CVE-2019-14054   High              QTEE              Internal
CVE-2019-14066   High              Technologies      Internal
CVE-2019-14067   High              HLOS              08/23/2018
CVE-2019-14077   High              NFC               Internal
CVE-2019-14078   High              NFC               Internal
CVE-2020-3616    High              Display           Internal
CVE-2020-3618    High              WLAN Firmware     Internal
CVE-2020-3633    High              Video             Internal
CVE-2020-3645    High              WLAN Firmware     Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID        Security Rating   Technology Area   Date Reported
CVE-2019-14042   Medium            Fingerprint       07/31/2019
CVE-2019-14043   Medium            Fingerprint       08/01/2019

CVE-2020-3641

CVE ID: CVE-2020-3641
Title: Buffer Copy Without Checking Size of Input in Video
Description: Integer overflow may occur if the atom size is less than the atom offset, as there is improper validation of the atom size
Technology Area: Video
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Remote
Security Rating: Critical
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, QCA6574AU, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130
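The validation this entry calls for, shown as an added C example (not QTI's video parser): an ISO BMFF-style atom header carries a declared size, and the header length is the payload offset, so a size smaller than that offset makes `size - offset` wrap to a huge payload length. The checked parser below rejects that case and a size larger than the available bytes; the field layout and the unchecked contrast function are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parsed view of one atom header (constructed example, not QTI's parser). */
typedef struct {
    uint64_t size;        /* total atom size, header included */
    size_t   header_len;  /* 8, or 16 when the 64-bit largesize field is present */
    uint64_t payload_len; /* size - header_len; valid only when parse_atom returned 1 */
    char     type[5];     /* four-character atom type, NUL-terminated */
} atom_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 and fills *out when the atom at buf[0..avail) is well-formed, else 0.
 * The decisive check is size >= header_len: the header length is the payload
 * offset, and if size is smaller the subtraction wraps to a huge payload length
 * that a later copy would trust. The size <= avail check stops a header that
 * claims more bytes than the buffer holds. */
int parse_atom(const uint8_t *buf, size_t avail, atom_t *out) {
    if (avail < 8) return 0;                    /* not even a compact header */
    uint64_t size = rd32(buf);
    size_t header_len = 8;
    if (size == 1) {                            /* largesize follows the type field */
        if (avail < 16) return 0;
        size = ((uint64_t)rd32(buf + 8) << 32) | rd32(buf + 12);
        header_len = 16;
    } else if (size == 0) {                     /* atom runs to the end of the data */
        size = avail;
    }
    if (size < header_len) return 0;            /* would underflow: the bulletin's condition */
    if (size > avail) return 0;                 /* truncated input or lying header */
    out->size = size;
    out->header_len = header_len;
    out->payload_len = size - header_len;       /* now within [0, avail - header_len] */
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    return 1;
}

/* Unchecked variant kept for contrast: trusts the declared size, so a header
 * declaring size 4 yields a payload length of 0xFFFFFFFC. */
uint32_t unchecked_payload_len(const uint8_t *buf) {
    return rd32(buf) - 8u;                      /* unsigned wraparound */
}
```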

CVE-2019-14054

CVE ID: CVE-2019-14054
Title: Improper Access Control Issue in QTEE
Description: Improper permissions in the XBL_SEC region enable a user to update XBL_SEC code and data and divert the RAM dump path to the normal cold boot path
Technology Area: QTEE
Vulnerability Type: CWE-284 Improper Access Control
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/04/2019
Affected Chipsets*: Kamorta, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130, SXR2130

CVE-2019-14066

CVE ID: CVE-2019-14066
Title: Integer Overflow Issue in Feature License Queries
Description: Integer overflow in calculating the estimated output buffer size when getting a list of installed Feature IDs or Serial Numbers, or when checking Feature ID status
Technology Area: Technologies
Vulnerability Type: CWE-190 Integer Overflow or Wraparound
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/04/2019
Affected Chipsets*: Kamorta, MDM9205, MDM9607, Nicobar, QCS404, QCS405, Rennell, SA6155P, SC7180, SC8180X, SDX55, SM6150, SM7150, SXR2130

CVE-2019-14067

CVE ID: CVE-2019-14067
Title: Information Exposure in QTEE
Description: Using non-constant-time functions such as memcmp to compare sensitive data can lead to information leakage through a timing side channel.
Technology Area: HLOS
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: High
Date Reported: 08/23/2018
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130
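The weakness and its fix side by side, as an added C example (not QTI's code): an early-exit comparison stops at the first mismatching byte, so the work it does tracks the length of the matching prefix, while the constant-time form visits every byte and folds the differences into one accumulator. The `steps` counter is an instrumentation assumption of this example, added so the leak is visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>

/* Early-exit comparison in the style of memcmp, kept for contrast. *steps
 * receives the number of bytes examined, which grows with the length of the
 * matching prefix: that variation in work is the timing side channel. */
int compare_early_exit(const uint8_t *secret, const uint8_t *guess, size_t n,
                       size_t *steps) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (secret[i] != guess[i]) break;
    }
    *steps = (i < n) ? i + 1 : n;
    return i == n;
}

/* Constant-time comparison: every byte is visited regardless of where the
 * inputs differ, and the mismatches are OR-folded into one accumulator. The
 * volatile keeps the compiler from turning the loop back into an early exit.
 * Returns 1 when equal, 0 otherwise. */
int compare_const_time(const uint8_t *secret, const uint8_t *guess, size_t n) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    /* Branch-free collapse: diff == 0 -> 1, any nonzero diff -> 0 */
    return (int)(1u & (((unsigned)diff - 1u) >> 8));
}
```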

CVE-2019-14077

CVE ID: CVE-2019-14077
Title: Incorrect Type Conversion or Cast Issue in Trustzone
Description: Out-of-bounds memory access while processing an eSE transmit command, due to passing through the response buffer received from the user
Technology Area: NFC
Vulnerability Type: CWE-704 Incorrect Type Conversion or Cast
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8009, APQ8098, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9607, MDM9650, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14078

CVE ID: CVE-2019-14078
Title: Incorrect Calculation of Buffer Size in Trustzone Application
Description: Out-of-bounds memory access while processing qpay, due to not validating the length of the response buffer provided by the user.
Technology Area: NFC
Vulnerability Type: CWE-131 Incorrect Calculation of Buffer Size
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8009, APQ8098, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845

CVE-2020-3616

CVE ID: CVE-2020-3616
Title: Buffer Copy Without Checking Size of Input in Display
Description: Buffer overflow in a display function due to a memory copy made with strcpy without checking the length of the input
Technology Area: Display
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150

CVE-2020-3618

CVE ID: CVE-2020-3618
Title: Use After Free Issue in WLAN
Description: NULL exception due to accessing a bad pointer while posting events on the RT FIFO
Technology Area: WLAN Firmware
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: IPQ6018, IPQ8074, QCA8081, SC8180X, SXR2130

CVE-2020-3633

CVE ID: CVE-2020-3633
Title: Improper Validation of Array Index in Video
Description: Array out-of-bounds access may occur while playing an MP3 file, as there is no check on whether the offset is greater than the allocated buffer
Technology Area: Video
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-3645

CVE ID: CVE-2020-3645
Title: Reachable Assertion in WLAN Firmware
Description: WLAN firmware will hit an assert if the encrypted data length in the FILS IE of a reassociation response is more than 528 bytes
Technology Area: WLAN Firmware
Vulnerability Type: CWE-617 Reachable Assertion
Access Vector: Remote
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-14042

CVE ID: CVE-2019-14042
Title: Buffer Over-read Issue in Biometrics
Description: Out-of-bounds read in the fingerprint application due to requested data being assigned to a local buffer without a length check
Technology Area: Fingerprint
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 07/31/2019
Customer Notified Date: 11/04/2019
Affected Chipsets*: Kamorta, MDM9205, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-14043

CVE ID: CVE-2019-14043
Title: Information Exposure Issue in Biometrics
Description: Out-of-bounds read in the fingerprint application because requested data is used without a length check
Technology Area: Fingerprint
Vulnerability Type: CWE-200 Information Exposure
Access Vector: Local
Security Rating: Medium
Date Reported: 08/01/2019
Customer Notified Date: 11/04/2019
Affected Chipsets*: Kamorta, MDM9150, MDM9205, MDM9650, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation.

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.

Public ID        Security Rating   Technology Area                     Date Reported
CVE-2019-14053   High              Data Network Stack & Connectivity   Internal
CVE-2019-14087   High              Display                             Internal
CVE-2020-3610    High              Graphics                            05/28/2019
CVE-2020-3615    High              WLAN HOST                           10/14/2019
CVE-2020-3623    High              NPU                                 Internal
CVE-2020-3625    High              DSP Service                         Internal
CVE-2020-3630    High              Video                               Internal
CVE-2020-3680    High              DSP Service                         11/27/2019

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID        Security Rating   Technology Area   Date Reported
CVE-2019-14038   Medium            Audio             07/15/2019
CVE-2019-14039   Medium            Audio             07/15/2019

CVE-2019-14053

CVE ID: CVE-2019-14053
Title: Buffer Over-read Issue in HLOS Data
Description: When attempting to create a new XFRM policy, a stack out-of-bounds read will occur if the user provides a template where the mode is set to a value that does not resolve to a valid XFRM mode
Technology Area: Data Network Stack & Connectivity
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCA4531, QCN7605, QCS605, QM215, SA415M, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*:

CVE-2019-14087

CVE ID: CVE-2019-14087
Title: Use After Free Issue in Display
Description: Failure in buffer management while accessing the handle for HDR blit when color modes are not supported by the display
Technology Area: Display
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 12/02/2019
Affected Chipsets*: MSM8909W, QCS605
Patch*:

CVE-2020-3610

CVE ID: CVE-2020-3610
Title: Use After Free Issue in Graphics
Description: Possibility of a double free of the drawobj that is added to the drawqueue array of the context during IOCTL commands, as no refcount is taken for this object
Technology Area: Graphics
Vulnerability Type: CWE-416 Use After Free
Access Vector: Local
Security Rating: High
Date Reported: 05/28/2019
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*:

CVE-2020-3615

CVE ID: CVE-2020-3615
Title: Reachable Assertion in WLAN
Description: Valid deauth/disassoc frames are dropped when RMF is enabled and a rogue peer keeps sending rogue deauth/disassoc frames, due to improper enum values being used to check the frame subtype
Technology Area: WLAN HOST
Vulnerability Type: CWE-617 Reachable Assertion
Access Vector: Remote
Security Rating: High
Date Reported: 10/14/2019
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SC8180X, SDM630, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130
Patch*:

CVE-2020-3623

CVE ID: CVE-2020-3623
Title: Improper Input Validation in Neural Processing Unit
Description: Kernel failure due to load failures while running the v1 path directly via the kernel
Technology Area: NPU
Vulnerability Type: CWE-20 Improper Input Validation
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: SM8250, SXR2130
Patch*:
  • CAF link unavailable

CVE-2020-3625

CVE ID: CVE-2020-3625
Title: Buffer Copy Without Checking Size of Input in DSP Services
Description: When querying DSP capabilities, a stack out-of-bounds access occurs due to a wrong buffer length configured for DSP attributes
Technology Area: DSP Service
Vulnerability Type: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: SM8250, SXR2130
Patch*:
  • CAF link unavailable

CVE-2020-3630

CVE ID: CVE-2020-3630
Title: Improper Validation of Array Index in Video
Description: Possibility of out-of-bounds access while processing the responses from the video firmware
Technology Area: Video
Vulnerability Type: CWE-129 Improper Validation of Array Index
Access Vector: Local
Security Rating: High
Date Reported: Internal
Customer Notified Date: 02/03/2020
Affected Chipsets*: APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA415M, SA6155P, Saipan, SC8180X, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*:

CVE-2020-3680

CVE ID: CVE-2020-3680
Title: Time-of-Check Time-of-Use (TOCTOU) Race Condition in DSP Services
Description: A race condition can occur when using the fastrpc memory mapping API.
Technology Area: DSP Service
Vulnerability Type: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector: Local
Security Rating: High
Date Reported: 11/27/2019
Customer Notified Date: 03/02/2020
Affected Chipsets*: APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, QCS605, QM215, SA415M, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SXR1130
Patch*:

CVE-2019-14038

CVE ID: CVE-2019-14038
Title: Buffer Over-read Issue in Audio
Description: Buffer over-read in an ADSP parse function due to a missing check that a sufficient data payload was received in the command response
Technology Area: Audio
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 07/15/2019
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8009, APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24
Patch*:

CVE-2019-14039

CVE ID: CVE-2019-14039
Title: Buffer Over-read Issue in Audio
Description: Out-of-bounds read in the ADM callback function due to an incorrect boundary check for the payload in the command response
Technology Area: Audio
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Local
Security Rating: Medium
Date Reported: 07/15/2019
Customer Notified Date: 11/04/2019
Affected Chipsets*: APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24
Patch*:

* Data is generated only at the time of bulletin creation.

Industry Coordination

Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios, but may differ in some cases for one of the following reasons:

  • Consideration of security protections such as SELinux that are not enforced on some platforms
  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version   Date          Comments
1.0       May 4, 2020   Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.

References to "Qualcomm" may mean Qualcomm Incorporated, or subsidiaries or business units within the Qualcomm corporate structure, as applicable.

Qualcomm Incorporated includes Qualcomm's licensing business, QTL, and the vast majority of its patent portfolio. Qualcomm Technologies, Inc., a wholly-owned subsidiary of Qualcomm Incorporated, operates, along with its subsidiaries, substantially all of Qualcomm's engineering, research and development functions, and substantially all of its products and services businesses. Qualcomm products referenced on this page are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Materials that are as of a specific date, including but not limited to press releases, presentations, blog posts and webcasts, may have been superseded by subsequent events or disclosures.

Nothing in these materials is an offer to sell any of the components or devices referenced herein.