November 2019 Security Bulletin

Version 1.0

Published: 11/04/2019

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Announcements

We have discontinued publication of the open source public bulletin at https://www.codeaurora.org/security-advisories/security-bulletins. Starting from September 2019, we will have a single monthly bulletin listing both open-source and closed-source vulnerabilities.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-10494 Pengfei Ding(丁鹏飞) of Huawei
CVE-2019-10592, CVE-2019-2310 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-10618 David Wells
CVE-2019-2321 %i%s%n\nAAA (derrek)

This table summarizes security vulnerabilities that were addressed through proprietary software.

Table of Vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-10484 | High | Secure Processor | Internal |
| CVE-2019-10485 | High | GERAN | Internal |
| CVE-2019-10493 | Critical | GPS | Internal |
| CVE-2019-10511 | Critical | GERAN | Internal |
| CVE-2019-10559 | High | Video | Internal |
| CVE-2019-10592 | Medium | Display | 05/22/2019 |
| CVE-2019-10618 | Medium | WLAN Windows Host | 08/16/2019 |
| CVE-2019-2288 | Critical | QTEE | 01/01/2019 |
| CVE-2019-2319 | High | Core | Internal |
| CVE-2019-2320 | Critical | Multi-Mode Call Processor | Internal |
| CVE-2019-2321 | Critical | QTEE | 12/19/2018 |
| CVE-2019-2337 | High | Multi-Mode Call Processor | Internal |
| CVE-2019-2338 | High | QTEE | Internal |

CVE-2019-10484

CVE ID CVE-2019-10484
Title Use After Free issue in Secure Processor NVM handler
Description Commit or Open Partition command destructors access the dynamically allocated response buffer after the buffer itself has already been deallocated during the previous command teardown sequence
Technology Area Secure Processor
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8098, MSM8909W, Nicobar, QCS405, QCS605, SDA845, SDM660, SDM670, SDM710, SDM845, SDX24, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2019-10485

CVE ID CVE-2019-10485
Title Loop With Unreachable Exit Condition in GSM EDGE Radio Access Network
Description Infinite loop while decoding compressed data can lead to overrun condition
Technology Area GERAN
Vulnerability Type CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-10493

CVE ID CVE-2019-10493
Title Buffer Copy Without Checking Size of Input in GPS Module
Description Position determination accuracy may be degraded due to wrongly decoded information
Technology Area GPS
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8053, MDM9206, MDM9207C, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-10511

CVE ID CVE-2019-10511
Title Improper Validation of Array Index in GSM EDGE Radio Access Network
Description Possibility of memory overflow while decoding GSNDCP compressed mode PDU
Technology Area GERAN
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-10559

CVE ID CVE-2019-10559
Title Access of uninitialized Pointer issue in Video
Description Accessing the data buffer beyond the available data while parsing an Ogg clip can lead to a null-pointer dereference and then memory corruption
Technology Area Video
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/01/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8939, MSM8953, MSM8996, MSM8996AU, Nicobar, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10592

CVE ID CVE-2019-10592
Title Integer Overflow to Buffer Overflow Issue in Display
Description Possible integer overflow while multiplying two 32-bit integers in the QDCM API for getting display modes, as there is no check on the maximum mode count
Technology Area Display
Vulnerability Type CWE-680 Integer Overflow to Buffer Overflow
Access Vector Local
Security Rating Medium
Date Reported 05/22/2019
Customer Notified Date 08/05/2019
Affected Chipsets* APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2019-10618

CVE ID CVE-2019-10618
Title Information Exposure Issue in WLAN Host
Description Driver may access an invalid address while processing IO control due to a missing address validation check
Technology Area WLAN Windows Host
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 08/16/2019
Customer Notified Date 09/09/2019
Affected Chipsets*  

CVE-2019-2288

CVE ID CVE-2019-2288
Title Buffer Copy Without Checking Size of Input in QTEE
Description Out-of-bounds write in TZ while copying the secure dump structure to an HLOS-provided buffer as part of a memory dump
Technology Area QTEE
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Critical
Date Reported 01/01/2019
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, Snapdragon_High_Med_2016, SXR1130

CVE-2019-2319

CVE ID CVE-2019-2319
Title Improper Access Control During Memory Assignment
Description HLOS could corrupt CPZ page table memory for S1 managed VMs
Technology Area Core
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130

CVE-2019-2320

CVE ID CVE-2019-2320
Title Possible out of bounds write issue in NAS
Description Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-2321

CVE ID CVE-2019-2321
Title Buffer Overflow Issue in QTEE Logging Mechanism
Description An incorrect length is used while validating the qsee log buffer sent from HLOS, which could then lead to a remap conflict
Technology Area QTEE
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Critical
Date Reported 12/19/2018
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, IPQ4019, IPQ8074, MDM9150, MDM9205, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QCA8081, QCS404, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-2337

CVE ID CVE-2019-2337
Title Buffer Over-read Issue in NAS
Description While skipping unknown IEs, EMM reads the buffer even if the number of bytes to read is greater than the message length, which may cause the device to shut down
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9640, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8976, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, SC8180X, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, Snapdragon_High_Med_2016, SXR1130, SXR2130

CVE-2019-2338

CVE ID CVE-2019-2338
Title Use of Out-of-range Pointer Offset in QTEE
Description Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world
Technology Area QTEE
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets* MDM9205, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation

This table summarizes security vulnerabilities that were addressed through open source software located at the corresponding open source project links.

Table of Vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-10494 | Medium | Multimedia | 12/13/2018 |
| CVE-2019-10545 | High | Graphics | Internal |
| CVE-2019-10555 | Medium | Display | 10/11/2018 |
| CVE-2019-10571 | High | Graphics | Internal |
| CVE-2019-2310 | High | WLAN HOST | 05/04/2018 |

CVE-2019-10494

CVE ID CVE-2019-10494
Title Time-of-Check Time-of-Use Race Condition in Camera
Description Race condition between the camera functions due to a missing resource lock, which will lead to memory corruption and a use-after-free (UAF) issue
Technology Area Multimedia
Vulnerability Type CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector Local
Security Rating Medium
Date Reported 12/13/2018
Customer Notified Date 08/05/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150
Patch*

CVE-2019-10545

CVE ID CVE-2019-10545
Title Null Pointer Dereference Issue in Graphics
Description Null pointer dereference issue in kernel due to missing check related to LLC support in GPU
Technology Area Graphics
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 08/05/2019
Affected Chipsets* QCS605, SDM670, SDM710, SM6150, SM7150, SM8150
Patch*

CVE-2019-10555

CVE ID CVE-2019-10555
Title Buffer Copy Without Checking Size of Input in Display
Description Buffer overflow can occur due to use of the wrong data type and a missing length check before copying into the buffer
Technology Area Display
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating Medium
Date Reported 10/11/2018
Customer Notified Date 08/05/2019
Affected Chipsets* APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150
Patch*

CVE-2019-10571

CVE ID CVE-2019-10571
Title Buffer Copy Without Checking Size of Input in Graphics
Description Snapshot of IB can lead to invalid address access due to missing check for size in the related function
Technology Area Graphics
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 08/05/2019
Affected Chipsets* APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, Nicobar, QCN7605, QCS405, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2019-2310

CVE ID CVE-2019-2310
Title Buffer Over-read Issue in WLAN
Description An out-of-bounds read would occur while trying to read the action category and action ID without validating the action length of the Rx frame body
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 05/04/2018
Customer Notified Date 04/01/2019
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SDA660, SDA845, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM8150
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | November 4, 2019 | Bulletin Published |

 

 

 
