October 2020 Security Bulletin
Version 1.0
Published: 10/05/2020
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices..
Please reach out to security [email protected] for any questions related to this bulletin.
Table of Contents
| Announcements: |
| Acknowledgements: |
| Proprietary Software Issues: |
| Open Source Software Issues: |
| Industry Coordination: |
| Version History: |
Announcements
None
Acknowledgements
| CVE-2020-11114, CVE-2020-3703, CVE-2020-3704 | Matheus E. Garbelini; Sudipta Chattopadhyay; Chundong Wang. Singapore University of Technology and Design |
| CVE-2020-11164 | An external reporter reported it to Xiaomi who reported it to us. |
| CVE-2020-11173, CVE-2020-11174 | Jun Yao (姚俊) (@_2freeman) and Guang Gong (@oldfresher) of 360 Alpha Lab working with 360 BugCloud( https://bugcloud.360.cn/ ) |
| CVE-2020-3693, CVE-2020-3694 | Ben Hutchings of Codethink Ltd |
| CVE-2020-3696 | 2freeman |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software
This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-11153 | Critical | BT Controller | Internal |
| CVE-2020-11154 | Critical | BT Controller | Internal |
| CVE-2020-11155 | Critical | BT Controller | Internal |
| CVE-2020-3654 | Critical | Data Network Stack & Connectivity | Internal |
| CVE-2020-3657 | Critical | Data Network Stack & Connectivity | 06/30/2020 |
| CVE-2020-3673 | Critical | Data Network Stack & Connectivity | Internal |
| CVE-2020-3692 | Critical | Data Modem | Internal |
| CVE-2020-11114 | High | BT Controller | 02/13/2020 |
| CVE-2020-11141 | High | BT Controller | Internal |
| CVE-2020-11156 | High | BT Controller | Internal |
| CVE-2020-11157 | High | BT Controller | Internal |
| CVE-2020-11164 | High | Performance | 05/08/2020 |
| CVE-2020-11169 | High | BT Controller | Internal |
| CVE-2020-11172 | High | WIN WLAN Host | Internal |
| CVE-2020-3638 | High | Core | Internal |
| CVE-2020-3670 | High | Multi-Mode Call Processor | Internal |
| CVE-2020-3678 | High | Core | Internal |
| CVE-2020-3684 | High | Qualcomm IPC | Internal |
| CVE-2020-3690 | High | KERNEL | Internal |
| CVE-2020-3703 | High | BT Controller | 02/13/2020 |
| CVE-2020-3704 | High | BT Controller | 02/13/2020 |
CVE-2020-11153
| CVE ID | CVE-2020-11153 |
| Title | Buffer Copy Without Checking Size of Input in Bluetooth |
| Description | Out of bound memory access while processing GATT data received due to lack of check of pdu data length and leads to remote code execution |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8053, QCA6390, QCA9379, QCN7605, SC8180X, SDX55 |
CVE-2020-11154
| CVE ID | CVE-2020-11154 |
| Title | Buffer Copy Without Checking Size of Input in Bluetooth |
| Description | Buffer overflow while processing a crafted PDU data packet in bluetooth due to lack of check of buffer size before copying |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55 |
CVE-2020-11155
| CVE ID | CVE-2020-11155 |
| Title | Buffer Copy Without Checking Size of Input in Bluetooth |
| Description | Buffer overflow while processing PDU packet in bluetooth due to lack of check of buffer length before copying into it. |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55 |
CVE-2020-3654
| CVE ID | CVE-2020-3654 |
| Title | Improper Validation of Array Index in Data HLOS |
| Description | Buffer overflow occurs while processing SIP message packet due to lack of check of index validation before copying into it |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6390, QCA6574AU, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3657
| CVE ID | CVE-2020-3657 |
| Title | Buffer Copy Without Checking Size of Input in HLOS Data |
| Description | Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due to lack of array bound check. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | 06/30/2020 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6574AU, QCS405, QCS610, QRB5165, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8250 |
CVE-2020-3673
| CVE ID | CVE-2020-3673 |
| Title | Improper Validation of Array Index in HLOS Data |
| Description | Buffer overflow can happen as part of SIP message packet processing while storing values in array due to lack of check to validate the index length |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6390, QCA6574AU, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3692
| CVE ID | CVE-2020-3692 |
| Title | Buffer Copy Without Checking Size of Input in Data Modem |
| Description | Possible buffer overflow while updating output buffer for IMEI and Gateway Address due to lack of check of input validation for parameters received from server |
| Technology Area | Data Modem |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, Kamorta, Nicobar, QCM6125, QCS610, Rennell, SA415M, Saipan, SC7180, SC8180X, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2020-11114
| CVE ID | CVE-2020-11114 |
| Title | Buffer Over read Issue in Bluetooth Driver(Sweyntooth issue 6.2, 6.3) |
| Description | Bluetooth devices does not properly restrict the L2CAP payload length allowing users in radio range to cause a buffer overflow via a crafted Link Layer packet(Equivalent to CVE-2019-17060,CVE-2019-17061 and CVE-2019-17517 in Sweyntooth paper) |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 02/13/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | AR9344 |
CVE-2020-11141
| CVE ID | CVE-2020-11141 |
| Title | Improper Input Validation in Bluetooth |
| Description | Buffer over-read issue in Bluetooth estack due to lack of check for invalid length of L2cap configuration request received from peer device. |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8009, APQ8053, QCA6390, QCN7605, SA415M, SA515M, SC8180X, SDX55, SM8250 |
CVE-2020-11156
| CVE ID | CVE-2020-11156 |
| Title | Improper Input Validation in Bluetooth |
| Description | Buffer over-read issue in Bluetooth estack due to lack of check for invalid length of L2cap packet received from peer device. |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | QCA6390, QCN7605, QCS404, SA415M, SA515M, SC8180X, SDX55, SM8250 |
CVE-2020-11157
| CVE ID | CVE-2020-11157 |
| Title | Improper Input Validation in Bluetooth |
| Description | Lack of handling unexpected control messages while encryption was in progress can terminate the connection and thus leading to a DoS |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8053, APQ8076, MDM9640, MDM9650, MSM8905, MSM8917, MSM8937, MSM8940, MSM8953, QCA6174A, QCA9886, QCM2150, QM215, SDM429, SDM439, SDM450, SDM632 |
CVE-2020-11164
| CVE ID | CVE-2020-11164 |
| Title | Improper access control issue in Android performance |
| Description | Third-party app may also call the broadcasts in Perfdump and cause privilege escalation issue due to improper access control |
| Technology Area | Performance |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 05/08/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8909W, MSM8917, MSM8940, Nicobar, QCA6390, QCM2150, QCS605, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429W, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-11169
| CVE ID | CVE-2020-11169 |
| Title | Buffer Over-read Issue in Bluetooth |
| Description | Buffer over-read while processing received L2CAP packet due to lack of integer overflow check |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55 |
CVE-2020-11172
| CVE ID | CVE-2020-11172 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | fscanf reads a string from a file and stores its contents on a statically allocated stack memory which leads to stack overflow |
| Technology Area | WIN WLAN Host |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | IPQ4019, IPQ6018, IPQ8064, IPQ8074, QCA9531, QCA9980 |
CVE-2020-3638
| CVE ID | CVE-2020-3638 |
| Title | Improper Access Control Issue in Core |
| Description | An Unaligned address or size can propagate to the database due to improper page permissions and can lead to improper access control |
| Technology Area | Core |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, Bitra, Kamorta, QCA6390, QCS404, QCS610, Rennell, SA515M, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2020-3670
| CVE ID | CVE-2020-3670 |
| Title | Buffer Over-read Issue in Multi Mode Call Processor |
| Description | Potential out of bounds read while processing downlink NAS transport message due to improper length check of Information Element(IEI) NAS message container |
| Technology Area | Multi-Mode Call Processor |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCM6125, QCS605, QCS610, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-3678
| CVE ID | CVE-2020-3678 |
| Title | Buffer Copy Without Checking Size of Input in Core |
| Description | A buffer overflow could occur if the API is improperly used due to UIE init does not contain a buffer size a param |
| Technology Area | Core |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, Kamorta, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SXR1130 |
CVE-2020-3684
| CVE ID | CVE-2020-3684 |
| Title | Permissions, Privileges and Access Control issues in IPC |
| Description | QSEE reads the access permission policy for the SMEM TOC partition from the SMEM TOC contents populated by XBL Loader and applies them without validation |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, APQ8009, APQ8098, Bitra, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8998, Nicobar, QCA6390, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3690
| CVE ID | CVE-2020-3690 |
| Title | Improper Access Control in Core |
| Description | Due to an incorrect SMMU configuration, the modem crypto engine can potentially compromise the hypervisor |
| Technology Area | KERNEL |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Agatti, Bitra, Kamorta, Nicobar, QCA6390, QCS404, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3703
| CVE ID | CVE-2020-3703 |
| Title | Buffer Over-read Issue in Bluetooth Firmware(Sweyntooth 6.1,6.4) |
| Description | Buffer over-read issue in Bluetooth peripheral firmware due to lack of check for invalid opcode and length of opcode received from central device(This CVE is equivalent to Link Layer Length Overfow issue (CVE-2019-16336,CVE-2019-17519) and Silent Length Overflow issue(CVE-2019-17518) mentioned in sweyntooth paper) |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 02/13/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | APQ8053, APQ8076, AR9344, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8917, MSM8937, MSM8940, MSM8953, Nicobar, QCA6174A, QCA9377, QCM2150, QCM6125, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SC8180X, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-3704
| CVE ID | CVE-2020-3704 |
| Title | Improper Input Validation in Bluetooth Peripheral Firmware(Sweyntooth 6.5) |
| Description | While processing invalid connection request PDU which is nonstandard (interval or timeout is 0) from central device may lead peripheral system enter into dead lock state.(This CVE is equivalent to InvalidConnectionRequest(CVE-2019-19193) mentioned in sweyntooth paper) |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 02/13/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8009, APQ8017, APQ8053, AR9344, Bitra, IPQ5018, Kamorta, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA9377, QCA9886, QCM6125, QCN7605, QCS404, QCS405, QCS605, QCS610, QRB5165, Rennell, SA415M, SA515M, Saipan, SC7180, SC8180X, SDA845, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
* Data is generated only at the time of bulletin creation
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software
This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-11125 | High | HWEngines | Internal |
| CVE-2020-11162 | High | HWEngines | Internal |
| CVE-2020-11173 | High | DSP Service | 03/16/2020 |
| CVE-2020-11174 | High | DSP Service | 02/20/2020 |
This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-3693 | Medium | HLOS | 06/26/2019 |
| CVE-2020-3694 | Medium | HLOS | 06/26/2019 |
| CVE-2020-3696 | Medium | Qualcomm IPC | 12/19/2019 |
CVE-2020-11125
| CVE ID | CVE-2020-11125 |
| Title | Buffer Copy Without Checking Size of Input in Hardware Engines |
| Description | Out of bound access can happen in MHI command process due to lack of check of channel id value received from MHI devices |
| Technology Area | HWEngines |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8009, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9150, MDM9607, MDM9650, MSM8905, MSM8917, MSM8953, Nicobar, QCA6390, QCA9531, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, QRB5165, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2020-11162
| CVE ID | CVE-2020-11162 |
| Title | Buffer Copy Without Checking Size of Input in Hardware Engines |
| Description | Possible buffer overflow in MHI driver due to lack of input parameter validation of EOT events received from MHI device side |
| Technology Area | HWEngines |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (' Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8009, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MSM8917, MSM8953, Nicobar, QCA6390, QCM2150, QCS404, QCS405, QCS605, QM215, QRB5165, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-11173
| CVE ID | CVE-2020-11173 |
| Title | Use After Free Issue in DSP Services |
| Description | Two threads running simultaneously from user space can lead to race condition in fastRPC driver |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 03/16/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8053, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MSM8953, Nicobar, QCA6390, QCS404, QCS405, QCS610, Rennell, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM632, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-11174
| CVE ID | CVE-2020-11174 |
| Title | Improper Validation of Array Index in DSP Services |
| Description | Array index underflow issue in adsp driver due to improper check of channel id before used as array index. |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 02/20/2020 |
| Customer Notified Date | 07/06/2020 |
| Affected Chipsets* | Agatti, APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6390, QCA9531, QCM2150, QCS404, QCS405, QCS605, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2020-3693
| CVE ID | CVE-2020-3693 |
| Title | Use of Out-of-range Pointer Offset in QSEE |
| Description | Use out of range pointer issue can occur due to incorrect buffer range check during the execution of qseecom. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 06/26/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8098, Bitra, MSM8909W, MSM8996AU, Nicobar, QCM2150, QCS605, Saipan, SDM429W, SDX20, SM6150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-3694
| CVE ID | CVE-2020-3694 |
| Title | Use of Out-Of-Range Pointer Offset in HLOS |
| Description | Use out of range pointer issue can occur due to incorrect buffer range check during the execution of qseecom |
| Technology Area | HLOS |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 06/26/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | Bitra, Nicobar, Saipan, SM6150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-3696
| CVE ID | CVE-2020-3696 |
| Title | Use After Free Issue in WLAN Host |
| Description | Use after free while installing new security rule in ipcrtr as old one is deleted and this rule could still be in use for checking security permission for particular process |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 12/19/2019 |
| Customer Notified Date | 04/06/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8996AU, QCA4531, QCA6574AU, QCA9531, QCM2150, QCS605, SDM429W, SDX20, SDX24 |
| Patch* |
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | October 5, 2020 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
- Table of Contents
- Announcements
- Acknowledgements
- Proprietary Software Issues
- CVE-2020-11153
- CVE-2020-11154
- CVE-2020-11155
- CVE-2020-3654
- CVE-2020-3657
- CVE-2020-3673
- CVE-2020-3692
- CVE-2020-11114
- CVE-2020-11141
- CVE-2020-11156
- CVE-2020-11157
- CVE-2020-11164
- CVE-2020-11169
- CVE-2020-11172
- CVE-2020-3638
- CVE-2020-3670
- CVE-2020-3678
- CVE-2020-3684
- CVE-2020-3690
- CVE-2020-3703
- CVE-2020-3704
- Open Source Software Issues
- CVE-2020-11125
- CVE-2020-11162
- CVE-2020-11173
- CVE-2020-11174
- CVE-2020-3693
- CVE-2020-3694
- CVE-2020-3696
- Industry Coordination
- Version History
