October 2020 Security Bulletin

Version 1.0

Published: 10/05/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to security bulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Announcements
Acknowledgements
Proprietary Software Issues
Open Source Software Issues
Industry Coordination
Version History

Announcements

None

Acknowledgements

CVE-2020-11114, CVE-2020-3703, CVE-2020-3704: Matheus E. Garbelini, Sudipta Chattopadhyay and Chundong Wang, Singapore University of Technology and Design
CVE-2020-11164: An external reporter reported it to Xiaomi who reported it to us.
CVE-2020-11173, CVE-2020-11174: Jun Yao (姚俊) (@_2freeman) and Guang Gong (@oldfresher) of 360 Alpha Lab working with 360 BugCloud (https://bugcloud.360.cn/)
CVE-2020-3693, CVE-2020-3694: Ben Hutchings of Codethink Ltd
CVE-2020-3696: 2freeman

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.

Public ID       Security Rating  Technology Area                    Date Reported
CVE-2020-11153  Critical         BT Controller                      Internal
CVE-2020-11154  Critical         BT Controller                      Internal
CVE-2020-11155  Critical         BT Controller                      Internal
CVE-2020-3654   Critical         Data Network Stack & Connectivity  Internal
CVE-2020-3657   Critical         Data Network Stack & Connectivity  06/30/2020
CVE-2020-3673   Critical         Data Network Stack & Connectivity  Internal
CVE-2020-3692   Critical         Data Modem                         Internal
CVE-2020-11114  High             BT Controller                      02/13/2020
CVE-2020-11141  High             BT Controller                      Internal
CVE-2020-11156  High             BT Controller                      Internal
CVE-2020-11157  High             BT Controller                      Internal
CVE-2020-11164  High             Performance                        05/08/2020
CVE-2020-11169  High             BT Controller                      Internal
CVE-2020-11172  High             WIN WLAN Host                      Internal
CVE-2020-3638   High             Core                               Internal
CVE-2020-3670   High             Multi-Mode Call Processor          Internal
CVE-2020-3678   High             Core                               Internal
CVE-2020-3684   High             Qualcomm IPC                       Internal
CVE-2020-3690   High             KERNEL                             Internal
CVE-2020-3703   High             BT Controller                      02/13/2020
CVE-2020-3704   High             BT Controller                      02/13/2020

CVE-2020-11153

CVE ID CVE-2020-11153
Title Buffer Copy Without Checking Size of Input in Bluetooth
Description Out-of-bounds memory access while processing received GATT data, due to a missing check of the PDU data length, which can lead to remote code execution.
Technology Area BT Controller
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8053, QCA6390, QCA9379, QCN7605, SC8180X, SDX55

CVE-2020-11154

CVE ID CVE-2020-11154
Title Buffer Copy Without Checking Size of Input in Bluetooth
Description Buffer overflow while processing a crafted PDU data packet in Bluetooth, due to a missing check of the buffer size before copying.
Technology Area BT Controller
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55

CVE-2020-11155

CVE ID CVE-2020-11155
Title Buffer Copy Without Checking Size of Input in Bluetooth
Description Buffer overflow while processing a PDU packet in Bluetooth, due to a missing check of the buffer length before copying into it.
Technology Area BT Controller
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55

CVE-2020-3654

CVE ID CVE-2020-3654
Title Improper Validation of Array Index in Data HLOS
Description Buffer overflow while processing a SIP message packet, due to a missing index validation check before copying into the buffer.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6390, QCA6574AU, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3657

CVE ID CVE-2020-3657
Title Buffer Copy Without Checking Size of Input in HLOS Data
Description Remote code execution can occur via a carefully crafted POST request when the device configuration is accessed from a tethered client through the web server, due to a missing array bounds check.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported 06/30/2020
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6574AU, QCS405, QCS610, QRB5165, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8250

CVE-2020-3673

CVE ID CVE-2020-3673
Title Improper Validation of Array Index in HLOS Data
Description Buffer overflow can occur during SIP message packet processing while storing values in an array, due to a missing check validating the index length.
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, APQ8053, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, Nicobar, QCA6390, QCA6574AU, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3692

CVE ID CVE-2020-3692
Title Buffer Copy Without Checking Size of Input in Data Modem
Description Possible buffer overflow while updating the output buffer for the IMEI and gateway address, due to missing input validation of parameters received from the server.
Technology Area Data Modem
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, Kamorta, Nicobar, QCM6125, QCS610, Rennell, SA415M, Saipan, SC7180, SC8180X, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-11114

CVE ID CVE-2020-11114
Title Buffer Over-read Issue in Bluetooth Driver (SweynTooth issues 6.2, 6.3)
Description Bluetooth devices do not properly restrict the L2CAP payload length, allowing users in radio range to cause a buffer overflow via a crafted Link Layer packet (equivalent to CVE-2019-17060, CVE-2019-17061 and CVE-2019-17517 in the SweynTooth paper).
Technology Area BT Controller
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 02/13/2020
Customer Notified Date 07/06/2020
Affected Chipsets* AR9344

CVE-2020-11141

CVE ID CVE-2020-11141
Title Improper Input Validation in Bluetooth
Description Buffer over-read in the Bluetooth estack due to a missing check for an invalid length of an L2CAP configuration request received from a peer device.
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8009, APQ8053, QCA6390, QCN7605, SA415M, SA515M, SC8180X, SDX55, SM8250

CVE-2020-11156

CVE ID CVE-2020-11156
Title Improper Input Validation in Bluetooth
Description Buffer over-read in the Bluetooth estack due to a missing check for an invalid length of an L2CAP packet received from a peer device.
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* QCA6390, QCN7605, QCS404, SA415M, SA515M, SC8180X, SDX55, SM8250

CVE-2020-11157

CVE ID CVE-2020-11157
Title Improper Input Validation in Bluetooth
Description Lack of handling of unexpected control messages while encryption is in progress can terminate the connection, leading to a DoS.
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8053, APQ8076, MDM9640, MDM9650, MSM8905, MSM8917, MSM8937, MSM8940, MSM8953, QCA6174A, QCA9886, QCM2150, QM215, SDM429, SDM439, SDM450, SDM632

CVE-2020-11164

CVE ID CVE-2020-11164
Title Improper access control issue in Android performance
Description A third-party app may call the broadcasts in Perfdump and cause a privilege escalation, due to improper access control.
Technology Area Performance
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported 05/08/2020
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8096AU, APQ8098, Bitra, Kamorta, MSM8909W, MSM8917, MSM8940, Nicobar, QCA6390, QCM2150, QCS605, Rennell, SA6155P, SA8155P, Saipan, SDA660, SDM429W, SDM450, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-11169

CVE ID CVE-2020-11169
Title Buffer Over-read Issue in Bluetooth
Description Buffer over-read while processing a received L2CAP packet, due to a missing integer overflow check.
Technology Area BT Controller
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8009, APQ8053, QCA6390, QCN7605, QCN7606, SA415M, SA515M, SA6155P, SA8155P, SC8180X, SDX55

CVE-2020-11172

CVE ID CVE-2020-11172
Title Buffer Copy Without Checking Size of Input in WLAN
Description fscanf reads a string from a file and stores its contents in a fixed-size buffer on the stack, which leads to a stack overflow.
Technology Area WIN WLAN Host
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* IPQ4019, IPQ6018, IPQ8064, IPQ8074, QCA9531, QCA9980
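
The fscanf pattern named in this description, as an added example that is not Qualcomm's code (the bulletin does not show the actual CVE-2020-11172 source): the unbounded "%s" read beside a bounded read whose width is generated from the buffer size and which reports truncation instead of silently continuing. sscanf over an in-memory string stands in for fscanf over a file; TOKEN_CAP and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_CAP 16   /* assumed size of the fixed stack buffer */

/* Vulnerable shape (as described for CVE-2020-11172): "%s" carries no width,
 * so a token longer than TOKEN_CAP-1 bytes is written past the end of the
 * caller's buffer. Shown for comparison only; never fed long input here. */
int read_token_unbounded(const char *image, char out[TOKEN_CAP])
{
    return sscanf(image, "%s", out) == 1;   /* BUG: no width limit */
}

/* Hardened shape: the width is generated from TOKEN_CAP, so the scanner stops
 * after TOKEN_CAP-1 bytes and NUL-terminates. "%n" records how many bytes
 * were consumed, which lets the caller detect (and reject) a truncated token
 * instead of continuing with a partial value.
 * Returns 1 = token read, 0 = no token, -1 = token too long for the buffer. */
int read_token_bounded(const char *image, char out[TOKEN_CAP])
{
    char fmt[16];
    int consumed = 0;

    /* builds "%15s%n" so the width and the buffer size cannot drift apart */
    snprintf(fmt, sizeof fmt, "%%%ds%%n", TOKEN_CAP - 1);
    if (sscanf(image, fmt, out, &consumed) != 1)
        return 0;
    /* the byte after the token must be a separator or the end of the data;
     * anything else means the token was cut off at the width limit */
    if (image[consumed] != '\0' && !isspace((unsigned char)image[consumed]))
        return -1;
    return 1;
}
```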

CVE-2020-3638

CVE ID CVE-2020-3638
Title Improper Access Control Issue in Core
Description An unaligned address or size can propagate to the database due to improper page permissions, which can lead to improper access control.
Technology Area Core
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, Bitra, Kamorta, QCA6390, QCS404, QCS610, Rennell, SA515M, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

CVE-2020-3670

CVE ID CVE-2020-3670
Title Buffer Over-read Issue in Multi Mode Call Processor
Description Potential out-of-bounds read while processing a downlink NAS transport message, due to an improper length check of the NAS message container Information Element (IEI).
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909W, MSM8917, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCM6125, QCS605, QCS610, QM215, Rennell, SA415M, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3678

CVE ID CVE-2020-3678
Title Buffer Copy Without Checking Size of Input in Core
Description A buffer overflow could occur if the API is misused, because UIE init does not take a buffer size parameter.
Technology Area Core
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, Kamorta, QCS404, QCS605, SDA845, SDM670, SDM710, SDM845, SXR1130

CVE-2020-3684

CVE ID CVE-2020-3684
Title Permissions, Privileges and Access Control issues in IPC
Description QSEE reads the access permission policy for the SMEM TOC partition from the SMEM TOC contents populated by XBL Loader and applies it without validation.
Technology Area Qualcomm IPC
Vulnerability Type CWE-264 Permissions, Privileges, and Access Controls
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, APQ8009, APQ8098, Bitra, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8905, MSM8998, Nicobar, QCA6390, QCS404, QCS405, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3690

CVE ID CVE-2020-3690
Title Improper Access Control in Core
Description Due to an incorrect SMMU configuration, the modem crypto engine can potentially compromise the hypervisor.
Technology Area KERNEL
Vulnerability Type CWE-284 Improper Access Control
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 04/06/2020
Affected Chipsets* Agatti, Bitra, Kamorta, Nicobar, QCA6390, QCS404, QCS605, QCS610, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3703

CVE ID CVE-2020-3703
Title Buffer Over-read Issue in Bluetooth Firmware (SweynTooth 6.1, 6.4)
Description Buffer over-read in Bluetooth peripheral firmware due to a missing check for an invalid opcode and opcode length received from the central device (this CVE is equivalent to the Link Layer Length Overflow issue (CVE-2019-16336, CVE-2019-17519) and the Silent Length Overflow issue (CVE-2019-17518) described in the SweynTooth paper).
Technology Area BT Controller
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Remote
Security Rating High
Date Reported 02/13/2020
Customer Notified Date 07/06/2020
Affected Chipsets* APQ8053, APQ8076, AR9344, Bitra, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8917, MSM8937, MSM8940, MSM8953, Nicobar, QCA6174A, QCA9377, QCM2150, QCM6125, QCS404, QCS405, QCS605, QCS610, QM215, Rennell, SC8180X, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3704

CVE ID CVE-2020-3704
Title Improper Input Validation in Bluetooth Peripheral Firmware (SweynTooth 6.5)
Description Processing a nonstandard, invalid connection request PDU (interval or timeout is 0) from the central device may cause the peripheral system to enter a deadlock state (this CVE is equivalent to the Invalid Connection Request issue (CVE-2019-19193) described in the SweynTooth paper).
Technology Area BT Controller
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Remote
Security Rating High
Date Reported 02/13/2020
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8009, APQ8017, APQ8053, AR9344, Bitra, IPQ5018, Kamorta, MDM9607, MDM9640, MDM9650, MSM8996AU, Nicobar, QCA6174A, QCA6390, QCA6574AU, QCA9377, QCA9886, QCM6125, QCN7605, QCS404, QCS405, QCS605, QCS610, QRB5165, Rennell, SA415M, SA515M, Saipan, SC7180, SC8180X, SDA845, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

* Data is generated only at the time of bulletin creation

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.

Public ID       Security Rating  Technology Area  Date Reported
CVE-2020-11125  High             HWEngines        Internal
CVE-2020-11162  High             HWEngines        Internal
CVE-2020-11173  High             DSP Service      03/16/2020
CVE-2020-11174  High             DSP Service      02/20/2020

This table lists moderate-severity security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID       Security Rating  Technology Area  Date Reported
CVE-2020-3693   Medium           HLOS             06/26/2019
CVE-2020-3694   Medium           HLOS             06/26/2019
CVE-2020-3696   Medium           Qualcomm IPC     12/19/2019

CVE-2020-11125

CVE ID CVE-2020-11125
Title Buffer Copy Without Checking Size of Input in Hardware Engines
Description Out-of-bounds access can occur in MHI command processing, due to a missing check of the channel ID value received from MHI devices.
Technology Area HWEngines
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8009, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9150, MDM9607, MDM9650, MSM8905, MSM8917, MSM8953, Nicobar, QCA6390, QCA9531, QCM2150, QCS404, QCS405, QCS605, QCS610, QM215, QRB5165, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2020-11162

CVE ID CVE-2020-11162
Title Buffer Copy Without Checking Size of Input in Hardware Engines
Description Possible buffer overflow in the MHI driver, due to missing input parameter validation of EOT events received from the MHI device side.
Technology Area HWEngines
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8009, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MSM8917, MSM8953, Nicobar, QCA6390, QCM2150, QCS404, QCS405, QCS605, QM215, QRB5165, Rennell, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-11173

CVE ID CVE-2020-11173
Title Use After Free Issue in DSP Services
Description Two threads running simultaneously from user space can lead to a race condition in the fastRPC driver.
Technology Area DSP Service
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported 03/16/2020
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8053, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MSM8953, Nicobar, QCA6390, QCS404, QCS405, QCS610, Rennell, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDA845, SDM429, SDM429W, SDM632, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-11174

CVE ID CVE-2020-11174
Title Improper Validation of Array Index in DSP Services
Description Array index underflow in the ADSP driver, due to an improper check of the channel ID before it is used as an array index.
Technology Area DSP Service
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported 02/20/2020
Customer Notified Date 07/06/2020
Affected Chipsets* Agatti, APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, Bitra, IPQ4019, IPQ5018, IPQ6018, IPQ8064, IPQ8074, Kamorta, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6390, QCA9531, QCM2150, QCS404, QCS405, QCS605, SA415M, SA515M, SA6155P, SA8155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM8150, SM8250, SXR1130, SXR2130
Patch*

CVE-2020-3693

CVE ID CVE-2020-3693
Title Use of Out-of-range Pointer Offset in QSEE
Description An out-of-range pointer use can occur due to an incorrect buffer range check during the execution of qseecom.
Technology Area HLOS
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 06/26/2019
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8098, Bitra, MSM8909W, MSM8996AU, Nicobar, QCM2150, QCS605, Saipan, SDM429W, SDX20, SM6150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3694

CVE ID CVE-2020-3694
Title Use of Out-Of-Range Pointer Offset in HLOS
Description An out-of-range pointer use can occur due to an incorrect buffer range check during the execution of qseecom.
Technology Area HLOS
Vulnerability Type CWE-823 Use of Out-of-range Pointer Offset
Access Vector Local
Security Rating Medium
Date Reported 06/26/2019
Customer Notified Date 04/06/2020
Affected Chipsets* Bitra, Nicobar, Saipan, SM6150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3696

CVE ID CVE-2020-3696
Title Use After Free Issue in WLAN Host
Description Use after free while installing a new security rule in ipcrtr: the old rule is deleted while it may still be in use for checking the security permission of a particular process.
Technology Area Qualcomm IPC
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 12/19/2019
Customer Notified Date 04/06/2020
Affected Chipsets* APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8996AU, QCA4531, QCA6574AU, QCA9531, QCM2150, QCS605, SDM429W, SDX20, SDX24
Patch*

* Data is generated only at the time of bulletin creation

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux that are not enforced on some platforms

  • Differences in the assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version Date Comments
1.0 October 5, 2020 Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.

References to "Qualcomm" may mean Qualcomm Incorporated, or subsidiaries or business units within the Qualcomm corporate structure, as applicable.

Qualcomm Incorporated includes Qualcomm's licensing business, QTL, and the vast majority of its patent portfolio. Qualcomm Technologies, Inc., a wholly-owned subsidiary of Qualcomm Incorporated, operates, along with its subsidiaries, substantially all of Qualcomm's engineering, research and development functions, and substantially all of its products and services businesses. Qualcomm products referenced on this page are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Materials that are as of a specific date, including but not limited to press releases, presentations, blog posts and webcasts, may have been superseded by subsequent events or disclosures.

Nothing in these materials is an offer to sell any of the components or devices referenced herein.