September 2020 Security Bulletin

Version 1.0

Published: 09/08/2020

This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.

Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.

Table of Contents

Acknowledgements:
Proprietary Software Issues:
Open Source Software Issues:
Industry Coordination:
Version History:

Announcements

None

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.  

CVE-2020-3674: Yanfeng Wang of C0RE Team, Qihoo 360 Technology Co. Ltd.
CVE-2020-3679: Hayawardh Vijayakumar; Lee Harrison

Proprietary Software Issues

The tables below summarize security vulnerabilities that were addressed through proprietary software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2020-3634 | Critical | Multi-Mode Call Processor | Internal
CVE-2020-11129 | High | Camera Driver | Internal
CVE-2020-11135 | High | Audio | Internal
CVE-2020-3617 | High | Core | Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2020-3679 | Medium | QTEE | 10/16/2019

CVE-2020-3634

CVE ID CVE-2020-3634
Title Integer Underflow Issue in Multi Mode Call Processor
Description Multiple read overflow issues due to an improper length check while decoding Generic NAS transport/EMM info
Technology Area Multi-Mode Call Processor
Vulnerability Type CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector Remote
Security Rating Critical
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QCS610, QM215, Rennell, SA415M, Saipan, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130

CVE-2020-11129

CVE ID CVE-2020-11129
Title Use After Free Issues in Camera
Description When an error occurs in a capture request, the buffer is freed and later accessed, causing the camera app to fail due to a memory use-after-free
Technology Area Camera Driver
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/01/2020
Affected Chipsets* Bitra, Kamorta, QCS605, Saipan, SDM710, SM8250, SXR2130

CVE-2020-11135

CVE ID CVE-2020-11135
Title Reachable Assertion Issues in Audio
Description Reachable assertion when wrong data size is returned by parser for ape clips
Technology Area Audio
Vulnerability Type CWE-617 Reachable Assertion
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 06/01/2020
Affected Chipsets* APQ8098, Kamorta, MSM8917, MSM8953, Nicobar, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

CVE-2020-3617

CVE ID CVE-2020-3617
Title Buffer Over-read Issue in Q6 testbus framework
Description Buffer over-read issue in the Q6 testbus framework because the diag packet length is not completely validated before the field is accessed, leading to information disclosure.
Technology Area Core
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 03/02/2020
Affected Chipsets* Kamorta, Nicobar, QCS605, QCS610, Rennell, SC7180, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SXR1130

CVE-2020-3679

CVE ID CVE-2020-3679
Title Information Exposure in QTEE
Description During execution after Address Space Layout Randomization is turned on for QTEE, part of the code, including code segments, is still mapped at a known address
Technology Area QTEE
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 10/16/2019
Customer Notified Date 03/02/2020
Affected Chipsets* Bitra, Kamorta, Nicobar, QCS404, QCS610, Rennell, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130

* Data is generated only at the time of bulletin creation.

Open Source Software Issues

The tables below summarize security vulnerabilities that were addressed through open source software.

This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2020-11124 | High | Core Services | Internal
CVE-2020-3656 | High | HWEngines | Internal

This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.

Public ID | Security Rating | Technology Area | Date Reported
CVE-2020-3674 | Medium | DSP Service | 11/07/2019

CVE-2020-11124

CVE ID CVE-2020-11124
Title Use After Free Issues in Diag Services
Description Possible use-after-free while accessing diag client map table since list can be reallocated due to exceeding max client limit.
Technology Area Core Services
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/01/2020
Affected Chipsets* MDM9607, Nicobar, QCS404, QCS405, QCS610, Rennell, SA6155P, SA8155P, Saipan, SC8180X, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3656

CVE ID CVE-2020-3656
Title Buffer Copy Without Checking Size of Input in Hardware Engines
Description Out of bound access can happen in MHI command process due to lack of check of command channel id value received from MHI devices
Technology Area HWEngines
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/01/2020
Affected Chipsets* APQ8009, Kamorta, MDM9607, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130
Patch*

CVE-2020-3674

CVE ID CVE-2020-3674
Title Information Exposure in DSP Services
Description Information can leak into user space due to improper transfer of data from kernel to userspace
Technology Area DSP Service
Vulnerability Type CWE-200 Information Exposure
Access Vector Local
Security Rating Medium
Date Reported 11/07/2019
Customer Notified Date 03/02/2020
Affected Chipsets* Nicobar, QCS405, Saipan, SC8180X, SDX55, SM8150, SM8250, SXR2130
Patch*

* Data is generated only at the time of bulletin creation.

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms
  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel

Version History

Version | Date | Comments
1.0 | September 8, 2020 | Bulletin Published

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.

Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.

This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.

©2020 Qualcomm Technologies, Inc. and/or its affiliated companies.
