SB2021040501 - Multiple vulnerabilities in Qualcomm chipsets
Published: April 5, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2020-11234)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Data HLOS when sending a socket event message to a user application. A malicious application can pass invalid information, if socket is freed by another thread, trigger a use-after-free error and escalate privileges on the system.
2) Double Free (CVE-ID: CVE-2020-11246)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Digital Rights Management when the device moves to suspend mode during secure playback. A malicious application can can trigger a double free error and execute arbitrary code with elevated privileges.
3) Buffer overflow (CVE-ID: CVE-2021-1892)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error while processing nonstandard IO control in WLAN. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.
4) Double Free (CVE-ID: CVE-2020-11231)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in GPS HLOS Driver. Two threads call one or both functions concurrently leading to
corruption of pointers and reference counters which in turn can lead to
heap corruption. A malicious application can trigger double free error and execute arbitrary code with elevated privileges.
5) Buffer overflow (CVE-ID: CVE-2020-11210)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in RPM region due to improper XPU configuration. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.
6) Out-of-bounds read (CVE-ID: CVE-2020-11191)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists due to a boundary condition when processing SDP packets in Data Modem. A remote attacker can send specially crafted SDP packets to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.
7) Buffer overflow (CVE-ID: CVE-2020-11236)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to invalid value of total dimension in the non-histogram type KPI in Modem. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.
8) Buffer overflow (CVE-ID: CVE-2020-11237)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in Modem when accessing histogram type KPI input received due to lack of check of histogram definition before accessing it. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.
9) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2020-11242)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect argument into address range validation api used in SDI to capture requested contents. A local user can gain access to secure memory and elevate privileges on the system.
10) Detection of Error Condition Without Action (CVE-ID: CVE-2020-11243)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in LTE module due to RRC sends a connection establishment success to NAS even though connection setup validation returns failure. A remote attacker can perform a denial of service attack.
11) Integer overflow (CVE-ID: CVE-2020-11245)
The vulnerability allows a local user to escalate privileges on the system
The vulnerability exists due to unintended reads and writes by NS EL2 in access control driver. A malicious application can trigger integer overflow and execute arbitrary code with elevated privileges.
12) Out-of-bounds read (CVE-ID: CVE-2020-11247)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists due to a boundary condition while unpacking data in Data Modem. A remote attacker can send specially crafted packets to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.
13) Out-of-bounds read (CVE-ID: CVE-2020-11251)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.The vulnerability exists due to a boundary condition when processing DTMF payload in Data Modem. A remote attacker can send specially crafted data to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.
14) Improper access control (CVE-ID: CVE-2020-11252)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions during trustzone initialization, as xPU get disabled when memory dumps are enabled. A local user can gain access to sensitive information on the system.
15) Memory leak (CVE-ID: CVE-2020-11255)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak when processing RTCP packets containing multiple SDES reports in Data Modem. A remote attacker can send specially crafted RTCP packets to the system and perform denial of service attack.
Remediation
Install update from vendor's website.
References
- https://www.qualcomm.com/company/product-security/bulletins/april-2021-bulletin
- https://source.codeaurora.org/quic/la/kernel/msm-4.19/commit/?id=76a699e746c9b3a1494597a6756ff21fc84b48e4
- https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=82561910f1048593dced3f44243494596972586b
- https://source.codeaurora.org/quic/le/platform/hardware/qcom/gps/commit/?id=a06bbe8aa633e00c195866a8416ac9181c1fb652