SB2021050316 - Multiple vulnerabilities in Qualcomm chipsets
Published: May 3, 2021 Updated: May 20, 2021
Description
This security bulletin contains information about 20 security vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2021-1895)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an integer overflow during system boot when flushing an image. A local user can execute arbitrary code with elevated privileges.
2) Buffer overflow (CVE-ID: CVE-2020-11284)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in QTEE. Locked memory can be unlocked and modified by the non-secure boot loader through an improper system call sequence, making the memory region an untrusted source of input for the secure boot loader.
3) Detection of Error Condition Without Action (CVE-ID: CVE-2021-1906)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the Graphics component. A local user can trigger a new GPU address allocation failure and perform a denial of service attack.
Note, the vulnerability is being used in limited targeted attacks.
4) Use-after-free (CVE-ID: CVE-2021-1905)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Graphics component when handling memory mapping of multiple processes simultaneously. A local user can escalate privileges on the system.
Note, the vulnerability is being used in limited targeted attacks.
5) Use-after-free (CVE-ID: CVE-2021-1891)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the Audio component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
6) Double Free (CVE-ID: CVE-2021-1910)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Video component. A remote attacker can trick the victim into playing a specially crafted video file, trigger a double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
7) Out-of-bounds write (CVE-ID: CVE-2020-11289)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the TZ command handler within the Content Protection feature. A local user can pass a specially crafted command ID, trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
8) Out-of-bounds write (CVE-ID: CVE-2020-11288)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the Content Protection feature while processing commands. A local user can trigger an out-of-bounds write error in PlayReady and escalate privileges on the system.
9) Out-of-bounds read (CVE-ID: CVE-2020-11285)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Data Modem component when processing RTCP packets. A remote attacker can send specially crafted RTCP packets to the system, trigger an out-of-bounds read error and read contents of memory on the system.
10) Integer overflow (CVE-ID: CVE-2020-11279)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an integer overflow within the Modem component when processing crafted SDES packets. A remote attacker can pass specially crafted SDES packets to the system, trigger an integer overflow and gain access to sensitive information.
11) Buffer overflow (CVE-ID: CVE-2021-1915)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the WLAN component when processing NDP. A local user can trigger a buffer overflow and escalate privileges on the system.
12) Reachable Assertion (CVE-ID: CVE-2020-11274)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component caused by an invalid configuration. A remote attacker can perform a denial of service (DoS) attack.
13) Reachable Assertion (CVE-ID: CVE-2020-11273)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component. A histogram-type KPI is torn down on the assumption that histogram binning info exists; when the binning info is missing, the lack of a NULL check leads to a NULL pointer access.
14) Input validation error (CVE-ID: CVE-2020-11268)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the LTE implementation. Decoding a crafted SIB1 that schedules unsupported SIBs can cause a UE reset and lead to a remote denial of service.
15) Use-after-free (CVE-ID: CVE-2021-1927)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in DSP Services within the FastRPC driver. A local user can execute arbitrary code with elevated privileges.
16) Reachable Assertion (CVE-ID: CVE-2021-1925)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in WLAN when handling a group management action frame. A remote attacker can send specially crafted traffic to the system and perform a denial of service attack.
17) Buffer Over-read (CVE-ID: CVE-2020-11293)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a buffer over-read in Content Protection within the Widevine TA. A local privileged user can gain access to sensitive information.
18) Improper Validation of Array Index (CVE-ID: CVE-2020-11294)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper validation of an array index in the radio interface layer when logging data. A local user can escalate privileges on the system.
19) Use-after-free (CVE-ID: CVE-2020-11295)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the camera component if the thread manager is being cleaned up while the worker thread is still processing objects. A local user can escalate privileges on the system.
20) NULL pointer dereference (CVE-ID: CVE-2020-11254)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the DSP component. A local user can trigger a dereference of the session ctx pointer and perform a denial of service attack.
Remediation
Install updates from the vendor's website.
References
- https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin
- https://source.codeaurora.org/quic/le/kernel/lk/commit/?id=6dcf0c38be38b659405a618e2066c7abd218ef21
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit?id=2a576c81c8dfb800a239e60a1ee3352a0fb7...
- https://source.android.com/security/bulletin/2021-05-01
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=d236d315145f8250523ce9e14897d62e5d66...
- https://source.codeaurora.org/quic/qsdk/platform/vendor/opensource/audio-kernel/commit/?id=ee913fe2a44fce7f0e4b0a9ad261416eabcd4add
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=9e9faefbf372e00bbdb9752e3c48a96f1e0e4b81
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=85ecf9f98b520aa18e68ec426dc20fb63d02fd78
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=9900d61a478ba8403b0e3bf22cf50b18973bc3c1