SB2021080305 - Multiple vulnerabilities in Qualcomm chipsets


Published: August 3, 2021 Updated: August 3, 2021

Security Bulletin ID: SB2021080305
Severity: High
Patch available: Yes
Number of vulnerabilities: 19
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 37%, Medium: 5%, Low: 58%

Description

This security bulletin contains information about 19 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2020-11264)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in the WLAN Windows Host when processing non-EAPOL/WAPI plaintext frames during the four-way handshake. A remote attacker can bypass the authentication process and inject arbitrary network packets, leading to full compromise of the affected device.


2) Improper Authentication (CVE-ID: CVE-2020-11301)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error in WIGIG when processing unencrypted plaintext Wi-Fi frames in an encrypted network. A remote attacker can bypass the authentication process and gain access to sensitive information.


3) Buffer Over-read (CVE-ID: CVE-2021-1928)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an incorrect buffer-size check while flashing eMMC devices. An attacker with physical access to the device can perform a denial of service (DoS) attack.


4) Information disclosure (CVE-ID: CVE-2021-1904)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in the kernel graphics driver due to excessive data output from the parent process to a child process when numeric PIDs are compared and later reused. A local user can gain access to sensitive information.


5) Integer overflow (CVE-ID: CVE-2021-30260)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow in the WLAN Firmware when an extscan hostlist configuration command is received. A local user can pass specially crafted data to the system, trigger the integer overflow and execute arbitrary code with elevated privileges.



6) Use-after-free (CVE-ID: CVE-2021-1947)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the kernel graphics driver. A local user can run a specially crafted program to trigger the use-after-free error and execute arbitrary code with elevated privileges.


7) Buffer overflow (CVE-ID: CVE-2021-1972)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing device types during a P2P search in the WLAN HOST. A remote attacker can pass specially crafted data to the system, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1929)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a lack of strict validation of the bootmode in the Android_Core component. A local user can gain access to sensitive information.


9) Out-of-bounds read (CVE-ID: CVE-2021-1930)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the boot subsystem. A local user can trigger an out-of-bounds read error and read the contents of memory on the system.


10) Integer overflow (CVE-ID: CVE-2021-1916)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the Data Modem subsystem. A remote attacker can pass specially crafted data to the system, trigger the integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


11) Integer underflow (CVE-ID: CVE-2021-1919)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer underflow in the Data Modem when processing RTCP packets. A remote attacker can send a specially crafted packet to the affected system, trigger the integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


12) Integer underflow (CVE-ID: CVE-2021-1920)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer underflow in the Data Modem when processing RTCP packets. A remote attacker can send specially crafted traffic to the system, trigger the integer underflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


13) Infinite loop (CVE-ID: CVE-2021-1914)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the Data Modem subsystem. A remote attacker can send specially crafted traffic to the system and consume all available system resources, triggering a denial of service condition.


14) Type conversion (CVE-ID: CVE-2021-1923)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an incorrect pointer argument being passed to a trusted application (TA) in the HLOS subsystem. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.


15) Integer overflow (CVE-ID: CVE-2021-30261)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow in the WLAN Firmware when handling a beacon template update command from the HLOS. A local user can run a specially crafted program to trigger a heap overflow and execute arbitrary code with elevated privileges.


16) Use-after-free (CVE-ID: CVE-2021-1976)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when handling the P2P device address in a PD Request frame in the WLAN HOST. A remote attacker can send specially crafted traffic to the system, trigger the use-after-free error and execute arbitrary code.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


17) NULL pointer dereference (CVE-ID: CVE-2021-1939)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the kernel graphics driver when the preemption feature is toggled. A local user can run a specially crafted program and perform a denial of service (DoS) attack.


18) Use-after-free (CVE-ID: CVE-2021-1978)

The vulnerability allows a local attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when handling scheduled QMI callbacks at the time of deinitialization in the WLAN HOST. An attacker with physical access to the device can trigger the use-after-free error and compromise the affected device.



19) Information disclosure (CVE-ID: CVE-2020-24587)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Windows Wireless Networking. A remote attacker on the local network can gain unauthorized access to sensitive information on the system.


Remediation

Install the update from the vendor's website.