SB2021090616 - Multiple vulnerabilities in Qualcomm chipsets
Published: September 6, 2021 Updated: September 14, 2022
Description
This security bulletin contains information about 20 security vulnerabilities.
1) Buffer Over-read (CVE-ID: CVE-2021-1941)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper length check on WPA IE string sent by peer within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.
2) Buffer Over-read (CVE-ID: CVE-2021-1948)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of length check of data while parsing the beacon or probe response within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.
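Entries 1 and 2 both come down to a missing length check while walking the information-element (IE) list of a management frame. The following C program is an added illustration written for this page, not Qualcomm's code and not the code referenced by the bulletin's commit links; it shows the defensive pattern: validate each IE's declared length against the bytes actually remaining in the frame before touching the payload. The two byte strings (`good_ies`, `truncated_ies`) are constructed samples, and the stats callback is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* 802.11 information elements are TLVs: 1-byte element ID, 1-byte length,
 * then `length` bytes of payload. A WPA IE is a vendor-specific element
 * (ID 0xDD) whose payload starts with OUI 00:50:F2 and type 0x01. */
#define IE_ID_SSID   0x00
#define IE_ID_VENDOR 0xDD

enum ie_walk_result { IE_OK = 0, IE_TRUNCATED = 1 };

typedef struct {
    uint8_t id;
    uint8_t len;
    const uint8_t *data;
} ie_t;

/* Walk the IE list in [buf, buf + buf_len) and call cb for each well-formed IE.
 * Returns IE_OK when the list ends exactly at the buffer end, IE_TRUNCATED when
 * an IE header or its declared payload would extend past the buffer. The
 * declared length is compared with the bytes that remain *before* the payload
 * pointer is handed out, which is the check the bulletin describes as missing. */
static int walk_ies(const uint8_t *buf, size_t buf_len,
                    void (*cb)(const ie_t *, void *), void *ctx)
{
    size_t off = 0;
    while (off < buf_len) {
        if (buf_len - off < 2)            /* not even a full ID+length header */
            return IE_TRUNCATED;
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];
        if (len > buf_len - off - 2)      /* payload would overrun the frame */
            return IE_TRUNCATED;
        ie_t ie = { id, len, buf + off + 2 };
        if (cb)
            cb(&ie, ctx);
        off += 2 + (size_t)len;
    }
    return IE_OK;
}

/* Hypothetical consumer: count IEs and note whether a WPA vendor IE is present. */
typedef struct { int count; bool wpa_seen; } stats_t;

static void count_cb(const ie_t *ie, void *ctx)
{
    static const uint8_t wpa_oui_type[] = { 0x00, 0x50, 0xF2, 0x01 };
    stats_t *s = ctx;
    s->count++;
    if (ie->id == IE_ID_VENDOR && ie->len >= sizeof wpa_oui_type &&
        memcmp(ie->data, wpa_oui_type, sizeof wpa_oui_type) == 0)
        s->wpa_seen = true;
}

/* Constructed sample: SSID "ab" followed by a WPA IE whose 6-byte payload is
 * fully present in the buffer. */
static const uint8_t good_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xDD, 0x06, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00,
};

/* Constructed sample: same SSID, then a WPA IE that declares 24 bytes of
 * payload while only 4 remain. An unchecked parser would read past the frame. */
static const uint8_t truncated_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xDD, 0x18, 0x00, 0x50, 0xF2, 0x01,
};

int parse_good(stats_t *s)
{
    memset(s, 0, sizeof *s);
    return walk_ies(good_ies, sizeof good_ies, count_cb, s);
}

int parse_truncated(stats_t *s)
{
    memset(s, 0, sizeof *s);
    return walk_ies(truncated_ies, sizeof truncated_ies, count_cb, s);
}

int main(void)
{
    stats_t s;
    int r = parse_good(&s);
    printf("good: result=%d ies=%d wpa=%d\n", r, s.count, s.wpa_seen);
    r = parse_truncated(&s);
    printf("truncated: result=%d ies=%d wpa=%d\n", r, s.count, s.wpa_seen);
    return 0;
}
```

The point of the structure is that `len` is never trusted on its own: the remaining-length arithmetic is done on `size_t` values that are already known to be at least 2, so it cannot underflow, and the callback only ever sees a payload pointer whose full extent lies inside the received frame. A truncated list is reported as an error for the whole frame rather than silently dropping the last element, which makes such frames visible in driver logs and counters.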
3) Buffer Over-read (CVE-ID: CVE-2021-1971)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of physical layer state validation within the WLAN HAL. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.
4) Buffer Over-read (CVE-ID: CVE-2021-1974)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to lack of alignment between map or unmap length of IPA SMMU and WLAN SMMU within the WLAN Host Communication component. A remote attacker can send specially crafted data to the system and perform a denial of service (DoS) attack.
5) Buffer overflow (CVE-ID: CVE-2021-30295)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of local variable while storing current task information locally within the DSP Service. A local user can perform a denial of service attack or corrupt files on the system.
6) Buffer overflow (CVE-ID: CVE-2021-1961)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to lack of offset length check while updating the buffer value within the HLOS component. A local user can execute arbitrary code with elevated privileges.
7) Buffer overflow (CVE-ID: CVE-2021-1962)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error while processing IOCTL for getting peripheral endpoint information within the Data Network Stack & Connectivity component. A local user can execute arbitrary code with elevated privileges.
8) Use-after-free (CVE-ID: CVE-2021-1963)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by the lack of validation of the rule count in the filter table of the IPA driver within the Data Network Stack & Connectivity component. A local user can escalate privileges on the system.
9) Improper Validation of Array Index (CVE-ID: CVE-2021-1933)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper validation of invite message with SDP body within the Data Modem component. A remote attacker can send specially crafted data to the system, trigger memory corruption and execute arbitrary code on the system.
10) NULL pointer dereference (CVE-ID: CVE-2021-1946)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a NULL pointer dereference error while processing crafted SDP body within the Data Modem component. A remote attacker can send specially crafted data to the system and execute arbitrary code.
11) Buffer overflow (CVE-ID: CVE-2021-1909)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to lack of length check of parameters passed from trusted applications within the Core component. A local application can trigger a buffer overflow and execute arbitrary code with elevated privileges.
12) Double Free (CVE-ID: CVE-2021-1934)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists within Digital Rights Management in Content Protection due to an improper check when the application loader object is explicitly destructed while the application is unloading. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
13) NULL pointer dereference (CVE-ID: CVE-2021-1935)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error during key import in HLOS component. A local user can pass specially crafted data to the system and perform a denial of service (DoS) attack.
14) Buffer overflow (CVE-ID: CVE-2021-1952)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Boot subsystem. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
15) Improper access control (CVE-ID: CVE-2021-1956)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of an ASB-U packet with L2CAP channel ID by the slave host. A remote attacker within physical proximity of the device can interfere with the piconet and perform a denial of service (DoS) attack.
16) Input validation error (CVE-ID: CVE-2021-1960)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of ASB-C broadcast packets with crafted opcode in LMP in BT Controller. A remote attacker can pass specially crafted input to the system and perform a denial of service (DoS) attack.
17) NULL pointer dereference (CVE-ID: CVE-2021-30290)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error caused by race condition between timeline fence signal and time line fence destroy in Graphics subsystem. A local user can perform a denial of service (DoS) attack.
18) NULL pointer dereference (CVE-ID: CVE-2021-30294)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in KGSL GPU auxiliary command within the Graphics subsystem. A local user can perform a denial of service (DoS) attack.
19) Improper access control (CVE-ID: CVE-2021-1957)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access control when ACL link encryption fails and the ACL link is not disconnected during reconnection with a paired device. A local user can perform a denial of service (DoS) attack.
20) Use-after-free (CVE-ID: CVE-2021-1958)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by a race condition in fastrpc kernel driver for dynamic process creation in DSP Service. A local user can escalate privileges on the system.
Remediation
Install updates from the vendor's website.
References
- https://www.qualcomm.com/company/product-security/bulletins/september-2021-bulletin
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commi...
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=26811bdd06af486d49ce37c4cd9c2ba72c85fa2c
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=b4462910f414ffa2ad40e19d400e389c13ac6001
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=d10dd6666567d84d7c753931059d827014442ebf
- https://source.codeaurora.org/quic/le/kernel/msm-4.19/commit/?id=edc0db63de9a0a7375bf05fafda3d47b558fd9ff
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=5e61390954d13d1747acb1d8b25e2f3bd454d0e6
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=df756eb12f5dacddefffd163f80d902c6a792262
- https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=77d80f4d6092c9319ccf47d5c10c58dc43fbed22
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=cd91e17ce72ee9a0c13f35b81143c26054632e85
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=08481e28e2b16467b3ee35dbce3289c38624ea48
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=d6876813add62f3cac7c429a41cc8710005d69e8
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/system/bt/commit/?id=91aad9e40bc8332a0241e88c2e100eff8851cc98
- https://source.codeaurora.org/quic/le/platform/system/bt/commit/?id=0e713342ba8e9f96a0ffcc7accb631e41d10aa0f
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=ac2db530fb55334be2f5cb3950ad89fb59cc6b75