SB2022051210 - Multiple vulnerabilities in Qualcomm chipsets
Published: May 12, 2022 Updated: June 14, 2024
Breakdown by Severity (chart not preserved in this copy; categories: Low, Medium, High, Critical)
Description
This security bulletin contains information about 23 security vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2021-35076)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the LTE component. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Buffer Over-read (CVE-ID: CVE-2022-22065)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a buffer over-read error in the WLAN HOST component. A remote attacker can trigger a buffer over-read error and cause a denial of service.
3) Buffer Over-read (CVE-ID: CVE-2022-22064)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a buffer over-read error in the WLAN HOST component. A remote attacker can trigger a buffer over-read error and cause a denial of service.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-35079)
The vulnerability allows a local application to cause a denial of service.
The vulnerability exists due to a lack of size validation while unpacking a frame in the WLAN HOST component. A local application can cause a denial of service.
5) Input validation error (CVE-ID: CVE-2021-35116)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the Android Neural Networks component. A local application can load a crafted model into the CDSP and perform a denial of service (DoS) attack.
6) Input validation error (CVE-ID: CVE-2021-35096)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper memory allocation during counter check DLM handling. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
7) Improper Authorization (CVE-ID: CVE-2021-35094)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper verification of timeout-based authentication in the HLOS component. A local application can escalate privileges on the system.
8) NULL pointer dereference (CVE-ID: CVE-2021-35087)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of the system information message to be processed in the Modem component. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
9) NULL pointer dereference (CVE-ID: CVE-2021-35086)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of the SIB type when processing an NR System Information message in the Modem component. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
10) Information disclosure (CVE-ID: CVE-2021-35080)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the KERNEL component. A local application can gain unauthorized access to sensitive information on the system.
11) Memory leak (CVE-ID: CVE-2021-35078)
The vulnerability allows a remote attacker to perform a DoS attack on the target system.
The vulnerability exists due to a memory leak while parsing the server certificate chain in the Data Modem component. A remote attacker can force the application to leak memory and perform a denial of service attack.
12) Reachable Assertion (CVE-ID: CVE-2021-35073)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of the rank restriction field in the Modem component. A remote attacker can pass specially crafted data and cause a denial of service.
13) Improper Validation of Array Index (CVE-ID: CVE-2021-35072)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in the RFA component when processing an external DIAG command. A local application can trigger a buffer overflow and execute arbitrary code with elevated privileges.
14) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-35090)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a TOCTOU race condition when updating address mappings within the KERNEL component. A local application can send specially crafted data and execute arbitrary code with elevated privileges.
15) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-35082)
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to a race condition between the PDCP and RRC tasks within the NB1 component. A remote attacker can send specially crafted traffic after a valid RRC security mode command packet has been received and execute arbitrary code on the system.
16) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2021-35098)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper validation of the session id in the PCM routing process. A local application can trigger a use of an out-of-range pointer offset and escalate privileges on the system.
17) Input validation error (CVE-ID: CVE-2021-35092)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input when processing the DCB/AVB algorithm with an invalid queue index from an IOCTL request. A local application can cause an arbitrary address modification and escalate privileges on the system.
18) Buffer Over-read (CVE-ID: CVE-2021-35085)
The vulnerability allows a local application to cause a denial of service.
The vulnerability exists due to a buffer over-read error in the WLAN Host Communication component. A local application can trigger a buffer over-read error and cause a denial of service.
19) Buffer Over-read (CVE-ID: CVE-2021-35084)
The vulnerability allows a local application to cause a denial of service.
The vulnerability exists due to a buffer over-read error in the Automotive Connectivity component. A local application can trigger a buffer over-read error and cause a denial of service.
20) Use-after-free (CVE-ID: CVE-2022-22071)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Automotive Android OS when process shell memory is freed using an IOCTL munmap call while process initialization is in progress. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.
21) Use-after-free (CVE-ID: CVE-2022-22068)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the NPU component. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.
22) Use-after-free (CVE-ID: CVE-2022-22057)
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in a graphics fence, caused by a race condition when a fence file descriptor is closed and the graphics timeline is destroyed simultaneously. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
23) Buffer overflow (CVE-ID: CVE-2022-22072)
The vulnerability allows a local application to compromise the vulnerable system.
The vulnerability exists due to a buffer overflow in the WLAN Host Communication component caused by an improper validation of NDP application information length. A local application can trigger a buffer overflow and execute arbitrary code with elevated privileges.
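Entries 4 and 23 describe the same defensive failure from two sides: a declared length inside a received frame is trusted without being checked against the bytes actually received (leading to an over-read) or against the fixed-size destination it is copied into (leading to an overflow). The following C example is added here to show what that validation looks like; it is not Qualcomm's code and does not use the real NDP or WLAN frame formats. The element layout (a 1-byte id, a 1-byte length, then the payload), the function names `unpack_app_info` and `demo_*`, and the sample frames are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (constructed for this example): a sequence of
 * elements, each being a 1-byte element id, a 1-byte declared length, and
 * that many payload bytes. */
#define MAX_APP_INFO_LEN 32   /* capacity of the fixed-size destination buffer */

enum unpack_status {
    UNPACK_OK = 0,
    UNPACK_TRUNCATED_HEADER,   /* fewer than 2 bytes left for id + length */
    UNPACK_LEN_EXCEEDS_FRAME,  /* declared length runs past the received bytes (over-read) */
    UNPACK_LEN_EXCEEDS_DEST,   /* declared length larger than the destination (overflow) */
    UNPACK_NOT_FOUND
};

struct app_info {
    uint8_t data[MAX_APP_INFO_LEN];
    size_t len;
};

/* Walk the frame looking for element `want_id` and copy its payload into `out`.
 * Each declared length is checked against the remaining frame bytes and against
 * the destination capacity before any read or write takes place. */
enum unpack_status unpack_app_info(const uint8_t *frame, size_t frame_len,
                                   uint8_t want_id, struct app_info *out)
{
    size_t off = 0;
    while (off < frame_len) {
        if (frame_len - off < 2)
            return UNPACK_TRUNCATED_HEADER;
        uint8_t id = frame[off];
        size_t len = frame[off + 1];
        off += 2;
        /* Check 1: the declared length must lie inside what was actually received.
         * Omitting this is the "lack of size validation while unpacking a frame" defect. */
        if (len > frame_len - off)
            return UNPACK_LEN_EXCEEDS_FRAME;
        if (id == want_id) {
            /* Check 2: the declared length must fit the fixed destination buffer.
             * Omitting this is the "improper validation of information length" defect. */
            if (len > MAX_APP_INFO_LEN)
                return UNPACK_LEN_EXCEEDS_DEST;
            memcpy(out->data, frame + off, len);
            out->len = len;
            return UNPACK_OK;
        }
        off += len;   /* skip an element we are not interested in */
    }
    return UNPACK_NOT_FOUND;
}

/* Constructed sample frames exercising the accept and both reject paths. */
enum unpack_status demo_valid(struct app_info *out)
{
    static const uint8_t frame[] = {0x01, 3, 'a', 'b', 'c', 0x07, 4, 1, 2, 3, 4};
    return unpack_app_info(frame, sizeof frame, 0x07, out);
}

enum unpack_status demo_over_read(struct app_info *out)
{
    /* declares 200 payload bytes, but only 2 were received */
    static const uint8_t frame[] = {0x07, 200, 0xAA, 0xBB};
    return unpack_app_info(frame, sizeof frame, 0x07, out);
}

enum unpack_status demo_dest_overflow(struct app_info *out)
{
    /* 50 payload bytes really are present, but the destination holds only 32 */
    uint8_t frame[2 + 50];
    memset(frame, 0x41, sizeof frame);
    frame[0] = 0x07;
    frame[1] = 50;
    return unpack_app_info(frame, sizeof frame, 0x07, out);
}

int main(void)
{
    struct app_info info;
    printf("valid frame:    status %d, %zu bytes copied\n", demo_valid(&info), info.len);
    printf("over-read:      status %d\n", demo_over_read(&info));
    printf("dest overflow:  status %d\n", demo_dest_overflow(&info));
    return 0;
}
```

The two checks are deliberately separate: the first protects the parser from reading past the end of the received data, the second protects the caller's buffer; a frame can pass either check while failing the other, which is why a single "length looks sane" test is not enough.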
Remediation
Install updates from the vendor's website.
References
- https://docs.qualcomm.com/bundle/publicresource/HD-10000-1/topics/may-2022-bulletin.html
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d737412829798dd54e8355074f4653662a763c02
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=33a33b2eedc4349d73796f585986cdee7680310c
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/prima/commit/?id=edc957bca2d254d202765b7fd131261ad2b75a29
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=9e8dbd5b761e9a152cb77562ec20124b5b69c7cf
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/prima/commit/?id=b84f0da6a06d2f4c6f497b1bf3c291e71fb37838
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6fba8935de694cc61a13bba40fd1251097cdc014
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=ba9e94231a2b072f44ba702682bd0dc23cb37edc
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d2a6e223866ca0de9af3fad7a2ad7a44658f479d
- https://source.codeaurora.org/quic/qsdk/platform/vendor/opensource/audio-kernel/commit/?id=1d3fb0289f8f1c7f53027933ea9b3922dfc58d90
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/data-kernel/commit/?id=750c833c5fff296626289fc804a3065b37ce191f
- https://source.codeaurora.org/quic/la/kernel/msm-4.14/commit/?id=b48cdc1354929396bdc24194f94349d41e685f76
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=e1aea60710fbd4590f78bfc0c7d559f7669f0d4c
- https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=022554eb485fe7ecd251341c6115e5ece40f3927
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=586840fde350d7b8563df9889c8ce397e2c20dda
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=57a6844ba565447f802abecc9e47b39f33187ef2
- https://source.codeaurora.org/quic/le/kernel/msm-4.19/commit/?id=0098ef73cc8d83fce4583252d3fe5e95642e9a9f
- https://source.codeaurora.org/quic/la/kernel/msm-5.4/commit/?id=339824df70a0e9e08f2a7151b776d72421050f04
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=34fa11aeb2d9232d4ed4b4babab0e4760f04aa92
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=18eae871c458008b7b7fcb729a3c9a73e4fdc135
- https://source.codeaurora.org/quic/le/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=36dd3a5a3c4278272cbe2c78392499bee51671c4