SB2022090806 - Multiple vulnerabilities in Qualcomm chipsets

Published: September 8, 2022

Security Bulletin ID: SB2022090806
Severity: High
Patch available: YES
Number of vulnerabilities: 23
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 30%
Medium: 22%
Low: 48%

Description

This security bulletin contains information about 23 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2022-25686)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the video component when processing WAV files. A remote attacker can create a specially crafted WAV file, trick the victim into playing it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Buffer overflow (CVE-ID: CVE-2022-25654)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing ION commands within the kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


3) Out-of-bounds read (CVE-ID: CVE-2022-25706)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the Bluetooth HOST component when reading the L2CAP length field. A remote attacker with physical proximity to the device can send specially crafted traffic to the system, trigger an out-of-bounds read error and read the contents of memory or perform a denial of service (DoS) attack.


4) Use-after-free (CVE-ID: CVE-2022-25693)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the Graphics component. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


5) Out-of-bounds read (CVE-ID: CVE-2022-25670)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the HOST WLAN component when unpacking frames. A remote attacker can send specially crafted traffic to the system, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.


6) Integer overflow (CVE-ID: CVE-2022-25656)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to integer overflow within the kernel component. A local application can trigger an integer overflow and execute arbitrary code with elevated privileges.

7) Use-after-free (CVE-ID: CVE-2022-22095)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the synx driver of Multimedia Frameworks. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.

8) Out-of-bounds read (CVE-ID: CVE-2022-25653)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing AVI files. A remote attacker can create a specially crafted AVI file, trick the victim into playing it, trigger an out-of-bounds read error and read contents of memory on the system or crash the application.


9) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2022-25696)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition during map or unmap operations within the Display component. A local application can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


10) Improper Validation of Array Index (CVE-ID: CVE-2022-25690)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a boundary error in WLAN firmware when parsing ANQP action frames. A remote attacker on the local network can send specially crafted packets to the affected device and gain access to sensitive information.


11) Buffer overflow (CVE-ID: CVE-2022-25688)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the video component when processing PS files. A remote attacker can create a specially crafted PS file, trick the victim into playing it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


12) Buffer overflow (CVE-ID: CVE-2022-25669)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the video component when processing MP4 files. A remote attacker can create a specially crafted MP4 file, trick the victim into playing it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


13) Integer overflow (CVE-ID: CVE-2022-22105)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the Automotive Connectivity component when processing the HFP-UNIT profile. An attacker with physical proximity to the device can send specially crafted data to the system, trigger an integer overflow and execute arbitrary code.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


14) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2022-22094)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition when getting a mapping reference within the kernel component. A local application can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


15) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2022-22093)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition when handling concurrent hypervisor operations to attach or detach IRQs from virtual interrupt sources. A local application can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.


16) Use-after-free (CVE-ID: CVE-2022-22092)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the kernel component. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.

17) Improper Authorization (CVE-ID: CVE-2022-22091)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists within the LTE component due to improper authorization of a replayed LTE security mode command. A remote attacker can send specially crafted packets to the affected device and perform a denial of service (DoS) attack.


18) Integer overflow (CVE-ID: CVE-2022-22089)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the audio module when processing records. A remote attacker can trick the victim into playing a specially crafted file, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


19) Integer overflow (CVE-ID: CVE-2022-22081)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow within the audio module. A remote attacker can trick the victim into playing a specially crafted media file, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


20) Integer overflow (CVE-ID: CVE-2022-22074)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the Audio component when processing WMA files. A remote attacker can trick the victim into opening a specially crafted WMA file, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


21) Buffer Over-read (CVE-ID: CVE-2022-22066)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a buffer over-read in the content protection feature when processing a command received from HLOS. A local application can trigger a boundary error and execute arbitrary code with elevated privileges.


22) Buffer overflow (CVE-ID: CVE-2022-25708)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WLAN Firmware when processing keys. A remote attacker on the local network can send specially crafted input to the affected device, trigger memory corruption and execute arbitrary code on the target system.


23) Improper Authentication (CVE-ID: CVE-2022-25652)

The vulnerability allows a local application to bypass the authentication process.

The vulnerability exists due to improper hash verification in the WIN CoreBSP implementation. A local application can bypass the authentication process and escalate privileges on the system.


Remediation

Install the update from the vendor's website.