SB2022110730 - Multiple vulnerabilities in Qualcomm chipsets
Published: November 7, 2022
Description
This security bulletin contains information about 15 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2022-25667)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the kernel when handling ICMP requests. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Use-after-free (CVE-ID: CVE-2022-25743)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the Graphics component in drivers/gpu/msm/kgsl.c while importing graphics buffer. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.
3) Out-of-bounds read (CVE-ID: CVE-2022-25676)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing avi files within the Video component. A remote attacker can create a specially crafted avi file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
4) Cryptographic issues (CVE-ID: CVE-2022-25674)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to an error in WLAN during the group key handshake of the WPA/WPA2 protocol. A remote attacker can perform a MitM attack.
5) Improper access control (CVE-ID: CVE-2022-25679)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper access restrictions to broadcast receivers within the Video component. A local application can perform a denial of service (DoS) attack.
6) Buffer overflow (CVE-ID: CVE-2022-25727)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing network traffic within the modem component. A remote attacker can send specially crafted traffic to the device, trigger memory corruption and execute arbitrary code on the target system.
7) Reachable Assertion (CVE-ID: CVE-2022-25671)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the modem component. A remote attacker can send specially crafted traffic to the device and perform a denial of service (DoS) attack.
8) NULL pointer dereference (CVE-ID: CVE-2022-25710)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in Automotive Connectivity when GATT is disconnected. A remote attacker can pass specially crafted data to the device and perform a denial of service (DoS) attack.
9) Infinite loop (CVE-ID: CVE-2022-25742)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in modem when parsing IGMPv2 packets. A remote attacker can send specially crafted traffic to the device and consume all available system resources.
10) Buffer overflow (CVE-ID: CVE-2022-33234)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Video component. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Out-of-bounds read (CVE-ID: CVE-2022-33236)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the WLAN Firmware when parsing cipher suite info attributes. A remote attacker can send specially crafted data to the device, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
12) Out-of-bounds read (CVE-ID: CVE-2022-33237)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the WLAN Firmware when processing PPE threshold. A remote attacker can send specially crafted data to the device, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
13) Infinite loop (CVE-ID: CVE-2022-33239)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the WLAN Firmware when parsing IPv6 extension headers. A remote attacker can send specially crafted IPv6 packets to the device and consume all available system resources.
14) Buffer overflow (CVE-ID: CVE-2022-25724)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the graphics component. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) NULL pointer dereference (CVE-ID: CVE-2022-25741)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within WLAN HOST in core/mac/src/pe/lim/lim_assoc_utils.c. A remote attacker can pass specially crafted data to the device and perform a denial of service (DoS) attack.
Remediation
Install updates from the vendor's website.
References
- https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2022-bulletin.html
- https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/7ada2c15e39e5288b67ed5ae94b0a8dcb181b911
- https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/d3a79f61ced88351381a881d15c715658e9066c7
- https://git.codelinaro.org/clo/la/kernel/msm-3.18/-/commit/c9b3b88b767cca85fe504289edf31eb1599c21f4
- https://git.codelinaro.org/clo/la/kernel/msm-5.4/-/commit/ac7349dd70e6d8612c16f282b9f42e6a2d0742a8
- https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/-/commit/c1dba00faf5661f3053f4d021ebd6794136f4eb5