Qualcomm Vulnerabilities

A batch of CVEs has just been published for the chip vendor Qualcomm.


Exploit of the day: today (2019-07-29) our system picked up a batch of Qualcomm vulnerabilities:
* Medium CVE-2019-2263: Qualcomm Mdm9650 firmware
* Medium CVE-2019-2272: Qualcomm Sd 205 firmware
* High CVE-2019-2273: Qualcomm Sd 212 firmware
* High CVE-2019-2276: Qualcomm Qca9379 firmware
* Medium CVE-2019-2281: Qualcomm Sd 675 firmware
* Medium CVE-2019-2290: Qualcomm Msm8996au firmware
* Medium CVE-2019-2298: Qualcomm Msm8909w firmware
* Medium CVE-2019-2299: Qualcomm Mdm9607 firmware
* Medium CVE-2019-2301: Qualcomm Qcs605 firmware
* Medium CVE-2019-2305: Qualcomm Msm8996au firmware
* Medium CVE-2019-2306: Qualcomm Sdm630 firmware

Qualcomm is an American smart-device and IoT (Internet of Things) chip manufacturer, best known for the widely used Snapdragon system on a chip, which integrates a graphics processing unit (GPU), a global positioning system (GPS) receiver and a cellular modem directly into the chip.


Affecting:

CVE-2019-2254

An interesting one recently published is CVE-2019-2254, which Qualcomm classified as a critical vulnerability.

The CVE is described by MITRE as:

Position determination accuracy may be degraded due to wrongly decoded information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearable in MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130

Information published by Qualcomm:

Title: Use of Out-of-range Pointer Offset in GPS
Description: Position determination accuracy may be degraded due to wrongly decoded information
Technology Area: GPS
Vulnerability Type: CWE-823 Use of Out-of-range Pointer Offset
Access Vector: Remote
Security Rating: Critical
Customer Notified Date: 1/7/2019

We have reached out to Qualcomm regarding a more in-depth explanation of this vulnerability, but we have not received any response.

Summary of CVE-2019-2254:

A vulnerability has been found in the GPS position decoding function that can allow a malicious third party to read and write data that the program uses. If this is successfully exploited, it will lead to remote code execution.

Speculations:

Since several Qualcomm chipsets come with GPS built in, the issue may affect third parties running vulnerable versions of Snapdragon firmware. This would include phones and other smart devices.

Another interesting one is the High-rated CVE-2019-2273 in Qualcomm Sd 212 firmware. It comes down to not validating the size of the data that gets stored into memory.

Information from Qualcomm:

Title: Buffer Over-read Issue in Video Driver
Description: IOMMU page fault playing h265 video file leads to denial of service issue
Technology Area: Video
Vulnerability Type: CWE-126 Buffer Over-read
Access Vector: Remote
Security Rating: High
Customer Notified Date: 4/1/2019

Example of vulnerable code for this type of weakness, published by MITRE:

    int processMessageFromSocket(int socket) {
        int success;

        char buffer[BUFFER_SIZE];
        char message[MESSAGE_SIZE];

        // get message from socket and store into buffer

        // Ignoring possibility that buffer > BUFFER_SIZE
        if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {

            // place contents of the buffer into message structure
            ExMessage *msg = recastBuffer(buffer);

            // copy message body into string for processing
            // msg->msgLength comes from the received data and is never checked
            // against MESSAGE_SIZE, so an oversized message overflows 'message'
            int index;
            for (index = 0; index < msg->msgLength; index++) {
                message[index] = msg->msgBody[index];
            }
            message[index] = '\0';

            // process message
            success = processMessage(message);
        }
        return success;
    }

This snippet shows a program that does not validate a size before using it: msg->msgLength is taken straight from the received data and used as the loop bound when copying into the fixed-size message buffer, so a message longer than MESSAGE_SIZE writes past the end of that buffer, which is never good.
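As an added example (not MITRE's or Qualcomm's code), the following shows the check the snippet above is missing: the attacker-controlled length field is validated both against the number of bytes actually received (the over-read case) and against the destination buffer (the overflow case) before anything is copied. The ExMessage layout, the body contents and the "received" byte counts are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MESSAGE_SIZE 16

/* Constructed message layout: a length field and a pointer to the body.
 * The length arrives from the network, so it is attacker-controlled. */
typedef struct {
    uint32_t msgLength;
    const unsigned char *msgBody;
} ExMessage;

/* Hardened copy. Returns bytes copied, or -1 if the message is rejected. */
int copy_message_checked(const ExMessage *msg, size_t received,
                         char *message, size_t message_size)
{
    /* Over-read (CWE-126): claimed length must not exceed what was received. */
    if (msg->msgLength > received) {
        return -1;
    }
    /* Overflow: '>=' keeps one byte free for the terminating NUL. */
    if (msg->msgLength >= message_size) {
        return -1;
    }
    memcpy(message, msg->msgBody, msg->msgLength);
    message[msg->msgLength] = '\0';
    return (int)msg->msgLength;
}

/* Simulates one received message: 'claimed_len' is the length field from the
 * wire, 'received' is how many body bytes were actually read (constructed). */
int handle_message(uint32_t claimed_len, size_t received, char *out, size_t out_size)
{
    static const unsigned char body[64] = "constructed sample body";
    ExMessage msg = { claimed_len, body };
    return copy_message_checked(&msg, received, out, out_size);
}

int main(void)
{
    char out[MESSAGE_SIZE];
    printf("len 5  / recv 23 -> %d\n", handle_message(5, 23, out, sizeof out));  /* 5 */
    printf("len 10 / recv 5  -> %d\n", handle_message(10, 5, out, sizeof out));  /* -1: over-read */
    printf("len 16 / recv 64 -> %d\n", handle_message(16, 64, out, sizeof out)); /* -1: overflow */
    return 0;
}
```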

Links to sources:
Wikipedia: Qualcomm Snapdragon
Qualcomm's security bulletin
Firo Medium CVE-2019-2263: Qualcomm Mdm9650 firmware
Firo Medium CVE-2019-2272: Qualcomm Sd 205 firmware
Firo High CVE-2019-2273: Qualcomm Sd 212 firmware
Firo High CVE-2019-2276: Qualcomm Qca9379 firmware
Firo Medium CVE-2019-2281: Qualcomm Sd 675 firmware
Firo Medium CVE-2019-2290: Qualcomm Msm8996au firmware
