May 2020 Security Bulletin
Version 1.1
Published: 05/04/2020
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to [email protected] for any questions related to this bulletin.
Table of Contents
- Announcements
- Acknowledgements
- Proprietary Software Issues
- Open Source Software Issues
- Industry Coordination
- Version History
Announcements
None
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2020-3610 | Monk Avel |
| CVE-2020-3680 | Jun Yao ( [email protected] ) |
| CVE-2019-14038, CVE-2019-14039 | Gengjia Chen ( @chengjia4574 ) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2019-14042, CVE-2019-14043 | Arash Tohidi of Solita |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2020-3641 | Critical | Video | Internal |
| CVE-2019-14054 | High | QTEE | Internal |
| CVE-2019-14066 | High | Technologies | Internal |
| CVE-2019-14067 | High | HLOS | 08/23/2018 |
| CVE-2019-14077 | High | NFC | Internal |
| CVE-2019-14078 | High | NFC | Internal |
| CVE-2020-3616 | High | Display | Internal |
| CVE-2020-3618 | High | WLAN Firmware | Internal |
| CVE-2020-3633 | High | Video | Internal |
| CVE-2020-3645 | High | WLAN Firmware | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-14042 | Medium | Fingerprint | 07/31/2019 |
| CVE-2019-14043 | Medium | Fingerprint | 08/01/2019 |
CVE-2020-3641
| CVE ID | CVE-2020-3641 |
| Title | Buffer Copy Without Checking Size of input in Video |
| Description | Integer overflow may occur if the atom size is less than the atom offset, because the atom size is not properly validated |
| Technology Area | Video |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Remote |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, QCA6574AU, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130 |
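The bug class behind CVE-2020-3641 is a size field that is trusted before it is validated: subtracting the header length from an atom size smaller than the header wraps the unsigned result, and whatever copy follows runs off the buffer. The C below is an added illustration, not Qualcomm's video code or any real container library. It assumes a minimal ISO-BMFF-style atom header (32-bit big-endian size that includes the 8-byte header, then a 4-byte type) and constructs its own sample stream. The unchecked function shows the wrap; the hardened parser rejects a size below the header length (this CVE) and a size that extends past the remaining buffer (the same offset-versus-allocation check that the CVE-2020-3633 entry below describes for MP3 playback).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed atom header layout for this example: 32-bit big-endian size
 * (covering the header itself) followed by a 4-byte type. Not Qualcomm's code. */
#define ATOM_HEADER_LEN 8u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: payload length derived from the untrusted size field
 * before the size is validated. For size < ATOM_HEADER_LEN the unsigned
 * subtraction wraps to about 4 GiB and a following copy overruns the buffer. */
uint32_t atom_payload_len_unchecked(const uint8_t *atom)
{
    uint32_t size = be32(atom);
    return size - ATOM_HEADER_LEN;   /* wraps when size < 8 */
}

/* Hardened parser. Returns 0 and fills payload/payload_len/next on success,
 * negative on malformed input. Checks, in order:
 *  - the header itself fits in what is left of the buffer
 *  - size >= header length (prevents the wrap; the CVE-2020-3641 class)
 *  - size <= remaining bytes (no read past the allocation; the CVE-2020-3633 class)
 * Simplification: the special ISO-BMFF sizes 0 ("to end of file") and
 * 1 (64-bit largesize follows) are treated as malformed here. */
int atom_parse(const uint8_t *buf, size_t buflen, size_t offset,
               const uint8_t **payload, size_t *payload_len, size_t *next)
{
    uint32_t size;

    if (offset > buflen || buflen - offset < ATOM_HEADER_LEN)
        return -1;
    size = be32(buf + offset);
    if (size < ATOM_HEADER_LEN)
        return -2;
    if (size > buflen - offset)
        return -3;
    *payload = buf + offset + ATOM_HEADER_LEN;
    *payload_len = size - ATOM_HEADER_LEN;
    *next = offset + size;
    return 0;
}

/* Walk a stream with the hardened parser. Returns the status of the first
 * rejected atom, or 0 if all were accepted; *atoms_ok counts accepted atoms. */
int walk_atoms(const uint8_t *buf, size_t buflen, size_t *atoms_ok)
{
    size_t off = 0;
    *atoms_ok = 0;
    while (off < buflen) {
        const uint8_t *payload;
        size_t plen, next;
        int rc = atom_parse(buf, buflen, off, &payload, &plen, &next);
        if (rc != 0)
            return rc;
        (*atoms_ok)++;
        off = next;
    }
    return 0;
}

/* Constructed input: a well-formed 'ftyp' atom (size 16, 8-byte payload)
 * followed by a hostile atom whose size field (4) is smaller than its header. */
static const uint8_t sample_stream[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p',
    'i',  's',  'o',  'm',  0x00, 0x00, 0x02, 0x00,
    0x00, 0x00, 0x00, 0x04, 'f', 'r', 'e', 'e',
};

/* Scalar helpers over the sample stream. */
size_t sample_first_payload_len(void)
{
    const uint8_t *payload; size_t plen, next;
    if (atom_parse(sample_stream, sizeof sample_stream, 0, &payload, &plen, &next) != 0)
        return 0;
    return plen;
}

int sample_walk_status(void)
{
    size_t ok;
    return walk_atoms(sample_stream, sizeof sample_stream, &ok);
}

size_t sample_walk_good_atoms(void)
{
    size_t ok;
    walk_atoms(sample_stream, sizeof sample_stream, &ok);
    return ok;
}

int main(void)
{
    printf("unchecked payload length of hostile atom: %lu\n",
           (unsigned long)atom_payload_len_unchecked(sample_stream + 16));
    printf("hardened walk: status %d after %lu good atom(s)\n",
           sample_walk_status(), (unsigned long)sample_walk_good_atoms());
    return 0;
}
```

The order of the checks matters: the header-fits test must come before reading the size field, and the size-versus-remaining comparison must be done as `size > buflen - offset` rather than `offset + size > buflen`, since the latter can itself wrap on 32-bit targets.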
CVE-2019-14054
| CVE ID | CVE-2019-14054 |
| Title | Improper Access Control Issue in QTEE |
| Description | Improper permissions on the XBL_SEC region allow a user to update XBL_SEC code and data and to divert the RAM dump path to the normal cold boot path |
| Technology Area | QTEE |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | Kamorta, MSM8998, QCS404, QCS605, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SM8150, SXR1130, SXR2130 |
CVE-2019-14066
| CVE ID | CVE-2019-14066 |
| Title | Integer Overflow Issue in Feature License Queries |
| Description | Integer overflow in calculating the estimated output buffer size when getting a list of installed Feature IDs or Serial Numbers, or when checking Feature ID status |
| Technology Area | Technologies |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | Kamorta, MDM9205, MDM9607, Nicobar, QCS404, QCS405, Rennell, SA6155P, SC7180, SC8180X, SDX55, SM6150, SM7150, SXR2130 |
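CVE-2019-14066 is the multiplication counterpart of the size-field problem: an output size estimated as count times record size in 32-bit arithmetic wraps for a large count, so a small buffer is allocated while the fill loop still writes every record. The following C is an added example, not Qualcomm's feature-license code. It assumes a constructed response layout (8-byte header followed by fixed 16-byte records) and shows the unchecked estimate beside a version that rejects the wrap before any product is trusted, plus a serializer that refuses rather than overrunning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed response layout for this example (not Qualcomm's code):
 * an 8-byte header followed by `count` fixed-size records. Sizes are 32-bit,
 * as is common in firmware and TEE interfaces. */
#define RESP_HEADER_LEN 8u
#define RECORD_LEN      16u   /* assumed record size */

/* Vulnerable estimate: count * RECORD_LEN is 32-bit arithmetic and wraps for
 * count >= 2^28, so a hostile count makes the estimate tiny while a fill loop
 * still writes `count` records. */
uint32_t estimate_resp_len_unchecked(uint32_t count)
{
    return RESP_HEADER_LEN + count * RECORD_LEN;
}

/* Hardened estimate. Rejects counts whose product would wrap, and totals
 * above the caller's maximum, before the arithmetic result is used.
 * Returns 0 and sets *out on success, negative on failure.
 * (GCC/Clang also offer __builtin_mul_overflow for the same purpose.) */
int estimate_resp_len(uint32_t count, uint32_t max_len, uint32_t *out)
{
    uint32_t body, total;

    /* count * RECORD_LEN + header must fit in 32 bits */
    if (count > (UINT32_MAX - RESP_HEADER_LEN) / RECORD_LEN)
        return -1;
    body = count * RECORD_LEN;
    total = RESP_HEADER_LEN + body;   /* cannot wrap after the check above */
    if (total > max_len)
        return -2;
    *out = total;
    return 0;
}

/* Serialize `count` constructed records into out[]. Sizes the output with
 * the checked estimate and refuses rather than truncating or overrunning.
 * Returns bytes written, or 0 on rejection. */
uint32_t build_feature_list(uint32_t count, uint8_t *out, uint32_t out_len)
{
    uint32_t total, i;

    if (estimate_resp_len(count, out_len, &total) != 0)
        return 0;
    memset(out, 0, RESP_HEADER_LEN);
    out[0] = (uint8_t)(count);          /* little-endian record count */
    out[1] = (uint8_t)(count >> 8);
    out[2] = (uint8_t)(count >> 16);
    out[3] = (uint8_t)(count >> 24);
    for (i = 0; i < count; i++) {
        uint8_t *rec = out + RESP_HEADER_LEN + (size_t)i * RECORD_LEN;
        memset(rec, 0, RECORD_LEN);
        rec[0] = (uint8_t)(i + 1);      /* constructed feature ID */
    }
    return total;
}

/* Scalar wrappers for checking. */
uint32_t checked_len_or_zero(uint32_t count, uint32_t max_len)
{
    uint32_t len;
    return estimate_resp_len(count, max_len, &len) == 0 ? len : 0;
}

static uint8_t scratch[1024];

uint32_t build_demo(uint32_t count)
{
    return build_feature_list(count, scratch, (uint32_t)sizeof scratch);
}

int main(void)
{
    uint32_t hostile = 0x10000000u;     /* 2^28 records */
    printf("unchecked estimate for %lu records: %lu bytes\n",
           (unsigned long)hostile, (unsigned long)estimate_resp_len_unchecked(hostile));
    printf("checked estimate: %lu (0 = rejected)\n",
           (unsigned long)checked_len_or_zero(hostile, (uint32_t)sizeof scratch));
    printf("built %lu bytes for 4 records\n", (unsigned long)build_demo(4));
    return 0;
}
```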
CVE-2019-14067
| CVE ID | CVE-2019-14067 |
| Title | Information Exposure in QTEE |
| Description | Using non-constant-time functions such as memcmp to compare sensitive data can leak information through a timing side channel |
| Technology Area | HLOS |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 08/23/2018 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9650, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS404, QCS405, QCS605, QM215, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
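The reason memcmp is unsuitable for secrets is that it returns at the first differing byte, so the time it takes reveals how long the matching prefix is and lets an attacker recover a tag or PIN one byte at a time. The C below is an added illustration of CVE-2019-14067's class, not the QTEE code. It pairs an early-exit comparison with a constant-time one and, instead of measuring clock cycles, counts how many bytes each examines for a constructed 16-byte secret and a guess that matches in its first N bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* memcmp-style comparison: returns at the first differing byte. *steps
 * records how many bytes were examined, i.e. what an attacker measures via
 * timing: the length of the matching prefix plus one. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time comparison: OR together the XOR of every byte pair with no
 * data-dependent branch or early return, so the work done does not depend on
 * where (or whether) the inputs differ. Only the final equal/not-equal bit is
 * revealed, which is unavoidable. The volatile accumulator discourages the
 * compiler from re-introducing a shortcut. */
int compare_const_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return acc != 0;
}

/* Constructed 16-byte secret standing in for a MAC tag or stored PIN digest. */
#define TAG_LEN 16u
static const uint8_t secret_tag[TAG_LEN] = {
    0x3a, 0x91, 0xc4, 0x07, 0x5e, 0xd2, 0x88, 0x1b,
    0xf0, 0x6c, 0x29, 0xa5, 0x47, 0xbe, 0x13, 0xd8,
};

/* Fill guess[] so it matches the secret in its first `prefix` bytes and
 * differs at byte `prefix` (a prefix >= TAG_LEN yields an exact match). */
static void make_guess(uint8_t guess[TAG_LEN], size_t prefix)
{
    memcpy(guess, secret_tag, TAG_LEN);
    if (prefix < TAG_LEN)
        guess[prefix] ^= 0xff;
}

/* Bytes examined by the chosen comparison for such a guess. With early exit
 * the answer tracks `prefix`; with the constant-time version it is always
 * TAG_LEN. */
size_t steps_for_prefix(size_t prefix, int constant_time)
{
    uint8_t guess[TAG_LEN];
    size_t steps = 0;

    make_guess(guess, prefix);
    if (constant_time)
        compare_const_time(secret_tag, guess, TAG_LEN, &steps);
    else
        compare_early_exit(secret_tag, guess, TAG_LEN, &steps);
    return steps;
}

/* Equality verdict of the constant-time compare: 0 for a match, 1 otherwise. */
int ct_mismatch_for_prefix(size_t prefix)
{
    uint8_t guess[TAG_LEN];
    size_t steps;

    make_guess(guess, prefix);
    return compare_const_time(secret_tag, guess, TAG_LEN, &steps);
}

int main(void)
{
    for (size_t p = 0; p <= TAG_LEN; p += 5)
        printf("prefix %2lu: early-exit examined %2lu bytes, constant-time %2lu\n",
               (unsigned long)p, (unsigned long)steps_for_prefix(p, 0),
               (unsigned long)steps_for_prefix(p, 1));
    return 0;
}
```

Two caveats a reviewer would add: the lengths being compared must not themselves be secret-dependent (compare fixed-size digests, not variable-length strings), and the compiler must be prevented from optimising the loop back into an early exit, which is why TEE code bases usually keep such a routine in its own translation unit or use the platform's provided constant-time primitive.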
CVE-2019-14077
| CVE ID | CVE-2019-14077 |
| Title | Incorrect Type Conversion or Cast Issue in Trustzone |
| Description | Out-of-bounds memory access while processing an eSE transmit command, due to passing through the response buffer received from the user |
| Technology Area | NFC |
| Vulnerability Type | CWE-704 Incorrect Type Conversion or Cast |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8098, IPQ6018, Kamorta, MDM9150, MDM9205, MDM9607, MDM9650, MSM8909, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14078
| CVE ID | CVE-2019-14078 |
| Title | Incorrect Calculation of Buffer Size in Trustzone Application |
| Description | Out-of-bounds memory access while processing qpay, because the length of the response buffer provided by the user is not validated |
| Technology Area | NFC |
| Vulnerability Type | CWE-131 Incorrect Calculation of Buffer Size |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8098, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845 |
CVE-2020-3616
| CVE ID | CVE-2020-3616 |
| Title | Buffer Copy Without Checking Size of Input in Display |
| Description | Buffer overflow in a display function: memory is copied with strcpy, which does not check the source length against the destination size |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SM6150, SM7150, SM8150 |
CVE-2020-3618
| CVE ID | CVE-2020-3618 |
| Title | Use After Free Issue in WLAN |
| Description | NULL-pointer exception due to accessing a bad pointer while posting events on the RT FIFO |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | IPQ6018, IPQ8074, QCA8081, SC8180X, SXR2130 |
CVE-2020-3633
| CVE ID | CVE-2020-3633 |
| Title | Improper Validation of Array Index in Video |
| Description | Array out-of-bounds access may occur while playing an MP3 file, because the offset is not checked against the size of the allocated buffer |
| Technology Area | Video |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, QCS405, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR2130 |
CVE-2020-3645
| CVE ID | CVE-2020-3645 |
| Title | Reachable Assertion in WLAN Firmware |
| Description | The WLAN firmware hits an assert if the encrypted data length in the FILS IE of a reassociation response exceeds 528 bytes |
| Technology Area | WLAN Firmware |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | IPQ6018, IPQ8074, Kamorta, Nicobar, QCA6390, QCA8081, QCN7605, QCS404, QCS405, QCS605, Rennell, SC7180, SC8180X, SDA845, SDM670, SDM710, SDM845, SDM850, SM6150, SM7150, SM8150, SXR1130, SXR2130 |
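What makes CVE-2020-3645 remotely exploitable is not the over-long length itself but how it is handled: an assert on an over-the-air value resets the firmware, so one malformed frame becomes a denial of service. The C below is an added example, not Qualcomm's WLAN firmware. It models a (re)association response body as a sequence of 802.11 elements (ID, Length, payload; ID 255 followed by an Element ID Extension byte) and, as assumptions for the example, takes the FILS Session element to use extension ID 4 with an 8-byte value, treats everything after it as the encrypted part, and gives the decryption scratch buffer 528 bytes. Each failure, including a tail longer than the buffer, is returned as an error the caller uses to drop the frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Qualcomm's firmware. Elements are ID(1), Length(1),
 * payload(Length); ID 255 means an Element ID Extension byte opens the
 * payload. Assumed for this example: FILS Session uses extension ID 4 with an
 * 8-byte session value, and the decryption scratch buffer holds 528 bytes. */
#define ELEM_ID_EXTENSION   255u
#define FILS_SESSION_EXT_ID 4u
#define FILS_SESSION_LEN    8u
#define ENC_BUF_LEN         528u

/* Walk the elements, find FILS Session, and report the encrypted tail length.
 * Returns 0 ok, -1 malformed element, -2 no FILS Session, -3 tail too long.
 * Every failure is an ordinary error so the caller discards the frame; an
 * over-the-air length never reaches an assert (the CVE-2020-3645 class). */
int fils_encrypted_len(const uint8_t *body, size_t body_len, size_t *enc_len)
{
    size_t off = 0;
    *enc_len = 0;
    while (off < body_len) {
        size_t remaining = body_len - off;
        if (remaining < 2)
            return -1;                          /* truncated element header */
        uint8_t id = body[off], len = body[off + 1];
        if (len > remaining - 2)
            return -1;                          /* element runs past the frame */
        if (id == ELEM_ID_EXTENSION && len == 1 + FILS_SESSION_LEN &&
            body[off + 2] == FILS_SESSION_EXT_ID) {
            size_t tail = remaining - 2 - len;  /* bytes after this element */
            if (tail > ENC_BUF_LEN)
                return -3;                      /* reject; do not assert */
            *enc_len = tail;
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -2;
}

/* Constructed frame builder: a Supported Rates element (ID 1, 8 rates),
 * optionally a FILS Session element, then tail_len filler bytes standing in
 * for the encrypted elements. */
#define DEMO_TAIL_MAX 1024u
static uint8_t demo_body[2 + 8 + 2 + 1 + FILS_SESSION_LEN + DEMO_TAIL_MAX];

static size_t build_body(int with_fils, size_t tail_len)
{
    size_t n = 0;
    demo_body[n++] = 1; demo_body[n++] = 8;
    memset(demo_body + n, 0x8c, 8); n += 8;
    if (with_fils) {
        demo_body[n++] = ELEM_ID_EXTENSION;
        demo_body[n++] = 1 + FILS_SESSION_LEN;
        demo_body[n++] = FILS_SESSION_EXT_ID;
        memset(demo_body + n, 0xa5, FILS_SESSION_LEN); n += FILS_SESSION_LEN;
    }
    memset(demo_body + n, 0x5a, tail_len); n += tail_len;
    return n;
}

int demo_status(int with_fils, size_t tail_len)
{
    size_t enc;
    if (tail_len > DEMO_TAIL_MAX) return -99;   /* builder capacity */
    return fils_encrypted_len(demo_body, build_body(with_fils, tail_len), &enc);
}

size_t demo_enc_len(size_t tail_len)
{
    size_t enc = 0;
    if (tail_len > DEMO_TAIL_MAX) return 0;
    fils_encrypted_len(demo_body, build_body(1, tail_len), &enc);
    return enc;
}

/* A Supported Rates element claiming 20 bytes inside a 7-byte body. */
int demo_truncated_status(void)
{
    static const uint8_t bad[] = { 1, 20, 0x82, 0x84, 0x8b, 0x96, 0x0c };
    size_t enc;
    return fils_encrypted_len(bad, sizeof bad, &enc);
}

int main(void)
{
    printf("tail 100: %d, tail 528: %d, tail 529: %d, no FILS: %d, truncated: %d\n",
           demo_status(1, 100), demo_status(1, 528), demo_status(1, 529),
           demo_status(0, 0), demo_truncated_status());
    return 0;
}
```

The same discipline applies to the other reachable-assertion entry in this bulletin (CVE-2020-3615): asserts belong on invariants the firmware itself controls, never on fields a peer can put on the air.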
CVE-2019-14042
| CVE ID | CVE-2019-14042 |
| Title | Buffer Over-read Issue in Biometrics |
| Description | Out-of-bounds read in the fingerprint application because requested data is assigned to a local buffer without a length check |
| Technology Area | Fingerprint |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 07/31/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | Kamorta, MDM9205, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2019-14043
| CVE ID | CVE-2019-14043 |
| Title | Information Exposure Issue in Biometrics |
| Description | Out-of-bounds read in the fingerprint application because requested data is used without a length check |
| Technology Area | Fingerprint |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 08/01/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | Kamorta, MDM9150, MDM9205, MDM9650, MSM8998, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
* Data is generated only at the time of bulletin creation
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-14053 | High | Data Network Stack & Connectivity | Internal |
| CVE-2019-14087 | High | Display | Internal |
| CVE-2020-3610 | High | Graphics | 05/28/2019 |
| CVE-2020-3615 | High | WLAN HOST | 10/14/2019 |
| CVE-2020-3623 | High | NPU | Internal |
| CVE-2020-3625 | High | DSP Service | Internal |
| CVE-2020-3630 | High | Video | Internal |
| CVE-2020-3680 | High | DSP Service | 11/27/2019 |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2019-14038 | Medium | Audio | 07/15/2019 |
| CVE-2019-14039 | Medium | Audio | 07/15/2019 |
CVE-2019-14053
| CVE ID | CVE-2019-14053 |
| Title | Buffer Over-read Issue in HLOS Data |
| Description | When attempting to create a new XFRM policy, a stack out-of-bounds read will occur if the user provides a template where the mode is set to a value that does not resolve to a valid XFRM mode |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ8074, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, QCA4531, QCN7605, QCS605, QM215, SA415M, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2019-14087
| CVE ID | CVE-2019-14087 |
| Title | Use After Free Issue in Display |
| Description | Failure in buffer management while accessing the handle for an HDR blit when the color modes are not supported by the display |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 12/02/2019 |
| Affected Chipsets* | MSM8909W, QCS605 |
| Patch* |
CVE-2020-3610
| CVE ID | CVE-2020-3610 |
| Title | Use After Free Issue in Graphics |
| Description | Possibility of a double free of the drawobj added to the context's drawqueue array during IOCTL commands, as no refcount is taken on this object |
| Technology Area | Graphics |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 05/28/2019 |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCS405, QCS605, QM215, Rennell, SA415M, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
| Patch* |
CVE-2020-3615
| CVE ID | CVE-2020-3615 |
| Title | Reachable Assertion in WLAN |
| Description | Valid deauth/disassoc frames are dropped when RMF is enabled and a rogue peer keeps sending rogue deauth/disassoc frames, because improper enum values are used to check the frame subtype |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-617 Reachable Assertion |
| Access Vector | Remote |
| Security Rating | High |
| Date Reported | 10/14/2019 |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCN7605, QCS605, SC8180X, SDM630, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8150, SXR1130 |
| Patch* |
CVE-2020-3623
| CVE ID | CVE-2020-3623 |
| Title | Improper Input Validation in Neural processing Unit |
| Description | Kernel failure due to load failures while running the v1 path directly via the kernel |
| Technology Area | NPU |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | SM8250, SXR2130 |
| Patch* |
CVE-2020-3625
| CVE ID | CVE-2020-3625 |
| Title | Buffer Copy Without Checking Size of Input in DSP Services |
| Description | When querying DSP capabilities, a stack out-of-bounds access occurs because the wrong buffer length is configured for the DSP attributes |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | SM8250, SXR2130 |
| Patch* |
CVE-2020-3630
| CVE ID | CVE-2020-3630 |
| Title | Improper Validation of Array Index in Video |
| Description | Possibility of out of bound access while processing the responses from video firmware |
| Technology Area | Video |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 02/03/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA415M, SA6155P, Saipan, SC8180X, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
| Patch* |
CVE-2020-3680
| CVE ID | CVE-2020-3680 |
| Title | Time-of-Check Time-of-Use (TOCTOU) Race Condition in DSP Services |
| Description | A race condition can occur when using the fastrpc memory mapping API. |
| Technology Area | DSP Service |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 11/27/2019 |
| Customer Notified Date | 03/02/2020 |
| Affected Chipsets* | APQ8009, APQ8053, MSM8909W, MSM8917, MSM8953, QCS605, QM215, SA415M, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SXR1130 |
| Patch* |
CVE-2019-14038
| CVE ID | CVE-2019-14038 |
| Title | Buffer Over-read Issue in Audio |
| Description | Buffer over-read in the ADSP parse function due to a missing check that sufficient data payload was received in the command response |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 07/15/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24 |
| Patch* |
CVE-2019-14039
| CVE ID | CVE-2019-14039 |
| Title | Buffer Over-read Issue in Audio |
| Description | Out-of-bounds read in the ADM callback function due to an incorrect boundary check on the payload in the command response |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 07/15/2019 |
| Customer Notified Date | 11/04/2019 |
| Affected Chipsets* | APQ8053, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, QCS605, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM670, SDM710, SDM845, SDX20, SDX24 |
| Patch* |
* Data is generated only at the time of bulletin creation.
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in the most common scenarios but may differ in some cases for one of the following reasons:
- Consideration of security protections, such as SELinux, that are not enforced on some platforms
- Differences in the assessment of specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | May 4, 2020 | Bulletin Published |
| 1.1 | Nov 17, 2020 | CVE-2020-3615 removed from acknowledgements |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.