November 2020 Security Bulletin
Version 1.0
Published: 11/02/2020
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.
Table of Contents
| Announcements: |
| Acknowledgements: |
| Proprietary Software Issues: |
| Open Source Software Issues: |
| Industry Coordination: |
| Version History: |
Announcements
We plan to publish CVSS scores, ratings and string values for all CVEs published in bulletins from November 2020 onwards.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2020-11123 | Anonymous: Researcher requested not to be named |
| CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207 | Slava Makkaveev Of Checkpoint |
| CVE-2020-11121, CVE-2020-11130 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
| CVE-2020-11131 | Yang Xiao @ VARAS_IIE |
| CVE-2020-11132 | Qi Zhao and Guang Gong 360 Alpha Lab working with 360 BugCloud( https://bugcloud.360.cn/ ) |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software
This table list high impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and strongly recommended to release patches on end devices.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| CVE-2020-3639 | Critical | Critical | Data Modem | Internal |
| CVE-2020-11123 | High | High | HLOS | 12/04/2019 |
| CVE-2020-11127 | High | High | QTEE | Internal |
| CVE-2020-11168 | High | High | Video | Internal |
| CVE-2020-11175 | High | High | Bluetooth HOST | Internal |
| CVE-2020-11184 | High | High | Video | Internal |
| CVE-2020-11193 | High | High | Video | Internal |
| CVE-2020-11196 | High | High | Video | Internal |
| CVE-2020-11201 | High | High | Video | 02/21/2020 |
| CVE-2020-11202 | High | High | Video | 02/12/2020 |
| CVE-2020-11205 | High | High | BT Controller | Internal |
| CVE-2020-11206 | High | High | ComputerVision | 02/14/2020 |
| CVE-2020-11207 | High | High | ComputerVision | 02/21/2020 |
| CVE-2020-3632 | High | High | HWEngines | Internal |
| CVE-2020-11208 | High | High | DSP | Internal |
| CVE-2020-11209 | High | High | DSP | Internal |
This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| CVE-2020-11132 | Medium | Medium | Boot | 01/20/2020 |
CVE-2020-3639
| CVE ID | CVE-2020-3639 |
| Title | Improper Validation of Array Index in Modem Data |
| Description | When a non standard SIP sigcomp message is received from the network, then there may be chances of using more UDVM cycle or memory overflow |
| Technology Area | Data Modem |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Remote |
| Security Rating | Critical |
| CVSS Rating | Critical |
| CVSS Score | 9.8 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8017, APQ8037, APQ8053, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, QCM4290, QCM6125, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, QSM8350, SA415M, SA6145P, SA6150P, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA429W, SDA640, SDA660, SDA670, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM712, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM7250, SM7250P, SM8150, SM8150P, SM8350, SM8350P, SXR1120, SXR1130 |
CVE-2020-11123
| CVE ID | CVE-2020-11123 |
| Title | Cryptographic Issue in HLOS |
| Description | information disclosure in gatekeeper trustzone implementation as the throttling mechanism to prevent brute force attempts at getting user`s lock-screen password can be bypassed by performing the standard gatekeeper operations. |
| Technology Area | HLOS |
| Vulnerability Type | CWE-310 Cryptographic Issues |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.1 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Date Reported | 12/04/2019 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9640, MDM9650, MDM9655, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QM215, QSM8250, QSM8350, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180XP, SDA429W, SDA640, SDA660, SDA670, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM712, SDM830, SDM845, SDM850, SDW2500, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 |
CVE-2020-11127
| CVE ID | CVE-2020-11127 |
| Title | Integer Overflow to Buffer Overflow in QTEE |
| Description | Integer overflow can cause a buffer overflow due to lack of table length check in the extensible boot Loader during the validation of security metadata while processing objects to be loaded |
| Technology Area | QTEE |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | MDM9205, QCM4290, QCS405, QCS410, QCS4290, QCS610, QSM8250, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA640, SDA845, SDA855, SDM1000, SDM640, SDM830, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR2130, SXR2130P |
CVE-2020-11168
| CVE ID | CVE-2020-11168 |
| Title | Untrusted Pointer Dereference Issue in Video |
| Description | Null-pointer dereference can occur while accessing data buffer beyond its size that leads to access the buffer beyond its range |
| Technology Area | Video |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.3 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8053, APQ8064AU, APQ8096AU, APQ8098, MDM9206, MDM9650, MSM8909W, MSM8953, MSM8996AU, QCM4290, QCS405, QCS4290, QCS603, QCS605, QM215, QSM8350, SA6155, SA6155P, SA8155, SA8155P, SDA429W, SDA640, SDA660, SDA845, SDA855, SDM1000, SDM429, SDM429W, SDM450, SDM632, SDM640, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P, WCD9330 |
CVE-2020-11175
| CVE ID | CVE-2020-11175 |
| Title | Use After Free Issue in Bluetooth Host |
| Description | Use after free issue in Bluetooth transport driver when a method in the object is accessed after the object has been deleted due to improper timer handling. |
| Technology Area | Bluetooth HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | APQ8009W, MSM8909W, QCS605, QM215, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA855, SDM1000, SDM640, SDM670, SDM710, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6350, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P |
CVE-2020-11184
| CVE ID | CVE-2020-11184 |
| Title | Integer Overflow to Buffer Overflow in Video |
| Description | Possible buffer overflow will occur in video while parsing mp4 clip with crafted esds atom size. |
| Technology Area | Video |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.3 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
CVE-2020-11193
| CVE ID | CVE-2020-11193 |
| Title | Integer Overflow to Buffer Overflow Issue in Video |
| Description | Buffer over read can happen while parsing mkv clip due to improper typecasting of data returned from atomsize |
| Technology Area | Video |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.3 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 |
CVE-2020-11196
| CVE ID | CVE-2020-11196 |
| Title | Integer Overflow to Buffer Overflow in Video |
| Description | Integer overflow to buffer overflow occurs while playback of ASF clip having unexpected number of codec entries |
| Technology Area | Video |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Remote |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 7.3 |
| CVSS String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 |
CVE-2020-11201
| CVE ID | CVE-2020-11201 |
| Title | Untrusted Pointer Dereference in Video |
| Description | Arbitrary access to DSP memory due to improper check in loaded library for data received from CPU side |
| Technology Area | Video |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 02/21/2020 |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA845, SDM640, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P |
CVE-2020-11202
| CVE ID | CVE-2020-11202 |
| Title | Improper Input Validation in Video |
| Description | Buffer overflow/underflow occurs when typecasting the buffer passed by CPU internally in the library which is not aligned with the actual size of the structure |
| Technology Area | Video |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 02/12/2020 |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA845, SDM640, SDM670, SDM710, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P |
CVE-2020-11205
| CVE ID | CVE-2020-11205 |
| Title | Integer Overflow or Wraparound issues in Bluetooth SOC |
| Description | Possible integer overflow to heap overflow while processing command due to lack of check of packet length received |
| Technology Area | BT Controller |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 08/03/2020 |
| Affected Chipsets* | QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155P, SA8195P, SDX55M, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
CVE-2020-11206
| CVE ID | CVE-2020-11206 |
| Title | Untrusted Pointer Dereference in ComputerVision |
| Description | Possible buffer overflow in Fastrpc while handling received parameters due to lack of validation on input parameters |
| Technology Area | ComputerVision |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 02/14/2020 |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | APQ8098, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
CVE-2020-11207
| CVE ID | CVE-2020-11207 |
| Title | Buffer Copy Without Checking Size of Input in Computer Vision |
| Description | Buffer overflow in LibFastCV library due to improper size checks with respect to buffer length |
| Technology Area | ComputerVision |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 02/21/2020 |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | APQ8052, APQ8056, APQ8076, APQ8096, APQ8096SG, APQ8098, MDM9655, MSM8952, MSM8956, MSM8976, MSM8976SG, MSM8996, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR2130, SXR2130P |
CVE-2020-3632
| CVE ID | CVE-2020-3632 |
| Title | Improper Validation of Array Index in MHI Ring Validation |
| Description | Incorrect validation of ring context fetched from host memory can lead to memory overflow |
| Technology Area | HWEngines |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | QSM8350, SC7180, SDX55, SDX55M, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
CVE-2020-11132
| CVE ID | CVE-2020-11132 |
| Title | Buffer Over read Issue in Boot |
| Description | Buffer over read in boot due to size check ignored before copying GUID attribute from request to response |
| Technology Area | Boot |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 5.1 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L |
| Date Reported | 01/20/2020 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8096AU, APQ8098, MDM8207, MDM9150, MDM9205, MDM9206, MDM9207, MDM9250, MDM9607, MDM9628, MDM9650, MSM8108, MSM8208, MSM8209, MSM8608, MSM8905, MSM8909, MSM8998, QCM4290, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QSM8250, SA415M, SA515M, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SC8180X, SC8180X+SDX55, SC8180XP, SDA640, SDA670, SDA845, SDA855, SDM1000, SDM640, SDM670, SDM710, SDM712, SDM830, SDM845, SDM850, SDX24, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330 |
CVE-2020-11208
| CVE ID | CVE-2020-11208 |
| Title | Buffer Overflow in DSP Process |
| Description | Out of Bound issue in DSP services while processing received arguments due to improper validation of length received as an argument |
| Technology Area | DSP |
| Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 |
CVE-2020-11209
| CVE ID | CVE-2020-11209 |
| Title | Improper Authorization in DSP Process |
| Description | Improper authorization in DSP process could allow unauthorized users to downgrade the library versions |
| Technology Area | DSP |
| Vulnerability Type | CWE-285 Improper Authorization |
| Access Vector | Local |
| Security Rating | High |
| CVSS Rating | High |
| CVSS Score | 8.4 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | Internal |
| Customer Notified Date | 07/24/2020 |
| Affected Chipsets* | SD820, SD821, SD820, QCS603, QCS605, SDA855, SA6155P, SA6145P, SA6155, SA6155P, SD855, SD 675, SD660, SD429, SD439 |
* Data is generated only at the time of bulletin creation
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software
This table list moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
| Public ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| CVE-2020-11121 | Medium | Medium | WLAN HOST | 01/03/2020 |
| CVE-2020-11130 | Medium | Medium | WLAN HOST | 01/03/2020 |
| CVE-2020-11131 | Medium | Medium | WLAN HOST | 10/01/2019 |
CVE-2020-11121
| CVE ID | CVE-2020-11121 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible buffer overflow in WIFI hal process due to usage of memcpy without checking length of destination buffer |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 01/03/2020 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SC8180X, SC8180XP, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
| Patch* |
CVE-2020-11130
| CVE ID | CVE-2020-11130 |
| Title | Buffer Copy Without Checking Size of Input in WLAN |
| Description | Possible buffer overflow in WIFI hal process due to copying data without checking the buffer length |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 01/03/2020 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | QCM4290, QCS4290, QM215, QSM8350, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SC8180X, SC8180XP, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6250, SM6350, SM7125, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P |
| Patch* |
CVE-2020-11131
| CVE ID | CVE-2020-11131 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | Possible buffer overflow in WMA message processing due to integer overflow occurs when processing command received from user space |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| CVSS Rating | Medium |
| CVSS Score | 6.7 |
| CVSS String | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Date Reported | 10/01/2019 |
| Customer Notified Date | 05/04/2020 |
| Affected Chipsets* | APQ8009, APQ8053, APQ8096AU, MDM9206, MDM9250, MDM9628, MDM9640, MDM9650, MSM8996AU, QCS405, SDA845, SDX20, SDX20M, WCD9330 |
| Patch* |
* Data is generated only at the time of bulletin creation
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | November 2, 2020 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer ("export") laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2020 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.
- Table of Contents
- Announcements
- Acknowledgements
- Proprietary Software Issues
- CVE-2020-3639
- CVE-2020-11123
- CVE-2020-11127
- CVE-2020-11168
- CVE-2020-11175
- CVE-2020-11184
- CVE-2020-11193
- CVE-2020-11196
- CVE-2020-11201
- CVE-2020-11202
- CVE-2020-11205
- CVE-2020-11206
- CVE-2020-11207
- CVE-2020-3632
- CVE-2020-11132
- CVE-2020-11208
- CVE-2020-11209
- Open Source Software Issues
- CVE-2020-11121
- CVE-2020-11130
- CVE-2020-11131
- Industry Coordination
- Version History
