September 2020 Security Bulletin
Version 1.0
Published: 09/08/2020
This security bulletin is intended to help Qualcomm Technologies, Inc. (QTI) customers incorporate security updates in launched or upcoming devices. This document includes (i) a description of security vulnerabilities that have been addressed in QTI’s proprietary code and (ii) links to related code that has been contributed to Code Aurora Forum (CAF), a Linux Foundation Collaborative Project, to address security vulnerabilities for customers who incorporate Linux-based software from CAF into their devices.
Please reach out to securitybulletin@qti.qualcomm.com for any questions related to this bulletin.
Table of Contents
Announcements
Acknowledgements
Proprietary Software Issues
Open Source Software Issues
Industry Coordination
Version History
Announcements
None
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2020-3674 | Yanfeng Wang of C0RE Team, Qihoo 360 Technology Co. Ltd. |
CVE-2020-3679 | Hayawardh Vijayakumar |
Proprietary Software Issues
The tables below summarize security vulnerabilities that were addressed through proprietary software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2020-3634 | Critical | Multi-Mode Call Processor | Internal |
CVE-2020-11129 | High | Camera Driver | Internal |
CVE-2020-11135 | High | Audio | Internal |
CVE-2020-3617 | High | Core | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2020-3679 | Medium | QTEE | 10/16/2019 |
CVE-2020-3634
CVE ID | CVE-2020-3634 |
Title | Integer Underflow Issue in Multi Mode Call Processor |
Description | Multiple read overflows due to an improper length check while decoding Generic NAS transport/EMM info messages |
Technology Area | Multi-Mode Call Processor |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 03/02/2020 |
Affected Chipsets* | APQ8053, APQ8096AU, APQ8098, Kamorta, MDM9150, MDM9205, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QCS610, QM215, Rennell, SA415M, Saipan, SC7180, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130 |
CVE-2020-11129
CVE ID | CVE-2020-11129 |
Title | Use After Free Issues in Camera |
Description | When an error occurs during a capture request, the buffer is freed and later accessed, causing the camera app to fail due to a use-after-free |
Technology Area | Camera Driver |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 06/01/2020 |
Affected Chipsets* | Bitra, Kamorta, QCS605, Saipan, SDM710, SM8250, SXR2130 |
CVE-2020-11135
CVE ID | CVE-2020-11135 |
Title | Reachable Assertion Issues in Audio |
Description | Reachable assertion when the parser returns a wrong data size for APE clips |
Technology Area | Audio |
Vulnerability Type | CWE-617 Reachable Assertion |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 06/01/2020 |
Affected Chipsets* | APQ8098, Kamorta, MSM8917, MSM8953, Nicobar, QCM2150, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130 |
CVE-2020-3617
CVE ID | CVE-2020-3617 |
Title | Buffer Over-read Issue in Q6 testbus framework |
Description | Buffer over-read in the Q6 testbus framework: the diag packet length is not completely validated before the field is accessed, leading to information disclosure |
Technology Area | Core |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 03/02/2020 |
Affected Chipsets* | Kamorta, Nicobar, QCS605, QCS610, Rennell, SC7180, SDA660, SDM630, SDM636, SDM660, SDM670, SDM710, SM6150, SM7150, SM8150, SXR1130 |
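CVE-2020-3634 and CVE-2020-3617 share a root cause that is easier to see in code: a length taken from the message is used to advance through the buffer before it is checked against what actually remains. The following is an added illustration, not QTI code and not the NAS/EMM or diag packet formats themselves. It walks a constructed [type:1][len:1][value] message in two forms: a vulnerable decoder whose running `remaining` count is decremented with an unchecked unsigned subtraction, so it wraps (CWE-191) when an element claims more bytes than are left and the decoder reads past the end of the message (CWE-126); and a fixed decoder that re-derives the remaining bytes from the offset each turn and rejects an element that does not fit. The message bytes and the 64-byte arena around them are constructed so the over-read stays inside memory the program owns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message format for illustration: a sequence of elements
 * [type:1][len:1][value:len]. This is not the NAS/EMM or diag encoding. */
#define TLV_HDR_LEN 2u
#define MAX_ELEMS   4u

struct tlv {
    uint8_t type;
    uint8_t len;
    size_t  value_off;   /* offset of the value bytes within the message */
};

/* Vulnerable decoder. After each element it updates `remaining` with an
 * unchecked unsigned subtraction. An element that claims more bytes than are
 * left makes `remaining` wrap (CWE-191), the loop keeps going, and headers and
 * values are read from beyond the end of the message (CWE-126). */
size_t tlv_decode_vulnerable(const uint8_t *msg, size_t msg_len,
                             struct tlv *out, size_t max_out)
{
    size_t n = 0, off = 0, remaining = msg_len;
    while (remaining >= TLV_HDR_LEN && n < max_out) {
        out[n].type      = msg[off];
        out[n].len       = msg[off + 1];
        out[n].value_off = off + TLV_HDR_LEN;
        remaining -= TLV_HDR_LEN + out[n].len;   /* wraps if the element overruns */
        off       += TLV_HDR_LEN + out[n].len;
        n++;
    }
    return n;
}

/* Fixed decoder. `remaining` is recomputed from `off` and `msg_len` every turn
 * (it cannot wrap because off < msg_len), and the element length is checked
 * against it before being used. *ok is cleared on a truncated or oversized element. */
size_t tlv_decode_fixed(const uint8_t *msg, size_t msg_len,
                        struct tlv *out, size_t max_out, bool *ok)
{
    size_t n = 0, off = 0;
    *ok = true;
    while (off < msg_len && n < max_out) {
        size_t remaining = msg_len - off;
        if (remaining < TLV_HDR_LEN) { *ok = false; break; }      /* truncated header */
        uint8_t len = msg[off + 1];
        if (len > remaining - TLV_HDR_LEN) { *ok = false; break; } /* value does not fit */
        out[n].type      = msg[off];
        out[n].len       = len;
        out[n].value_off = off + TLV_HDR_LEN;
        off += TLV_HDR_LEN + len;
        n++;
    }
    return n;
}

/* Constructed input. The "message" is the first 6 bytes of a 64-byte arena;
 * element 2 claims 16 value bytes when none remain. Bytes past the message are
 * zero, so the vulnerable decoder's over-read stays inside the arena. */
static const uint8_t arena[64] = { 0x01, 0x02, 0xAA, 0xBB,   /* elem 1: type 1, 2 bytes */
                                   0x02, 0x10 };             /* elem 2: type 2, claims 16 */
#define MSG_LEN 6u

/* Elements the vulnerable decoder "finds": 4, although only 2 are present. */
size_t demo_vulnerable_count(void)
{
    struct tlv out[MAX_ELEMS];
    return tlv_decode_vulnerable(arena, MSG_LEN, out, MAX_ELEMS);
}

/* True if the vulnerable decoder attributed bytes beyond the message to element 2. */
bool demo_vulnerable_overreads(void)
{
    struct tlv out[MAX_ELEMS];
    size_t n = tlv_decode_vulnerable(arena, MSG_LEN, out, MAX_ELEMS);
    return n >= 2 && out[1].value_off + out[1].len > MSG_LEN;
}

/* The fixed decoder accepts element 1 and stops at the oversized element 2. */
size_t demo_fixed_count(void)
{
    struct tlv out[MAX_ELEMS]; bool ok;
    return tlv_decode_fixed(arena, MSG_LEN, out, MAX_ELEMS, &ok);
}
bool demo_fixed_rejects(void)
{
    struct tlv out[MAX_ELEMS]; bool ok;
    size_t n = tlv_decode_fixed(arena, MSG_LEN, out, MAX_ELEMS, &ok);
    return !ok && n == 1;
}
/* A well-formed message (the first 4 bytes alone) decodes cleanly. */
bool demo_fixed_accepts_wellformed(void)
{
    struct tlv out[MAX_ELEMS]; bool ok;
    size_t n = tlv_decode_fixed(arena, 4, out, MAX_ELEMS, &ok);
    return ok && n == 1;
}
```

The fixed version's two checks are the ones the descriptions say were missing: enough bytes for the header, then enough bytes for the declared value, both evaluated against the true remaining length before the length field is trusted.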
CVE-2020-3679
CVE ID | CVE-2020-3679 |
Title | Information Exposure in QTEE |
Description | After Address Space Layout Randomization is enabled for QTEE, part of the code, including code segments, is still mapped at a known address |
Technology Area | QTEE |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 10/16/2019 |
Customer Notified Date | 03/02/2020 |
Affected Chipsets* | Bitra, Kamorta, Nicobar, QCS404, QCS610, Rennell, SA6155P, SA8155P, Saipan, SC7180, SC8180X, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
* Data is generated only at the time of bulletin creation.
Open Source Software Issues
The tables below summarize security vulnerabilities that were addressed through open source software.
This table lists high-impact security vulnerabilities. Patches have been released for affected products. OEMs have been notified and are strongly recommended to release patches on end devices.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2020-11124 | High | Core Services | Internal |
CVE-2020-3656 | High | HWEngines | Internal |
This table lists moderate security vulnerabilities. OEMs have been notified and encouraged to patch these issues.
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2020-3674 | Medium | DSP Service | 11/07/2019 |
CVE-2020-11124
CVE ID | CVE-2020-11124 |
Title | Use After Free Issues in Diag Services |
Description | Possible use-after-free while accessing the diag client map table, since the list can be reallocated when the maximum client limit is exceeded |
Technology Area | Core Services |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 06/01/2020 |
Affected Chipsets* | MDM9607, Nicobar, QCS404, QCS405, QCS610, Rennell, SA6155P, SA8155P, Saipan, SC8180X, SDM660, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
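The reallocation hazard behind CVE-2020-11124, as an added illustration that is not the diag driver's code: a client table that grows when its current capacity is exceeded, a caller that caches a pointer into the table across a registration that triggers growth, and the index-based lookup that avoids the stale pointer. Two fixed arenas stand in for the allocator, and the old block is poisoned on "reallocation" the way a debugging allocator would after free(), so the stale read is visible without undefined behaviour. The struct names, limits and poison value are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define INITIAL_CAP 2u
#define MAX_CAP     8u
#define POISON      0xDDu   /* pattern written over a "freed" block */

struct client { int pid; uint32_t mask; };

/* Two fixed arenas model the allocator so the demo stays in memory we own:
 * growing the table moves it to the other arena and poisons the old one. */
struct client_table {
    struct client  arena[2][MAX_CAP];
    int            live;     /* which arena currently backs `slots` */
    struct client *slots;
    size_t         count, cap;
};

void table_init(struct client_table *t)
{
    memset(t, 0, sizeof *t);
    t->live  = 0;
    t->slots = t->arena[0];
    t->cap   = INITIAL_CAP;
}

/* "Reallocate": copy the live entries to the other arena, poison the old block. */
static bool table_grow(struct client_table *t)
{
    if (t->cap * 2 > MAX_CAP) return false;
    int next = 1 - t->live;
    memcpy(t->arena[next], t->slots, t->count * sizeof *t->slots);
    memset(t->slots, POISON, t->cap * sizeof *t->slots);   /* old block is gone */
    t->live  = next;
    t->slots = t->arena[next];
    t->cap  *= 2;
    return true;
}

/* Register a client; grows the table when the current limit is exceeded.
 * Returns the client's index, or -1 if the table is full. */
int table_add(struct client_table *t, int pid, uint32_t mask)
{
    if (t->count == t->cap && !table_grow(t)) return -1;
    t->slots[t->count] = (struct client){ pid, mask };
    return (int)t->count++;
}

/* Vulnerable pattern: a raw pointer into the table is held across a call that
 * can reallocate it. After table_add() grows the table, `c` points into the
 * freed block and the read returns the poison pattern, not client 100's mask. */
uint32_t demo_stale_pointer(void)
{
    struct client_table t;
    table_init(&t);
    table_add(&t, 100, 0x1);
    table_add(&t, 101, 0x2);
    struct client *c = &t.slots[0];   /* cached pointer into the table */
    table_add(&t, 102, 0x4);          /* count == cap: table is reallocated */
    return c->mask;                   /* use-after-free: reads POISON */
}

/* Fixed pattern: callers keep an index and re-resolve it against the current
 * table on every access (in a kernel driver this re-lookup and the insert
 * would both run under the table's lock). */
bool table_get(const struct client_table *t, size_t idx, struct client *out)
{
    if (idx >= t->count) return false;
    *out = t->slots[idx];
    return true;
}

uint32_t demo_index_handle(void)
{
    struct client_table t;
    table_init(&t);
    int idx = table_add(&t, 100, 0x1);
    table_add(&t, 101, 0x2);
    table_add(&t, 102, 0x4);          /* reallocation happens here too */
    struct client c;
    return table_get(&t, (size_t)idx, &c) ? c.mask : 0;
}
```

The same hazard exists for any pointer taken into a growable array or list node that another path may free: the pointer's lifetime is bounded by the next reallocation, not by the lifetime of the entry it appears to name.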
CVE-2020-3656
CVE ID | CVE-2020-3656 |
Title | Buffer Copy Without Checking Size of Input in Hardware Engines |
Description | Out-of-bounds access can happen in MHI command processing due to a missing check of the command channel ID value received from MHI devices |
Technology Area | HWEngines |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 06/01/2020 |
Affected Chipsets* | APQ8009, Kamorta, MDM9607, MSM8917, MSM8953, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, SA8155P, Saipan, SC8180X, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM710, SDM845, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130 |
Patch* |
CVE-2020-3674
CVE ID | CVE-2020-3674 |
Title | Information Exposure in DSP Services |
Description | Information can leak into user space due to improper transfer of data from the kernel to user space |
Technology Area | DSP Service |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/07/2019 |
Customer Notified Date | 03/02/2020 |
Affected Chipsets* | Nicobar, QCS405, Saipan, SC8180X, SDX55, SM8150, SM8250, SXR2130 |
Patch* |
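What an "improper transfer of data from kernel to user space" of the CVE-2020-3674 kind commonly looks like, as an added illustration that is not the DSP driver's code: a response struct whose padding bytes are never written, so copying the whole struct out to user space carries whatever the allocation previously held. `copy_to_user_stub` stands in for copy_to_user(), the STALE fill stands in for a previous user's data left in a recycled allocation, and the struct layout is invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed response struct. With natural alignment there are 7 padding
 * bytes after `status` and 6 after `count` (24 bytes total on LP64 ABIs). */
struct dsp_resp {
    uint8_t  status;
    uint64_t handle;
    uint16_t count;
};

#define STALE 0xA5u   /* stands in for a previous user's data in the allocation */

/* Stand-in for copy_to_user(): copies the object byte for byte, padding included. */
static void copy_to_user_stub(uint8_t *user, const void *kern, size_t n)
{
    memcpy(user, kern, n);
}

/* Builds the response in a "recycled" kernel allocation and copies it out.
 * zero_first selects the fixed behaviour. Returns how many copied bytes still
 * hold the STALE pattern, i.e. how many bytes of old kernel memory reached user space. */
static size_t build_and_copy(bool zero_first)
{
    uint8_t *kbuf = malloc(sizeof(struct dsp_resp));
    if (!kbuf) return (size_t)-1;
    memset(kbuf, STALE, sizeof(struct dsp_resp));   /* what the allocation held before */
    struct dsp_resp *r = (struct dsp_resp *)kbuf;

    if (zero_first)
        memset(r, 0, sizeof *r);   /* the fix: clears the padding, not just the fields */

    /* Member stores are not required to touch padding (C11 6.2.6.1), and in
     * practice do not; nor does a `= {0}` initializer guarantee it. Only an
     * explicit memset of the whole object does. */
    r->status = 0;
    r->handle = 0x1122334455667788ULL;
    r->count  = 3;

    uint8_t user[sizeof *r];
    copy_to_user_stub(user, r, sizeof *r);

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof *r; i++)
        leaked += (user[i] == STALE);
    free(kbuf);
    return leaked;
}

/* Vulnerable: fields set one by one, padding copied out as-is. */
size_t leaked_bytes_vulnerable(void) { return build_and_copy(false); }

/* Fixed: whole object zeroed before the fields are filled in. */
size_t leaked_bytes_fixed(void) { return build_and_copy(true); }

/* Bytes of the struct that are padding rather than fields; the vulnerable path
 * leaks exactly this many. */
size_t padding_bytes(void)
{
    return sizeof(struct dsp_resp) - (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint16_t));
}
```

The check a reviewer applies to any copy_to_user() of a struct is the one this example makes concrete: either the object was zeroed in full before its fields were set, or the copy is limited to the fields that were written.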
* Data is generated only at the time of bulletin creation.
Industry Coordination
Security ratings of issues included in Android security bulletins and in these bulletins match in most cases but may differ for one of the following reasons:
- Consideration of security protections, such as SELinux, that are not enforced on some platforms
- Differences in the assessment of specific scenarios involving local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version | Date | Comments |
1.0 | September 8, 2020 | Bulletin Published |
All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.