A bunch of CVEs has just been published for the software vendor Qualcomm

For this exploit of the day, today (2019-07-29) our system picked up a bunch of Qualcomm vulnerabilities:

* Medium CVE-2019-2263: Qualcomm Mdm9650 firmware
* Medium CVE-2019-2272: Qualcomm Sd 205 firmware
* High CVE-2019-2273: Qualcomm Sd 212 firmware
* High CVE-2019-2276: Qualcomm Qca9379 firmware
* Medium CVE-2019-2281: Qualcomm Sd 675 firmware
* Medium CVE-2019-2290: Qualcomm Msm8996au firmware
* Medium CVE-2019-2298: Qualcomm Msm8909w firmware
* Medium CVE-2019-2299: Qualcomm Mdm9607 firmware
* Medium CVE-2019-2301: Qualcomm Qcs605 firmware
* Medium CVE-2019-2305: Qualcomm Msm8996au firmware
* Medium CVE-2019-2306: Qualcomm Sdm630 firmware

Qualcomm is an American-based smart device and IoT (Internet of Things) manufacturer, mostly famous for producing the widely used Snapdragon system on a chip, which comes with a graphics processing unit (GPU), a global positioning system (GPS) receiver and a cellular modem integrated directly into the chip.

Affecting:

* Snapdragon Wearable
* Snapdragon Auto
* Snapdragon Compute
* Snapdragon Consumer IoT
* Snapdragon Industrial IoT
* Snapdragon IoT
* Snapdragon Mobile
* Snapdragon Voice & Music
* An unspecified number of Snapdragon system-on-chip firmware versions

CVE-2019-2254

An interesting one recently published is CVE-2019-2254, which was classified by Qualcomm as a critical vulnerability.

The CVE is described by Mitre as:

Position determination accuracy may be degraded due to wrongly decoded information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearable in MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130

Information published by Qualcomm:

Title: Use of Out-of-range Pointer Offset in GPS

Description: Position determination accuracy may be degraded due to wrongly decoded information

Technology Area: GPS

Vulnerability Type: CWE-823 Use of Out-of-range Pointer Offset

Access Vector: Remote

Security Rating: Critical

Customer Notified Date: 1/7/2019

We have reached out to Qualcomm regarding a more in-depth explanation of this vulnerability, but we have not received any response.

Summary of CVE-2019-2254:

A vulnerability has been found in the GPS position decoding function that can allow a malicious third party to read and write data that the program uses. If this is successfully exploited, it will lead to a remote code execution.

Speculations:

Since several Qualcomm-manufactured chipsets come with a GPS built in, it may affect third parties running vulnerable versions of Snapdragon firmware. This would include phones and other smart devices.

Another interesting one is High CVE-2019-2273: Qualcomm Sd 212 firmware.

This is also a pretty interesting one, and it is mostly due to not validating the size of the data that gets stored into memory.

Information from Qualcomm:

Title: Buffer Over-read Issue in Video Driver

Description: IOMMU page fault playing h265 video file leads to denial of service issue

Technology Area: Video

Vulnerability Type: CWE-126 Buffer Over-read

Access Vector: Remote

Security Rating: High

Customer Notified Date: 4/1/2019

Example of vulnerable code related to this type of weakness (CWE-126), published by Mitre:

```c
int processMessageFromSocket(int socket) {
    int success;
    char buffer[BUFFER_SIZE];
    char message[MESSAGE_SIZE];

    // get message from socket and store into buffer
    // Ignoring possibility that buffer > BUFFER_SIZE
    if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {
        // place contents of the buffer into message structure
        ExMessage *msg = recastBuffer(buffer);

        // copy message body into string for processing
        // msgLength comes from the message itself and is never checked against
        // MESSAGE_SIZE, so this loop can read past msgBody and write past message
        int index;
        for (index = 0; index < msg->msgLength; index++) {
            message[index] = msg->msgBody[index];
        }
        message[index] = '\0';

        // process message
        success = processMessage(message);
    }
    return success;
}
```

This code snippet demonstrates a simple program in which the author does not validate the size of the incoming message before copying it into a fixed-size buffer, so the program can read and write beyond the memory it set aside for the message, which is never good.
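As an added example (not code from Mitre or Qualcomm), below is a hardened version of the copy step from the snippet above: the length field is checked both against the bytes that actually arrived and against the destination size before anything is copied. The wire format (a 4-byte length followed by the body), the MESSAGE_SIZE value and the helper names are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MESSAGE_SIZE 16  /* hypothetical destination size, kept small for the demo */
#define HDR_LEN sizeof(uint32_t)

/* Hardened replacement for the page's copy loop. Constructed stand-in for
 * ExMessage: a 4-byte msgLength followed by the body bytes. 'received' is how
 * many bytes really arrived. Returns body length, or -1 if rejected. */
int copy_message_checked(const char *buffer, size_t received,
                         char *message, size_t message_size)
{
    uint32_t len;
    if (received < HDR_LEN)            /* header itself is incomplete */
        return -1;
    memcpy(&len, buffer, HDR_LEN);     /* read the field without an aligned cast */
    if (len > received - HDR_LEN)      /* claims more than arrived: would over-read */
        return -1;
    if (len >= message_size)           /* no room for body plus NUL: would over-write */
        return -1;
    memcpy(message, buffer + HDR_LEN, len);
    message[len] = '\0';
    return (int)len;
}

/* Constructed test message: header carrying 'claimed', then body_len real bytes. */
size_t build_message(char *out, size_t out_size, uint32_t claimed,
                     const char *body, size_t body_len)
{
    if (out_size < HDR_LEN + body_len)
        return 0;
    memcpy(out, &claimed, HDR_LEN);
    memcpy(out + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

/* Runs one message through the checked copy and returns its verdict. */
int run_scenario(uint32_t claimed, const char *body, size_t body_len)
{
    char wire[64], message[MESSAGE_SIZE];
    size_t n = build_message(wire, sizeof wire, claimed, body, body_len);
    return copy_message_checked(wire, n, message, sizeof message);
}

int main(void)
{
    printf("honest:       %d\n", run_scenario(5, "hello", 5));                   /* 5 */
    printf("lying length: %d\n", run_scenario(1000, "hello", 5));                /* -1 */
    printf("too big:      %d\n", run_scenario(20, "01234567890123456789", 20));  /* -1 */
    return 0;
}
```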

Link to sources:

* Wikipedia: Qualcomm Snapdragon
* Qualcomm's security bulletin
* Firo: Medium CVE-2019-2263: Qualcomm Mdm9650 firmware
* Firo: Medium CVE-2019-2272: Qualcomm Sd 205 firmware
* Firo: High CVE-2019-2273: Qualcomm Sd 212 firmware
* Firo: High CVE-2019-2276: Qualcomm Qca9379 firmware
* Firo: Medium CVE-2019-2281: Qualcomm Sd 675 firmware
* Firo: Medium CVE-2019-2290: Qualcomm Msm8996au firmware
