Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and are linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2018-11955, CVE-2019-2279, CVE-2019-2287 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
CVE-2019-2277 | Hao Chen(@flankersky) and Guang Gong(@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2018-11955 | High | WLAN HOST | 5/3/2018 |
CVE-2019-2260 | High | Kernel | Internal |
CVE-2019-2264 | Medium | Qualcomm IPC | Internal |
CVE-2019-2269 | Critical | WLAN HOST | Internal |
CVE-2019-2277 | Medium | WLAN HOST | 10/31/2018 |
CVE-2019-2279 | Critical | Video | 10/10/2018 |
CVE-2019-2287 | Critical | Video | 10/10/2018 |
CVE-2019-2292 | High | WLAN HOST | Internal |
CVE-2018-11955
CVE ID | CVE-2018-11955 |
Title | Buffer Over-read in WLAN |
Description | Lack of a check on the length of the reason-code fetched from the payload may lead the driver to access memory not allocated to the frame, resulting in an OOB read |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Remote |
Security Rating | High |
Date Reported | 5/3/2018 |
Customer Notified Date | 8/6/2018 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-2260
CVE ID | CVE-2019-2260 |
Title | Use After Free Vulnerability in Core |
Description | A race condition while processing a perf-event can lead to a use after free condition |
Technology Area | Kernel |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 12/3/2018 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016, SXR1130 |
Patch |
CVE-2019-2264
CVE ID | CVE-2019-2264 |
Title | Use After Free Issue in Kernel |
Description | Null pointer dereference occurs for channel context while opening glink channel |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | Internal |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MDM9607, MDM9640, MSM8909W, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SDM439, SDM630, SDM660, SDX24 |
Patch |
CVE-2019-2269
CVE ID | CVE-2019-2269 |
Title | Stack-based Buffer Overflow in WLAN |
Description | Possible buffer overflow while processing the high level lim process action frame due to improper buffer length validation |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MDM9150, MDM9650, MSM8996AU, QCS405, QCS605, SD 625, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24, SXR1130 |
Patch |
CVE-2019-2277
CVE ID | CVE-2019-2277 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | OOB read due to lack of NULL termination on user controlled data in WLAN |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 10/31/2018 |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MSM8996AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX24 |
Patch |
CVE-2019-2279
CVE ID | CVE-2019-2279 |
Title | Use of Out-of-Range pointer Offset in Video Firmware |
Description | Shared memory gets updated with invalid data and may lead to access beyond the allocated memory. |
Technology Area | Video |
Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 10/10/2018 |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016 |
Patch |
CVE-2019-2287
CVE ID | CVE-2019-2287 |
Title | Use of Out-of-range Pointer Offset in Video |
Description | Improper input validation for inputs received from firmware can lead to an out of bound write issue in video driver. |
Technology Area | Video |
Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
Access Vector | Remote |
Security Rating | Critical |
Date Reported | 10/10/2018 |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-2292
CVE ID | CVE-2019-2292 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | OOB access can occur due to buffer copy without checking size of input received from WLAN FW |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 3/4/2019 |
Affected Chipsets | MDM9150, MDM9650, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 665, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
Version | Date | Comments |
1.0 | June 3, 2019 | Bulletin Published |