Version 1.0
This document describes security vulnerabilities that were addressed through software changes. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using version 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2019-10497 | Daxing Guo of Tencent Security Xuanwu Lab |
CVE-2019-10501, CVE-2019-10508, CVE-2019-10538 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin. |
CVE-2019-10507 | Jianqiang Zhao (jianqiangzhao) |
CVE-2019-2284 | Pengfei Ding (丁鹏飞) of Huawei Mobile Security Lab |
CVE-2019-2333 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
CVE-2019-2341 | Xiaodong Wang (wisedd@gmail.com) and Mingjian Zhou (https://twitter.com/Mingjian_Zhou) of C0RE Team (http://c0reteam.org) |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2019-10492 | Critical | HLOS | Internal |
CVE-2019-10497 | Medium | Audio | 01/08/2019 |
CVE-2019-10499 | High | Qualcomm IPC | Internal |
CVE-2019-10501 | Medium | Audio | 02/02/2019 |
CVE-2019-10506 | Medium | WLAN HOST | Internal |
CVE-2019-10507 | Medium | WLAN HOST | 01/17/2018 |
CVE-2019-10508 | Medium | WLAN HOST | 07/19/2018 |
CVE-2019-10509 | High | Bluetooth HOST | Internal |
CVE-2019-10510 | High | Bluetooth HOST | Internal |
CVE-2019-10538 | High | WLAN HOST | 05/07/2019 |
CVE-2019-2284 | Medium | Multimedia | 11/27/2018 |
CVE-2019-2333 | Medium | Data Network Stack & Connectivity | 12/22/2018 |
CVE-2019-2341 | Medium | Audio | 01/28/2019 |
CVE-2019-10492
CVE ID | CVE-2019-10492 |
Title | Cryptographic Issues in HLOS |
Description | The boot image is not verified by AVB |
Technology Area | HLOS |
Vulnerability Type | CWE-310 Cryptographic Issues |
Access Vector | Local |
Security Rating | Critical |
Date Reported | Internal |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 820, SD 820A, SDM439 |
Patch |
CVE-2019-10497
CVE ID | CVE-2019-10497 |
Title | Use After Free Issue in Audio |
Description | A use after free issue occurs if another instance of open for the voice_svc node is called from an application without closing the previous one. |
Technology Area | Audio |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 01/08/2019 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-10499
CVE ID | CVE-2019-10499 |
Title | Improper Input Validation in QuRT Kernel |
Description | Improper validation of the read and write indexes of the tx and rx FIFOs before they are used to copy data from the FIFO can lead to out-of-bounds access. |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-129 Improper Validation of Array Index |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 06/03/2019 |
Affected Chipsets | IPQ4019, IPQ8064, IPQ8074, QCS405, SD 665, SD 675, SD 730, SD 855 |
Patch |
CVE-2019-10501
CVE ID | CVE-2019-10501 |
Title | Use After Free Issue in Audio |
Description | Possible use after free issue due to improper input validation in the volume listener library |
Technology Area | Audio |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 02/02/2019 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-10506
CVE ID | CVE-2019-10506 |
Title | Improper Input Validation in WLAN |
Description | While processing the QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY vendor command, the driver does not validate the data obtained from user space, which could be invalid and thus lead to undesired behaviour |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | Internal |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9206, MDM9607, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24 |
Patch |
CVE-2019-10507
CVE ID | CVE-2019-10507 |
Title | Buffer Over-read in WLAN |
Description | Lack of a check on extscan change results received from firmware can lead to an out-of-bounds buffer read |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-126 Buffer Over-read |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 01/17/2018 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-10508
CVE ID | CVE-2019-10508 |
Title | Buffer Copy Without Checking Size of Input in WLAN |
Description | Lack of input validation for data received from user space can lead to OOB access in WLAN |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 07/19/2018 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820A, SDX20 |
Patch |
CVE-2019-10509
CVE ID | CVE-2019-10509 |
Title | Memory Corruption in Bluetooth |
Description | The device record of the pairing device is used after free during ACL disconnection |
Technology Area | Bluetooth HOST |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016 |
Patch |
CVE-2019-10510
CVE ID | CVE-2019-10510 |
Title | Null Pointer Dereference in Bluetooth |
Description | The BT process dies and BT is toggled due to a null pointer dereference when an invalid vendor pass-through command is sent from a remote device |
Technology Area | Bluetooth HOST |
Vulnerability Type | CWE-476 NULL Pointer Dereference |
Access Vector | Remote |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660 |
Patch |
CVE-2019-10538
CVE ID | CVE-2019-10538 |
Title | Improper Input Validation Issue in WLAN HOST |
Description | Lack of a check on the address range received in a firmware response allows the modem to respond arbitrary pages into its address range, which can lead to a compromise of HLOS |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | High |
Date Reported | 05/07/2019 |
Customer Notified Date | 06/03/2019 |
Affected Chipsets | MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-2284
CVE ID | CVE-2019-2284 |
Title | Use After Free in Camera |
Description | Possible use-after-free issue due to a race condition while calling camera ioctl concurrently |
Technology Area | Multimedia |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 11/27/2018 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MSM8909W, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24 |
Patch |
CVE-2019-2333
CVE ID | CVE-2019-2333 |
Title | Buffer Copy Without Checking Size of Input in IPA driver |
Description | Buffer overflow due to improper validation of the buffer size while the IPA driver processes a read operation |
Technology Area | Data Network Stack & Connectivity |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 12/22/2018 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
Patch |
CVE-2019-2341
CVE ID | CVE-2019-2341 |
Title | Buffer Copy Without Checking Size of Input in Audio |
Description | Buffer overflow when the audio buffer size provided by the user is larger than the maximum allowable audio buffer size. |
Technology Area | Audio |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 01/28/2019 |
Customer Notified Date | 05/06/2019 |
Affected Chipsets | MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24 |
Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases for one of the following reasons:
- Consideration of security protections, such as SELinux, not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high-level OS kernel
Version History
Version | Date | Comments |
1.0 | August 5, 2019 | Bulletin Published |