Security Bulletin

August 2019 Code Aurora Security Bulletin

August 5, 2019

Version 1.0

This document describes security vulnerabilities that were addressed through software changes. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2019-10497 Daxing Guo of Tencent Security Xuanwu Lab
CVE-2019-10501, CVE-2019-10508, CVE-2019-10538 Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. For issues rated medium or lower, the individual credit information may appear in a future Android major release bulletin.
CVE-2019-10507 Jianqiang Zhao (jianqiangzhao)
CVE-2019-2284 Pengfei Ding (丁鹏飞) of Huawei Mobile Security Lab
CVE-2019-2333 Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
CVE-2019-2341 Xiaodong Wang (wisedd@gmail.com) and Mingjian Zhou (https://twitter.com/Mingjian_Zhou) of C0RE Team (http://c0reteam.org)

Table of vulnerabilities

| Public ID | Security Rating | Technology Area | Date Reported |
|---|---|---|---|
| CVE-2019-10492 | Critical | HLOS | Internal |
| CVE-2019-10497 | Medium | Audio | 01/08/2019 |
| CVE-2019-10499 | High | Qualcomm IPC | Internal |
| CVE-2019-10501 | Medium | Audio | 02/02/2019 |
| CVE-2019-10506 | Medium | WLAN HOST | Internal |
| CVE-2019-10507 | Medium | WLAN HOST | 01/17/2018 |
| CVE-2019-10508 | Medium | WLAN HOST | 07/19/2018 |
| CVE-2019-10509 | High | Bluetooth HOST | Internal |
| CVE-2019-10510 | High | Bluetooth HOST | Internal |
| CVE-2019-10538 | High | WLAN HOST | 05/07/2019 |
| CVE-2019-2284 | Medium | Multimedia | 11/27/2018 |
| CVE-2019-2333 | Medium | Data Network Stack & Connectivity | 12/22/2018 |
| CVE-2019-2341 | Medium | Audio | 01/28/2019 |

CVE-2019-10492

CVE ID CVE-2019-10492
Title Cryptographic Issues in HLOS
Description Boot image not getting verified by AVB
Technology Area HLOS
Vulnerability Type CWE-310 Cryptographic Issues
Access Vector Local
Security Rating Critical
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 820, SD 820A, SDM439
Patch

CVE-2019-10497

CVE ID CVE-2019-10497
Title Use After Free Issue in Audio
Description Use after free issue occurs if another instance of open for the voice_svc node has been called from the application without closing the previous one.
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 01/08/2019
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-10499

CVE ID CVE-2019-10499
Title Improper Input Validation in QuRT Kernel
Description Improper validation of the read and write indices of the TX and RX FIFOs before they are used for data copy from the FIFO can lead to out-of-bounds access.
Technology Area Qualcomm IPC
Vulnerability Type CWE-129 Improper Validation of Array Index
Access Vector Local
Security Rating High
Date Reported Internal
Customer Notified Date 06/03/2019
Affected Chipsets IPQ4019, IPQ8064, IPQ8074, QCS405, SD 665, SD 675, SD 730, SD 855
Patch

CVE-2019-10501

CVE ID CVE-2019-10501
Title Use After Free Issue in Audio
Description Possible use after free issue due to improper input validation in volume listener library
Technology Area Audio
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 02/02/2019
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-10506

CVE ID CVE-2019-10506
Title Improper Input Validation in WLAN
Description While processing the QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY vendor command, the driver does not validate the data obtained from user space, which could be invalid and thus lead to undesired behaviour
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating Medium
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets MDM9206, MDM9607, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX24
Patch

CVE-2019-10507

CVE ID CVE-2019-10507
Title Buffer Over-read in WLAN
Description Lack of check of extscan change results received from firmware can lead to an out of buffer read
Technology Area WLAN HOST
Vulnerability Type CWE-126 Buffer Over-read
Access Vector Local
Security Rating Medium
Date Reported 01/17/2018
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS605, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-10508

CVE ID CVE-2019-10508
Title Buffer Copy Without Checking Size of Input in WLAN
Description Lack of input validation for data received from user space can lead to OOB access in WLAN
Technology Area WLAN HOST
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 07/19/2018
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820A, SDX20
Patch

CVE-2019-10509

CVE ID CVE-2019-10509
Title Memory Corruption in Bluetooth
Description Device record of the pairing device used after free during ACL disconnection
Technology Area Bluetooth HOST
Vulnerability Type CWE-416 Use After Free
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016
Patch

CVE-2019-10510

CVE ID CVE-2019-10510
Title Null Pointer Dereference in Bluetooth
Description BT process died and BT toggled due to a null pointer dereference when an invalid vendor pass-through command is sent from remote
Technology Area Bluetooth HOST
Vulnerability Type CWE-476 NULL Pointer Dereference
Access Vector Remote
Security Rating High
Date Reported Internal
Customer Notified Date 05/06/2019
Affected Chipsets QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660
Patch

CVE-2019-10538

CVE ID CVE-2019-10538
Title Improper Input Validation Issue in WLAN HOST
Description Lack of check of address range received from firmware response allows modem to respond arbitrary pages into its address range which can lead to a compromise of HLOS
Technology Area WLAN HOST
Vulnerability Type CWE-20 Improper Input Validation
Access Vector Local
Security Rating High
Date Reported 05/07/2019
Customer Notified Date 06/03/2019
Affected Chipsets MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM660, SDX20, SDX24
Patch

CVE-2019-2284

CVE ID CVE-2019-2284
Title Use After Free in Camera
Description Possible use-after-free issue due to a race condition while calling camera ioctl concurrently
Technology Area Multimedia
Vulnerability Type CWE-416 Use After Free
Access Vector Local
Security Rating Medium
Date Reported 11/27/2018
Customer Notified Date 05/06/2019
Affected Chipsets MSM8909W, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 845 / SD 850, SD 855, SDM439, SDX24
Patch

CVE-2019-2333

CVE ID CVE-2019-2333
Title Buffer Copy Without Checking Size of Input in IPA driver
Description Buffer overflow due to improper validation of buffer size while the IPA driver is processing a read operation
Technology Area Data Network Stack & Connectivity
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 12/22/2018
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

CVE-2019-2341

CVE ID CVE-2019-2341
Title Buffer Copy Without Checking Size of Input in Audio
Description Buffer overflow when the audio buffer size provided by user is larger than the maximum allowable audio buffer size.
Technology Area Audio
Vulnerability Type CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector Local
Security Rating Medium
Date Reported 01/28/2019
Customer Notified Date 05/06/2019
Affected Chipsets MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24
Patch

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

  • Consideration of security protections such as SELinux not enforced on some platforms

  • Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

| Version | Date | Comments |
|---|---|---|
| 1.0 | August 5, 2019 | Bulletin Published |