SB2021010426 - Multiple vulnerabilities in Qualcomm chipsets



SB2021010426 - Multiple vulnerabilities in Qualcomm chipsets

Published: January 4, 2021 Updated: February 6, 2023

Security Bulletin ID SB2021010426
CSH Severity
High
Patch available
YES
Number of vulnerabilities 24
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 21% Medium 13% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 24 vulnerabilities.


1) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2020-11256)

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to a boundary error in WIN TZ FW, when processing a pointer to buffer in trustzone. A local user can run a specially crafted program to trigger an out-of-bound pointer offset and execute arbitrary code on the system with elevated privileges.


2) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2020-11257)

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to a boundary error in WIN TZ FW, when processing a pointer to buffer in trustzone BSP. A local user can run a specially crafted program to trigger an out-of-bound pointer offset and execute arbitrary code on the system with elevated privileges.

3) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2020-11258)

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to a boundary error in WIN TZ FW, when processing a pointer to buffer in trustzone BSP. A local user can run a specially crafted program to trigger an out-of-bound pointer offset and execute arbitrary code on the system with elevated privileges.

4) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2020-11259)

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to a boundary error in WIN TZ FW, when processing a pointer to buffer in trustzone BSP. A local user can run a specially crafted program to trigger an out-of-bound pointer offset and execute arbitrary code on the system with elevated privileges.

5) Use-after-free (CVE-ID: CVE-2020-11239)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error when importing a DMA buffer by using the CPU address of the buffer within the Graphics component. A local user can run a specially crafted program to trigger a use-after-free error and execute arbitrary code with elevated privileges.


6) Improper Input Validation (CVE-ID: CVE-2020-11261)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.


7) Buffer over-read (CVE-ID: CVE-2020-11161)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Graphics. A local application can read and manipulate data.


8) Use After Free (CVE-ID: CVE-2020-11250)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in DSP Services. A local application can execute arbitrary code.


9) Integer overflow (CVE-ID: CVE-2020-11160)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Diag Services. A local privileged application can execute arbitrary code.


10) Improper Validation of Array Index (CVE-ID: CVE-2020-11134)

CWE-ID: CWE-129 - Improper Validation of Array Index

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the affected device.

The vulnerability exists due to a boundary error within the WLAN Firmware when validating time bitmap length and bit duration fields of the attributes like NAN ranging setup attribute inside a NAN management frame. A remote attacker can send specially crafted traffic to the device, trigger an out-of-bounds write and execute arbitrary code on the system.


11) Heap-based buffer overflow (CVE-ID: CVE-2020-11182)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when parsing the NAL header. A remote attacker can pass an overly long header to the system, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


12) Buffer over-read (CVE-ID: CVE-2020-11126)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN. A remote attacker can perform a denial of service (DoS) attack.


13) Input validation error (CVE-ID: CVE-2020-11165)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


14) Buffer over-read (CVE-ID: CVE-2020-11159)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to read and manipulate data.

The vulnerability exists due to improper input validation in WLAN. A remote attacker can read and manipulate data.


15) Input validation error (CVE-ID: CVE-2020-11178)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


16) Integer overflow (CVE-ID: CVE-2020-11235)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN. A local application can execute arbitrary code.


17) Buffer over-read (CVE-ID: CVE-2020-11238)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN. A remote attacker can perform a denial of service (DoS) attack.


18) Buffer over-read (CVE-ID: CVE-2020-11241)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in WLAN. A remote attacker can perform a denial of service (DoS) attack.


19) Use of Uninitialized Variable (CVE-ID: CVE-2020-11260)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in DIAG. A local application can execute arbitrary code.


20) Buffer over-read (CVE-ID: CVE-2020-11265)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Trustzone. A local application can read and manipulate data.


21) Buffer over-read (CVE-ID: CVE-2020-11266)

CWE-ID: CWE-126 - Buffer over-read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Trustzone. A local application can read and manipulate data.


22) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2020-11233)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation in Boot. A local application can gain access to sensitive information.


23) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2020-11240)

CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Camera. A local application can execute arbitrary code.


24) Use After Free (CVE-ID: CVE-2020-11262)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.


Remediation

Install update from vendor's website.