SB2022120647 - Multiple vulnerabilities in Qualcomm chipsets
Published: December 6, 2022 Updated: May 4, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 20 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2022-22063)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Core component caused by improper configuration in boot remapper. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
2) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2022-25682)
CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the User Identity Module when decoding command from card. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.3) Improper Validation of Array Index (CVE-ID: CVE-2022-25695)
CWE-ID: CWE-129 - Improper Validation of Array Index
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the User Identity Module when processing GSTK Proactive commands. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.4) Error Handling (CVE-ID: CVE-2022-25685)
CWE-ID: CWE-388 - Error Handling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the Multi-Mode Call Processor. A remote attacker can send specially crafted traffic to the device and perform a denial of service (DoS) attack.
5) Use-after-free (CVE-ID: CVE-2022-25677)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system
The vulnerability exists due to a use-after-free error within the DIAG component when processing dci packets. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.
6) Improper Validation of Array Index (CVE-ID: CVE-2022-25711)
CWE-ID: CWE-129 - Improper Validation of Array Index
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Camera driver. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.7) Buffer overflow (CVE-ID: CVE-2022-25712)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Camera driver. A local application can trigger memory corruption and execute arbitrary code on the device.
8) Reachable Assertion (CVE-ID: CVE-2022-25672)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing SIB1 with invalid Bandwidth. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.
9) Reachable Assertion (CVE-ID: CVE-2022-25673)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing configuration from network. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.10) Buffer overflow (CVE-ID: CVE-2022-25681)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within kernel caused by the hypervisor not correctly invalidating the processor translation caches. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
11) Reachable Assertion (CVE-ID: CVE-2022-25689)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.12) Reachable Assertion (CVE-ID: CVE-2022-25691)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing SIB1 with invalid SCS and bandwidth settings. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.13) Reachable Assertion (CVE-ID: CVE-2022-25692)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing common config procedure. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.
14) Buffer overflow (CVE-ID: CVE-2022-25697)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in i2c buses when reading address configuration from i2c driver. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
15) Buffer overflow (CVE-ID: CVE-2022-25698)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local application to escalate privileges on the system.
16) Reachable Assertion (CVE-ID: CVE-2022-25702)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing reconfiguration message. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.17) Out-of-bounds read (CVE-ID: CVE-2022-33235)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the WLAN firmware when parsing security context info attributes. A remote attacker can send specially crafted traffic to the device, trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
18) Infinite loop (CVE-ID: CVE-2022-33238)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the WLAN Firmware when processing an incoming FTM frames. A remote attacker can send specially crafted traffic to the device, consume all available system resources and cause denial of service conditions.
19) Reachable Assertion (CVE-ID: CVE-2022-25675)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the Modem component when processing filter rule from application client. A remote attacker can send specially crafted data to the device and perform a denial of service (DoS) attack.20) Out-of-bounds read (CVE-ID: CVE-2022-33268)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the Bluetooth HOST when pairing and connecting A2DP. An attacker with [physical proximity to device can trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2022-bulletin.html
- https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/ad5480621a21951e49def16510ffb028bd0d6095
- https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/2686c0a4020df1cd12adbb1b54e2f0acdf11c625
- https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel/-/commit/a5cb1135d3b5cffa59dd35610ede066e0c0ad9e9
- https://git.codelinaro.org/clo/la/kernel/msm-4.14/-/commit/c2a6be3561cf99587a4297aea72cf1c955c57713
- https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel/-/commit/e561ca2a21c48d2d452e114c5bf4867cd0599857
- https://git.codelinaro.org/clo/la/platform/vendor/qcom-opensource/system/bt/-/commit/7a09d0a2c093053e3c8f67de07933518d9137e22_x000D_
- https://git.codelinaro.org/clo/la/platform/system/bt/-/commit/aaeb816fdf46471a417e3c80baf95d4bdf723ec7