#VU112428 Improper Validation of Array Index in Qualcomm products - CVE-2020-3632


Vulnerability identifier: #VU112428

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-3632

CWE-ID: CWE-129

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
QSM8350
Mobile applications / Mobile firmware & hardware
SC7180
Mobile applications / Mobile firmware & hardware
SDX55M
Mobile applications / Mobile firmware & hardware
SM6250
Mobile applications / Mobile firmware & hardware
SM6250P
Mobile applications / Mobile firmware & hardware
SM7125
Mobile applications / Mobile firmware & hardware
SM7150P
Mobile applications / Mobile firmware & hardware
SM7250
Mobile applications / Mobile firmware & hardware
SM7250P
Mobile applications / Mobile firmware & hardware
SM8150P
Mobile applications / Mobile firmware & hardware
SM8350
Mobile applications / Mobile firmware & hardware
SM8350P
Mobile applications / Mobile firmware & hardware
SXR2130P
Mobile applications / Mobile firmware & hardware
SDX55
Hardware solutions / Firmware
SM6150
Hardware solutions / Firmware
SM7150
Hardware solutions / Firmware
SM8150
Hardware solutions / Firmware
SM8250
Hardware solutions / Firmware
SXR2130
Hardware solutions / Firmware

Vendor: Qualcomm

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in MHI Ring Validation. A local application can execute arbitrary code.

Mitigation
Install security update from vendor's website.

Vulnerable software versions

QSM8350: All versions

SC7180: All versions

SDX55: All versions

SDX55M: All versions

SM6150: All versions

SM6250: All versions

SM6250P: All versions

SM7125: All versions

SM7150: All versions

SM7150P: All versions

SM7250: All versions

SM7250P: All versions

SM8150: All versions

SM8150P: All versions

SM8250: All versions

SM8350: All versions

SM8350P: All versions

SXR2130: All versions

SXR2130P: All versions

External links
https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2020-security-bulletin.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Qualcomm chipsets