#VU112433 Buffer overflow in Qualcomm products - CVE-2020-11130

Vulnerability identifier: #VU112433

Vulnerability risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-11130

CWE-ID: CWE-120

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
QCM4290
Mobile applications / Mobile firmware & hardware
QCS4290
Mobile applications / Mobile firmware & hardware
QSM8350
Mobile applications / Mobile firmware & hardware
SA6145P
Mobile applications / Mobile firmware & hardware
SA6155
Mobile applications / Mobile firmware & hardware
SA8155
Mobile applications / Mobile firmware & hardware
SA8155P
Mobile applications / Mobile firmware & hardware
SC8180XP
Mobile applications / Mobile firmware & hardware
SDX55M
Mobile applications / Mobile firmware & hardware
SM4250
Mobile applications / Mobile firmware & hardware
SM4250P
Mobile applications / Mobile firmware & hardware
SM6115
Mobile applications / Mobile firmware & hardware
SM6115P
Mobile applications / Mobile firmware & hardware
SM6125
Mobile applications / Mobile firmware & hardware
SM6250
Mobile applications / Mobile firmware & hardware
SM6350
Mobile applications / Mobile firmware & hardware
SM7125
Mobile applications / Mobile firmware & hardware
SM7225
Mobile applications / Mobile firmware & hardware
SM7250
Mobile applications / Mobile firmware & hardware
SM7250P
Mobile applications / Mobile firmware & hardware
SM8150P
Mobile applications / Mobile firmware & hardware
SM8350
Mobile applications / Mobile firmware & hardware
SM8350P
Mobile applications / Mobile firmware & hardware
SXR2130P
Mobile applications / Mobile firmware & hardware
QM215
Hardware solutions / Firmware
SA6155P
Hardware solutions / Firmware
SC8180X
Hardware solutions / Firmware
SDX55
Hardware solutions / Firmware
SM8150
Hardware solutions / Firmware
SM8250
Hardware solutions / Firmware
SXR2130
Hardware solutions / Firmware

Vendor: Qualcomm

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN. A local privileged application can execute arbitrary code.

Mitigation
Install security update from vendor's website.

Vulnerable software versions

QCM4290: All versions

QCS4290: All versions

QM215: All versions

QSM8350: All versions

SA6145P: All versions

SA6155: All versions

SA6155P: All versions

SA8155: All versions

SA8155P: All versions

SC8180X: All versions

SC8180XP: All versions

SDX55: All versions

SDX55M: All versions

SM4250: All versions

SM4250P: All versions

SM6115: All versions

SM6115P: All versions

SM6125: All versions

SM6250: All versions

SM6350: All versions

SM7125: All versions

SM7225: All versions

SM7250: All versions

SM7250P: All versions

SM8150: All versions

SM8150P: All versions

SM8250: All versions

SM8350: All versions

SM8350P: All versions

SXR2130: All versions

SXR2130P: All versions

---

External links
https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2020-security-bulletin.html

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.