Improper access control in Qualcomm Hardware solutions

#VU61864 Improper access control in Qualcomm Hardware solutions

Published: 2022-04-05 | Updated: 2022-04-05

Vulnerability identifier: #VU61864

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-30345

CWE-ID: CWE-284

Exploitation vector: Local

Exploit availability: No

Vendor: Qualcomm

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper SMMU configuration, which results in RPM secure Stream accessing any secure resource. A local application can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

AR8035: All versions

QCA9984: All versions

QCM2290: All versions

QCM4290: All versions

QCS2290: All versions

QCS405: All versions

QCS4290: All versions

SD460: All versions

SD480: All versions

SD662: All versions

SD680: All versions

SM6375: All versions

SW5100: All versions

SW5100P: All versions

WCD9370: All versions

WCD9375: All versions

WCD9385: All versions

WCN3910: All versions

WCN3950: All versions

WCN3980: All versions

WCN3988: All versions

WCN3991: All versions

WCN3998: All versions

WCN3999: All versions

WSA8810: All versions

WSA8815: All versions

WSA8830: All versions

WSA8835: All versions

External links
http://www.qualcomm.com/company/product-security/bulletins/april-2022-bulletin

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Google Android

Multiple vulnerabilities in Qualcomm chipsets