SB2021070507 - Multiple vulnerabilities in Qualcomm chipsets

Published: July 5, 2021 Updated: May 9, 2025

Security Bulletin ID SB2021070507
Severity
High
Patch available
YES
Number of vulnerabilities 23
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 9% Medium 43% Low 48%

Description

This security bulletin contains information about 23 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2021-1965)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to lack of parameter length check during MBSSID scan IE parse in WLAN Host Communication. A remote attacker can send specially crafted traffic to the device, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Out-of-bounds read (CVE-ID: CVE-2021-1899)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition caused by a missing length check while flashing meta images in the Boot subsystem. An attacker with physical access to the device can perform a denial of service attack.

3) Out-of-bounds read (CVE-ID: CVE-2021-1898)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition caused by an incorrect overflow check when loading the splash image in the Boot subsystem. An attacker with physical access to the device can perform a denial of service attack.

4) Reachable Assertion (CVE-ID: CVE-2021-1907)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion caused by lack of length check in BA request in WLAN HOST. A remote attacker can send specially crafted traffic to the device and perform a denial of service attack.


5) Buffer overflow (CVE-ID: CVE-2021-1890)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error caused by an improper length check of the public exponent in the RSA import key function in HLOS. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


6) Buffer overflow (CVE-ID: CVE-2021-1889)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error in Trusted Application component in HLOS. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.


7) Double Free (CVE-ID: CVE-2021-1888)

The vulnerability allows a malicious application to execute arbitrary code on the target system.

The vulnerability exists due to a double free error within the Trusted Application implementation in HLOS. A malicious application can pass specially crafted data to the system, trigger the double free and execute arbitrary code with elevated privileges.



8) Untrusted Pointer Dereference (CVE-ID: CVE-2021-1886)

The vulnerability allows a malicious application to escalate privileges on the system.

The vulnerability exists due to an untrusted pointer dereference within the Key Management component in HLOS. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.


9) Integer overflow (CVE-ID: CVE-2020-11307)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in Data HLOS component. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


10) Insecure configuration (CVE-ID: CVE-2021-1896)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to weak configuration in WLAN, which can cause forwarding of unencrypted packets from one client to another. A remote attacker on the local network can intercept traffic and gain access to sensitive information.


11) Out-of-bounds read (CVE-ID: CVE-2021-1901)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition caused by a missing length check while flashing meta images in the Boot subsystem. An attacker with physical access to the device can perform a denial of service attack.

12) Out-of-bounds read (CVE-ID: CVE-2021-1897)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition caused by missing boundary checks when loading the splash image in the Boot subsystem. An attacker with physical access to the device can perform a denial of service attack.
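Entries 2, 3, 11 and 12 all describe the same bug class in the Boot subsystem: a size taken from an untrusted image header (splash image dimensions, meta image partition entries) is fed into arithmetic that wraps before it is compared against the destination buffer or the image length. The following C is an added example written for this bulletin, not Qualcomm's bootloader code. The header layouts (`splash_hdr`, `meta_entry`), the 4 MiB display buffer size and the input values are all constructed assumptions; the overflow-checked builtins are the GCC/Clang `__builtin_mul_overflow` / `__builtin_add_overflow` intrinsics.

```c
/* Added example, not vendor code: integer-overflow bugs in boot-time image
 * size checks, shown naive and hardened side by side. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed 4 MiB display buffer that the splash image is decoded into. */
#define SPLASH_BUF_SIZE (4u * 1024u * 1024u)

/* Constructed header layout for the example; not a real Qualcomm format. */
struct splash_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;      /* bits per pixel */
};

/* Constructed meta-image entry: where a sub-image lives inside the blob. */
struct meta_entry {
    uint32_t offset;
    uint32_t size;
};

/* Naive: width * height * bytes-per-pixel is computed in 32 bits, wraps,
 * and the wrapped (small) value passes the buffer-size comparison. The
 * later copy then uses the real pixel count and runs off the buffer. */
bool splash_size_ok_naive(const struct splash_hdr *h, size_t *out_len)
{
    uint32_t bytes = h->width * h->height * (h->bpp / 8);
    if (bytes > SPLASH_BUF_SIZE)
        return false;
    *out_len = bytes;
    return true;
}

/* Hardened: every multiplication is overflow-checked and a wrap is
 * treated as a malformed header, so the size compared is the true size. */
bool splash_size_ok_checked(const struct splash_hdr *h, size_t *out_len)
{
    uint32_t pixels, bytes;
    if (h->bpp == 0 || h->bpp % 8 != 0 || h->bpp > 32)
        return false;
    if (__builtin_mul_overflow(h->width, h->height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, h->bpp / 8, &bytes))
        return false;
    if (bytes > SPLASH_BUF_SIZE)
        return false;
    *out_len = bytes;
    return true;
}

/* Naive: offset + size wraps in 32 bits and appears to fit the image. */
bool meta_entry_ok_naive(const struct meta_entry *e, uint32_t image_len)
{
    return e->offset + e->size <= image_len;
}

/* Hardened: reject the entry if the end address cannot be represented. */
bool meta_entry_ok_checked(const struct meta_entry *e, uint32_t image_len)
{
    uint32_t end;
    if (__builtin_add_overflow(e->offset, e->size, &end))
        return false;
    return end <= image_len;
}

int main(void)
{
    /* Constructed malicious header: 65536 x 65537 pixels at 32 bpp is ~16 GiB,
     * but 65536 * 65537 wraps to 65536 in 32-bit arithmetic. */
    struct splash_hdr bad = { 65536u, 65537u, 32u };
    size_t n = 0;
    printf("naive accepts:   %d (len %zu)\n", splash_size_ok_naive(&bad, &n), n);
    printf("checked accepts: %d\n", splash_size_ok_checked(&bad, &n));

    /* Constructed malicious entry: offset + size wraps past 2^32. */
    struct meta_entry me = { 0xFFFFFF00u, 0x200u };
    printf("naive entry ok:   %d\n", meta_entry_ok_naive(&me, 0x1000u));
    printf("checked entry ok: %d\n", meta_entry_ok_checked(&me, 0x1000u));
    return 0;
}
```

The naive checks are not wrong because the comparison is missing; they are wrong because the value being compared is no longer the value that will be used for the copy. Doing the arithmetic in a wider type, or checking each operation for wrap as above, closes both cases.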


13) Out-of-bounds read (CVE-ID: CVE-2021-1970)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing FT sub-elements in WLAN HOST. A remote attacker can send specially crafted traffic to the device, trigger out-of-bounds read error and read contents of memory on the system.


14) Out-of-bounds read (CVE-ID: CVE-2021-1964)

The vulnerability allows a remote attacker to perform a DoS attack.

The vulnerability exists due to a boundary condition caused by improper validation of IE size while parsing beacon from peer device in WLAN Host Communication subsystem. A remote attacker can send specially crafted traffic to the device, trigger an out-of-bounds read error and perform a denial of service attack.


15) Out-of-bounds read (CVE-ID: CVE-2021-1954)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition caused by improper validation of data pointer while parsing FILS indication IE in WLAN Host Communication subsystem. A remote attacker can send specially crafted traffic to the device, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.


16) Out-of-bounds read (CVE-ID: CVE-2021-1945)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition caused by lack of length check of Bandwidth-NSS IE in WLAN Host Communication system. A remote attacker can send specially crafted traffic to the device, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.


17) Out-of-bounds read (CVE-ID: CVE-2021-1943)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition caused by the improper validation of TBTT count and length while parsing the beacon response in WLAN Host Communication component. A remote attacker can send specially crafted traffic to the device, trigger out-of-bounds read error and perform a denial of service attack.
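Entries 1 and 13 through 17 share one root cause: an 802.11 information element (IE) carries its own one-byte length, and the WLAN host parser trusted that length instead of checking it against the bytes actually left in the received frame. The C below is an added example for this bulletin and is not Qualcomm's driver code. It walks the IE list of a frame body with and without the missing check; the element IDs used (0 for SSID, 71 for Multiple BSSID) are the standard IEEE 802.11 values, while the two frames and the `ie_summary` structure are constructed for the example. The unchecked walker only computes the offset it would reach, so the example itself stays memory-safe; in a real driver the read of `len` body bytes at that offset is the out-of-bounds read.

```c
/* Added example, not vendor code: trusting an IE length field versus
 * checking it against the remaining frame bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID   0x00   /* SSID element ID */
#define IE_MBSSID 0x47   /* Multiple BSSID element ID (71) */
#define SSID_MAX  32     /* 802.11 SSID is at most 32 octets */

struct ie_summary {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
    int     mbssid_seen;
};

/* Vulnerable walker: advances by the element's claimed length with no check
 * against buf_len, so a short frame with a large length field walks past
 * the end of the buffer. Returns the offset reached; anything greater than
 * buf_len means the parser has left the frame. */
size_t walk_ies_unchecked(const uint8_t *buf, size_t buf_len, int *mbssid_seen)
{
    size_t pos = 0;
    *mbssid_seen = 0;
    while (pos + 2 <= buf_len) {          /* only the 2-byte header is in bounds */
        uint8_t id  = buf[pos];
        uint8_t len = buf[pos + 1];
        if (id == IE_MBSSID)
            *mbssid_seen = 1;
        pos += 2 + len;                   /* len is never compared to buf_len */
    }
    return pos;
}

/* Hardened walker: every header and body is checked against what is left,
 * and element-specific limits are enforced before copying. Returns 0 on a
 * well-formed list and -1 on the first malformed element. */
int walk_ies_checked(const uint8_t *buf, size_t buf_len, struct ie_summary *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < buf_len) {
        if (buf_len - pos < 2)
            return -1;                    /* truncated header */
        uint8_t id  = buf[pos];
        uint8_t len = buf[pos + 1];
        if (len > buf_len - pos - 2)
            return -1;                    /* body would overrun the frame */
        const uint8_t *body = buf + pos + 2;

        if (id == IE_SSID) {
            if (len > SSID_MAX)
                return -1;                /* bounded copy into fixed buffer */
            memcpy(out->ssid, body, len);
            out->ssid_len = len;
        } else if (id == IE_MBSSID) {
            /* First body byte is the MaxBSSID Indicator; an empty body is malformed. */
            if (len < 1)
                return -1;
            out->mbssid_seen = 1;
        }
        pos += 2 + len;
    }
    return 0;
}

/* Constructed frames: SSID "lab" followed by a Multiple BSSID element. */
static const uint8_t GOOD_FRAME[] = { 0x00, 0x03, 'l', 'a', 'b', 0x47, 0x01, 0x04 };
/* Same, but the MBSSID element claims 200 body bytes while only 1 is present. */
static const uint8_t BAD_FRAME[]  = { 0x00, 0x03, 'l', 'a', 'b', 0x47, 0xC8, 0x04 };

int main(void)
{
    struct ie_summary s;
    int seen;
    printf("unchecked, good: reached %zu of %zu bytes\n",
           walk_ies_unchecked(GOOD_FRAME, sizeof GOOD_FRAME, &seen), sizeof GOOD_FRAME);
    printf("unchecked, bad:  reached %zu of %zu bytes\n",
           walk_ies_unchecked(BAD_FRAME, sizeof BAD_FRAME, &seen), sizeof BAD_FRAME);
    printf("checked, good:   %d\n", walk_ies_checked(GOOD_FRAME, sizeof GOOD_FRAME, &s));
    printf("checked, bad:    %d\n", walk_ies_checked(BAD_FRAME, sizeof BAD_FRAME, &s));
    return 0;
}
```

The same pattern applies one level down: the Multiple BSSID, FT and FILS elements contain sub-elements with their own ID/length headers, and each nested length must be checked against the enclosing element's remaining bytes, not against the whole frame.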


18) Use-after-free (CVE-ID: CVE-2021-1940)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in neural processing when handling firmware responses. A malicious application can trigger a use-after-free error and escalate privileges on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


19) Reachable Assertion (CVE-ID: CVE-2021-1955)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in SAP (software access point) mode caused by improper handling of connections when an association is rejected. A remote attacker can send specially crafted traffic to the device and perform a denial of service attack.


20) Reachable Assertion (CVE-ID: CVE-2021-1953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion caused by improper handling of a received malformed FTMR request frame while responding with an FTM1 frame. A remote attacker can send specially crafted traffic to the device and perform a denial of service (DoS) attack.


21) Reachable Assertion (CVE-ID: CVE-2021-1938)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion while creating and deleting the peer in WLAN Firmware. A remote attacker can send specially crafted traffic to the device and perform a denial of service attack.


22) Buffer overflow (CVE-ID: CVE-2021-1931)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improper validation of buffer length while processing fast boot commands. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


23) Reachable Assertion (CVE-ID: CVE-2021-1887)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in the WLAN subsystem while using the Wi-Fi Fine Timing Measurement protocol. A remote attacker can send specially crafted traffic to the device and perform a denial of service (DoS) attack.


Remediation

Install the update from the vendor's website.