CVE-2020-11201 HIGH

Published: 2020-11-12 | Last Modified: 2024-11-21 | Status: Modified

Description

Arbitrary access to DSP memory due to improper check in loaded library for data received from CPU side' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA845, SDM640, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P

Additional Descriptions (1)

Un acceso arbitrario a la memoria del DSP debido a una comprobación incorrecta en la biblioteca cargada de los datos recibidos del lado de la CPU' en Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile en QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA845, SDM640, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Base Score: 7.2 (HIGH)

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector	LOCAL
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	COMPLETE
Integrity Impact	COMPLETE
Availability Impact	COMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 10.0

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-20

Affected Products

Vendor	Product	Version	Update	Type
qualcomm	qcm6125_firmware	-	<built-in method update of dict object at 0x7c3c2b142200>	Operating System
qualcomm	qcs410_firmware	-	<built-in method update of dict object at 0x7c3c2ab12b80>	Operating System
qualcomm	qcs603_firmware	-	<built-in method update of dict object at 0x7c3c2ab11440>	Operating System
qualcomm	qcs605_firmware	-	<built-in method update of dict object at 0x7c3c46894380>	Operating System
qualcomm	qcs610_firmware	-	<built-in method update of dict object at 0x7c3c2b1422c0>	Operating System
qualcomm	qcs6125_firmware	-	<built-in method update of dict object at 0x7c3c2b143bc0>	Operating System
qualcomm	sa6145p_firmware	-	<built-in method update of dict object at 0x7c3c46894e00>	Operating System
qualcomm	sa6155_firmware	-	<built-in method update of dict object at 0x7c3c2ab13bc0>	Operating System
qualcomm	sa6155p_firmware	-	<built-in method update of dict object at 0x7c3c3212df40>	Operating System
qualcomm	sa8155_firmware	-	<built-in method update of dict object at 0x7c3c2b1430c0>	Operating System
qualcomm	sa8155p_firmware	-	<built-in method update of dict object at 0x7c3c40d4e080>	Operating System
qualcomm	sda640_firmware	-	<built-in method update of dict object at 0x7c3c2b034fc0>	Operating System
qualcomm	sda845_firmware	-	<built-in method update of dict object at 0x7c3c40dd7dc0>	Operating System
qualcomm	sdm640_firmware	-	<built-in method update of dict object at 0x7c3c481f6d40>	Operating System
qualcomm	sdm830_firmware	-	<built-in method update of dict object at 0x7c3c40dd7bc0>	Operating System
qualcomm	sdm845_firmware	-	<built-in method update of dict object at 0x7c3c468975c0>	Operating System
qualcomm	sdx50m_firmware	-	<built-in method update of dict object at 0x7c3c481570c0>	Operating System
qualcomm	sdx55_firmware	-	<built-in method update of dict object at 0x7c3c2b0349c0>	Operating System
qualcomm	sdx55m_firmware	-	<built-in method update of dict object at 0x7c3c2b035500>	Operating System
qualcomm	sm6125_firmware	-	<built-in method update of dict object at 0x7c3c29ed7700>	Operating System
qualcomm	sm6150_firmware	-	<built-in method update of dict object at 0x7c3bf3b62280>	Operating System
qualcomm	sm6250_firmware	-	<built-in method update of dict object at 0x7c3bf3b62080>	Operating System
qualcomm	sm6250p_firmware	-	<built-in method update of dict object at 0x7c3c2b034180>	Operating System
qualcomm	sm7125_firmware	-	<built-in method update of dict object at 0x7c3c40dd4fc0>	Operating System
qualcomm	sm7150_firmware	-	<built-in method update of dict object at 0x7c3c40d4cb00>	Operating System
qualcomm	sm7150p_firmware	-	<built-in method update of dict object at 0x7c3c29ed6100>	Operating System
qualcomm	sm8150_firmware	-	<built-in method update of dict object at 0x7c3c40dd5d40>	Operating System
qualcomm	sm8150p_firmware	-	<built-in method update of dict object at 0x7c3c40d4c100>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs410_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs410:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs603_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs603:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs605_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs605:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs610_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs610:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6145p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6145p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm830_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm830:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx50m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx50m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150p:-:::::::*`

References

https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: [email protected]

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: [email protected]

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: [email protected]

Broken Link Vendor Advisory
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link Vendor Advisory