CVE-2020-11202 HIGH

Published: 2020-11-12 | Last Modified: 2024-11-21 | Status: Modified

Description

Buffer overflow/underflow occurs when typecasting the buffer passed by CPU internally in the library which is not aligned with the actual size of the structure' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA845, SDM640, SDM670, SDM710, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P

Additional Descriptions (1)

Un desbordamiento y subdesbordamiento del búfer se produce al encasillar el búfer pasado por la CPU internamente en la biblioteca que no está alineado con el tamaño real de la estructura' en Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile en QCM6125, QCS410, QCS603, QCS605, QCS610, QCS6125, SA6145P, SA6155, SA6155P, SA8155, SA8155P, SDA640, SDA670, SDA845, SDM640, SDM670, SDM710, SDM830, SDM845, SDX50M, SDX55, SDX55M, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM7125, SM7150, SM7150P, SM8150, SM8150P

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Base Score: 7.2 (HIGH)

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector	LOCAL
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	COMPLETE
Integrity Impact	COMPLETE
Availability Impact	COMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 10.0

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-787

Affected Products

Vendor	Product	Version	Update	Type
qualcomm	qcm6125_firmware	-	<built-in method update of dict object at 0x7c3bf291d6c0>	Operating System
qualcomm	qcs410_firmware	-	<built-in method update of dict object at 0x7c3c40dd6780>	Operating System
qualcomm	qcs603_firmware	-	<built-in method update of dict object at 0x7c3c47782580>	Operating System
qualcomm	qcs605_firmware	-	<built-in method update of dict object at 0x7c3c483bf500>	Operating System
qualcomm	qcs610_firmware	-	<built-in method update of dict object at 0x7c3bf291c540>	Operating System
qualcomm	qcs6125_firmware	-	<built-in method update of dict object at 0x7c3bf291d2c0>	Operating System
qualcomm	sa6145p_firmware	-	<built-in method update of dict object at 0x7c3c483bcd40>	Operating System
qualcomm	sa6155_firmware	-	<built-in method update of dict object at 0x7c3c40d566c0>	Operating System
qualcomm	sa6155p_firmware	-	<built-in method update of dict object at 0x7c3c40dd59c0>	Operating System
qualcomm	sa8155_firmware	-	<built-in method update of dict object at 0x7c3bf291ff00>	Operating System
qualcomm	sa8155p_firmware	-	<built-in method update of dict object at 0x7c3c40d552c0>	Operating System
qualcomm	sda640_firmware	-	<built-in method update of dict object at 0x7c3c40dd4640>	Operating System
qualcomm	sda670_firmware	-	<built-in method update of dict object at 0x7c3c40dd6cc0>	Operating System
qualcomm	sda845_firmware	-	<built-in method update of dict object at 0x7c3bf291fb40>	Operating System
qualcomm	sdm640_firmware	-	<built-in method update of dict object at 0x7c3bf291ce40>	Operating System
qualcomm	sdm670_firmware	-	<built-in method update of dict object at 0x7c3bf291fe00>	Operating System
qualcomm	sdm710_firmware	-	<built-in method update of dict object at 0x7c3bf291c700>	Operating System
qualcomm	sdm830_firmware	-	<built-in method update of dict object at 0x7c3c483bed00>	Operating System
qualcomm	sdm845_firmware	-	<built-in method update of dict object at 0x7c3c40d54a00>	Operating System
qualcomm	sdx50m_firmware	-	<built-in method update of dict object at 0x7c3c483bea40>	Operating System
qualcomm	sdx55_firmware	-	<built-in method update of dict object at 0x7c3c2910c400>	Operating System
qualcomm	sdx55m_firmware	-	<built-in method update of dict object at 0x7c3c40dd7080>	Operating System
qualcomm	sm6125_firmware	-	<built-in method update of dict object at 0x7c3c476bcc00>	Operating System
qualcomm	sm6150_firmware	-	<built-in method update of dict object at 0x7c3c40dd4ec0>	Operating System
qualcomm	sm6150p_firmware	-	<built-in method update of dict object at 0x7c3bf291ca40>	Operating System
qualcomm	sm6250_firmware	-	<built-in method update of dict object at 0x7c3bf291c5c0>	Operating System
qualcomm	sm6250p_firmware	-	<built-in method update of dict object at 0x7c3c483bcf80>	Operating System
qualcomm	sm7125_firmware	-	<built-in method update of dict object at 0x7c3c40dd71c0>	Operating System
qualcomm	sm7150_firmware	-	<built-in method update of dict object at 0x7c3bf291c840>	Operating System
qualcomm	sm7150p_firmware	-	<built-in method update of dict object at 0x7c3c2910f640>	Operating System
qualcomm	sm8150_firmware	-	<built-in method update of dict object at 0x7c3c2910c740>	Operating System
qualcomm	sm8150p_firmware	-	<built-in method update of dict object at 0x7c3c483bf280>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs410_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs410:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs603_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs603:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs605_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs605:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs610_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs610:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6145p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6145p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda670_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda670:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm670_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm670:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm710_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm710:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm830_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm830:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx50m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx50m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150p:-:::::::*`

References

https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: [email protected]

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: [email protected]

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: [email protected]

Broken Link Vendor Advisory
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link Vendor Advisory