CVE-2020-11206 HIGH

Published: 2020-11-12 | Last Modified: 2024-11-21 | Status: Modified

Description

Possible buffer overflow in Fastrpc while handling received parameters due to lack of validation on input parameters' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in APQ8098, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P

Additional Descriptions (1)

Un posible desbordamiento del búfer en Fastrpc mientras se manejan los parámetros recibidos debido a la falta de validación en los parámetros de entrada' en Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile en versiones APQ8098, MSM8998, QCM4290, QCM6125, QCS410, QCS4290, QCS610, QCS6125, QSM8250, QSM8350, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SC7180, SDA640, SDA660, SDA845, SDA855, SDM640, SDM660, SDM830, SDM845, SDM850, SDX50M, SDX55, SDX55M, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SM8350, SM8350P, SXR2130, SXR2130P

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Base Score: 7.2 (HIGH)

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector	LOCAL
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	COMPLETE
Integrity Impact	COMPLETE
Availability Impact	COMPLETE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 10.0

Weaknesses

Source	Type	Description
[email protected]	Primary	en NVD-CWE-Other

Affected Products

Vendor	Product	Version	Update	Type
qualcomm	apq8098_firmware	-	<built-in method update of dict object at 0x7c3bf3e4cb80>	Operating System
qualcomm	msm8998_firmware	-	<built-in method update of dict object at 0x7c3c40dd77c0>	Operating System
qualcomm	qcm4290_firmware	-	<built-in method update of dict object at 0x7c3c40dd6e80>	Operating System
qualcomm	qcm6125_firmware	-	<built-in method update of dict object at 0x7c3bf3e4ce40>	Operating System
qualcomm	qcs410_firmware	-	<built-in method update of dict object at 0x7c3bf3e4d3c0>	Operating System
qualcomm	qcs4290_firmware	-	<built-in method update of dict object at 0x7c3bf3e4db40>	Operating System
qualcomm	qcs610_firmware	-	<built-in method update of dict object at 0x7c3c40dd71c0>	Operating System
qualcomm	qcs6125_firmware	-	<built-in method update of dict object at 0x7c3bf3e4d4c0>	Operating System
qualcomm	qsm8250_firmware	-	<built-in method update of dict object at 0x7c3bf3e4f440>	Operating System
qualcomm	qsm8350_firmware	-	<built-in method update of dict object at 0x7c3bf3e4c780>	Operating System
qualcomm	sa6145p_firmware	-	<built-in method update of dict object at 0x7c3bf3e4dbc0>	Operating System
qualcomm	sa6150p_firmware	-	<built-in method update of dict object at 0x7c3c40dd5f80>	Operating System
qualcomm	sa6155_firmware	-	<built-in method update of dict object at 0x7c3c40dd7d80>	Operating System
qualcomm	sa6155p_firmware	-	<built-in method update of dict object at 0x7c3c48264ec0>	Operating System
qualcomm	sa8150p_firmware	-	<built-in method update of dict object at 0x7c3c40dd5e40>	Operating System
qualcomm	sa8155_firmware	-	<built-in method update of dict object at 0x7c3bf3e4eb00>	Operating System
qualcomm	sa8155p_firmware	-	<built-in method update of dict object at 0x7c3c40dd7740>	Operating System
qualcomm	sa8195p_firmware	-	<built-in method update of dict object at 0x7c3c47813f80>	Operating System
qualcomm	sc7180_firmware	-	<built-in method update of dict object at 0x7c3bf3e4e400>	Operating System
qualcomm	sda640_firmware	-	<built-in method update of dict object at 0x7c3c482ccdc0>	Operating System
qualcomm	sda660_firmware	-	<built-in method update of dict object at 0x7c3bf3e4e2c0>	Operating System
qualcomm	sda845_firmware	-	<built-in method update of dict object at 0x7c3c40dd5c00>	Operating System
qualcomm	sda855_firmware	-	<built-in method update of dict object at 0x7c3c40d56300>	Operating System
qualcomm	sdm640_firmware	-	<built-in method update of dict object at 0x7c3bf3e4da80>	Operating System
qualcomm	sdm660_firmware	-	<built-in method update of dict object at 0x7c3bf3b2f540>	Operating System
qualcomm	sdm830_firmware	-	<built-in method update of dict object at 0x7c3bf3b4c500>	Operating System
qualcomm	sdm845_firmware	-	<built-in method update of dict object at 0x7c3bf3e4fd40>	Operating System
qualcomm	sdm850_firmware	-	<built-in method update of dict object at 0x7c3c40dd5d00>	Operating System
qualcomm	sdx50m_firmware	-	<built-in method update of dict object at 0x7c3c40dd7a80>	Operating System
qualcomm	sdx55_firmware	-	<built-in method update of dict object at 0x7c3bf3b4c0c0>	Operating System
qualcomm	sdx55m_firmware	-	<built-in method update of dict object at 0x7c3c684d84c0>	Operating System
qualcomm	sm4250_firmware	-	<built-in method update of dict object at 0x7c3bf3b2fd80>	Operating System
qualcomm	sm4250p_firmware	-	<built-in method update of dict object at 0x7c3bf3e4f180>	Operating System
qualcomm	sm6115_firmware	-	<built-in method update of dict object at 0x7c3c2910f240>	Operating System
qualcomm	sm6115p_firmware	-	<built-in method update of dict object at 0x7c3bf3a1e880>	Operating System
qualcomm	sm6125_firmware	-	<built-in method update of dict object at 0x7c3bf3a1f000>	Operating System
qualcomm	sm6150_firmware	-	<built-in method update of dict object at 0x7c3bf3a1c940>	Operating System
qualcomm	sm6150p_firmware	-	<built-in method update of dict object at 0x7c3bf3a1d9c0>	Operating System
qualcomm	sm6250_firmware	-	<built-in method update of dict object at 0x7c3bf3a1ca40>	Operating System
qualcomm	sm6250p_firmware	-	<built-in method update of dict object at 0x7c3bf3a1c980>	Operating System
qualcomm	sm6350_firmware	-	<built-in method update of dict object at 0x7c3bf3b07f40>	Operating System
qualcomm	sm7125_firmware	-	<built-in method update of dict object at 0x7c3c40dd7280>	Operating System
qualcomm	sm7150_firmware	-	<built-in method update of dict object at 0x7c3c40dd5a00>	Operating System
qualcomm	sm7150p_firmware	-	<built-in method update of dict object at 0x7c3c40dd4080>	Operating System
qualcomm	sm7225_firmware	-	<built-in method update of dict object at 0x7c3c40dd5080>	Operating System
qualcomm	sm7250_firmware	-	<built-in method update of dict object at 0x7c3c40dd4bc0>	Operating System
qualcomm	sm7250p_firmware	-	<built-in method update of dict object at 0x7c3c40dd4440>	Operating System
qualcomm	sm8150_firmware	-	<built-in method update of dict object at 0x7c3c40dd5140>	Operating System
qualcomm	sm8150p_firmware	-	<built-in method update of dict object at 0x7c3c3277f980>	Operating System
qualcomm	sm8250_firmware	-	<built-in method update of dict object at 0x7c3bf291f080>	Operating System
qualcomm	sm8350_firmware	-	<built-in method update of dict object at 0x7c3bf291f8c0>	Operating System
qualcomm	sm8350p_firmware	-	<built-in method update of dict object at 0x7c3bf291ea00>	Operating System
qualcomm	sxr2130_firmware	-	<built-in method update of dict object at 0x7c3c40d4c180>	Operating System
qualcomm	sxr2130p_firmware	-	<built-in method update of dict object at 0x7c3bf291fcc0>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:apq8098_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:apq8098:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:msm8998_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:msm8998:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcm4290_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcm4290:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs410_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs410:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs4290_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs4290:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs610_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs610:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qcs6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qcs6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qsm8250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qsm8250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:qsm8350_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:qsm8350:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6145p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6145p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa6155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa6155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8155p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8155p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sa8195p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sa8195p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sc7180_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sc7180:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda660_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda660:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sda855_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sda855:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm640_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm640:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm660_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm660:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm830_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm830:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm845_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm845:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdm850_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdm850:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx50m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx50m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sdx55m_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sdx55m:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm4250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm4250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm4250p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm4250p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6115_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6115:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6115p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6115p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6250p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6250p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm6350_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm6350:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7125_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7125:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7225_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7225:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm7250p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm7250p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8150p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8150p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8250_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8350_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8350:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sm8350p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sm8350p:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sxr2130_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sxr2130:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:qualcomm:sxr2130p_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:qualcomm:sxr2130p:-:::::::*`

References

https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: [email protected]

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: [email protected]

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: [email protected]

Vendor Advisory
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory
https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory