QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices

Patches for the QualPwn vulnerabilities have been released earlier today by both Qualcomm and the Android team.
Written by Catalin Cimpanu, Contributor
Logo: Qualcomm // Composition: ZDNet

The Android Security Bulletin for August 2019 is out today and this month's Android security patches include a fix for two dangerous vulnerabilities that impact devices with Qualcomm chips.

Known collectively as QualPwn, these two vulnerabilities "allow attackers to compromise the Android Kernel over-the-air," according to Tencent Blade, a cyber-security division at Tencent, one of China's biggest tech firms.

The over-the-air attack is not a fully remote attack, meaning it can't be executed over the internet. To launch a QualPwn attack, the attacker and the target must be on the same WiFi network.

Nonetheless, the QualPwn attacks don't require user interaction, and Android users with affected Qualcomm chipsets will need to look into installing the August 2019 Android OS security patch.

QualPwn vulnerabilities breakdown

The two QualPwn vulnerabilities are as follow:

  • CVE-2019-10538 - a buffer overflow that impacts the Qualcomm WLAN component and the Android Kernel. Can be exploited by sending specially-crafted packets to a device's WLAN interface, which allows the attacker to run code with kernel privileges.
  • CVE-2019-10540 - a buffer overflow in the Qualcomm WLAN and modem firmware that ships with Qualcomm chips. Can be exploited by sending specially-crafted packets to an Android's device modem. This allows for code execution on the device.

The first issue was patched with a code fix in the Android operating system source code, while the second bug was patched with a code fix in Qualcomm's closed-source firmware that ships on a limited set of devices.

Tencent researchers said they only tested the QualPwn attacks on Google Pixel 2 and Pixel 3 devices, using Qualcomm Snapdragon 835 and Snapdragon 845 chips.

However, in a security advisory posted on its website for the second bug (CVE-2019-10540), Qualcomm said this vulnerability impacted many more other chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.

"Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program," a Qualcomm spokesperson told ZDNet. "Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs."

Tencent Blade said they discovered the bugs on their own, and that they haven't seen any public exploitation attempts, to their knowledge.

The researchers plan to provide a more in-depth look at the QualPwn vulnerabilities and the over-the-air attack at the Black Hat USA 2019 security conference, this week, and the DEFCON 27 security conference, the week after that.

Updated on August 6, 03:55am ET, with comment from Qualcomm.

HackerOne's top 20 public bug bounty programs

More vulnerability reports:

Editorial standards