QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices
The Android Security Bulletin for August 2019 is out today and this month's Android security patches include a fix for two dangerous vulnerabilities that impact devices with Qualcomm chips.
Known collectively as QualPwn, these two vulnerabilities "allow attackers to compromise the Android Kernel over-the-air," according to Tencent Blade, a cyber-security division at Tencent, one of China's biggest tech firms.
The over-the-air attack is not a fully remote attack, meaning it can't be executed over the internet. To launch a QualPwn attack, the attacker and the target must be on the same WiFi network.
Nonetheless, the QualPwn attacks don't require user interaction, and Android users with affected Qualcomm chipsets will need to look into installing the August 2019 Android OS security patch.
QualPwn vulnerabilities breakdown
The two QualPwn vulnerabilities are as follows:
- CVE-2019-10538 - a buffer overflow that impacts the Qualcomm WLAN component and the Android Kernel. It can be exploited by sending specially crafted packets to a device's WLAN interface, which allows the attacker to run code with kernel privileges.
- CVE-2019-10540 - a buffer overflow in the Qualcomm WLAN and modem firmware that ships with Qualcomm chips. It can be exploited by sending specially crafted packets to an Android device's modem. This allows for code execution on the device.
The first issue was patched with a code fix in the Android operating system source code, while the second bug was patched with a code fix in Qualcomm's closed-source firmware that ships on a limited set of devices.
Tencent researchers said they only tested the QualPwn attacks on Google Pixel 2 and Pixel 3 devices, using Qualcomm Snapdragon 835 and Snapdragon 845 chips.
However, in a security advisory posted on its website for the second bug (CVE-2019-10540), Qualcomm said this vulnerability impacted many other chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.
"Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program," a Qualcomm spokesperson told ZDNet. "Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs."
Tencent Blade said they discovered the bugs on their own, and that they haven't seen any public exploitation attempts, to their knowledge.
The researchers plan to provide a more in-depth look at the QualPwn vulnerabilities and the over-the-air attack at the Black Hat USA 2019 security conference, this week, and the DEFCON 27 security conference, the week after that.
Updated on August 6, 03:55am ET, with comment from Qualcomm.