QualPwn, critical vulnerabilities in Qualcomm chips, that allows attackers to compromise Android device remotely over-the-air. The flaw resides in the Qualcomm’s Snapdragon WLAN component.
The series of vulnerabilities dubbed QualPwn, discovered by Tencent Blade Team, the first two vulnerabilities reside in Qualcomm chips and the third one in Android Kernel.
The vulnerabilities chained together allows attackers to compromise the Android device over-the-air without any user interaction. The over-the-air attack can be triggered if the victim and the attacker connected with the same WiFi network.
Researchers tested with Google Pixel2/Pixel3 and didn’t test with all the phones, “results of our tests indicate that unpatched phones running on Qualcomm Snapdragon 835,845 may be vulnerable.”
CVE-2019-10539(Compromise WLAN Issue) – Possible buffer overflow vulnerability in the WiFi firmware, due to lack of length check while parsing the extended cap IE header length.
CVE-2019-10540 (WLAN into Modem issue) – Buffer overflow vulnerability that affects Qualcomm WLAN and the vulnerability is due to lack of check of the count value received in NAN availability attribute.
Attackers can exploit the vulnerability by sending maliciously crafted packet over air, according to Qualcomm report the vulnerability affects other chipsets that includes, IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.
CVE-2019-10538 (Modem into Linux Kernel issue) – The vulnerability relies on the Qualcomm Linux kernel component for Android, an attacker could exploit the vulnerability to overwrite the Linux kernel for Android.
Patches for QualPwn
The vulnerabilities were discovered in February and the researchers reported the details to Google and Qualcomm. In June Qualcomm issued fixes and notified OEMs. Google issued patches for the vulnerability with the August security update.
Users are recommended to update with the latest security updates that rolled out August 5, 2019, that address both of the bugs.
The full details of the bug were and the exploitation steps were not yet disclosed, according to Tencent there is no public full exploit code available.