Newly discovered QualPwn vulnerability affects devices with Qualcomm chips

  • QualPwn is the name given to a pair of vulnerabilities.
  • Both vulnerabilities (CVE-2019-10538 and CVE-2019-10540) are buffer overflows.

The Android Security Bulletin for August 2019 carries patches for two dangerous vulnerabilities affecting devices built on Qualcomm chips. The two flaws are collectively known as QualPwn and allow an attacker within Wi-Fi range to compromise the device's WLAN component and the Android kernel over the air.

What are the two flaws?

According to Tencent Blade, the team that reported them, QualPwn consists of two vulnerabilities: CVE-2019-10538 and CVE-2019-10540. The Android bulletin rates the former High and the latter Critical.

  • CVE-2019-10538 is a buffer overflow in the Qualcomm WLAN driver that runs inside the Android kernel. It is triggered by crafted data reaching the driver through the device's WLAN interface and lets an attacker run code with kernel privileges. Because the kernel driver trusts what the WLAN firmware hands it, this flaw is most dangerous once the firmware itself is under attacker control.
  • CVE-2019-10540 is a buffer overflow in the Qualcomm WLAN firmware, which on these chips runs within the modem subsystem. It is triggered by specially crafted 802.11 frames sent over the air, so it needs no user interaction and no existing foothold on the device, and it gives the attacker code execution in the firmware.
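
Both flaws are the same bug class: a parser copies a length-prefixed field from a wireless frame into a fixed-size buffer while trusting the length byte the attacker supplied. The following is an added illustration of that class, written for this page; it is not code from Qualcomm, Tencent Blade or the Android bulletin and does not reproduce the actual QualPwn code paths. An 802.11 information element (IE) really is a TLV of element ID, length and payload, but the element ID 0x7f, the 8-byte destination buffer, the canary and the frame bytes are all constructed for the demonstration. The same loop is run once without and once with the bounds check, so the overflow and the fix can be compared directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Qualcomm's or Tencent Blade's code. An 802.11
 * information element (IE) is a TLV: 1-byte element ID, 1-byte length, then
 * up to 255 payload bytes. Copying a chosen element into a fixed-size buffer
 * while trusting the length byte from the frame is the bug class behind
 * QualPwn. The element ID and buffer size below are hypothetical. */

#define CAP_IE_ID    0x7f        /* hypothetical ID of the element we extract */
#define CAP_BUF_SIZE 8           /* fixed destination, deliberately small */
#define CANARY       0xDEADBEEFu /* marker placed right after the buffer */

struct cap_info {
    uint8_t  caps[CAP_BUF_SIZE];
    uint32_t canary;   /* directly after caps, so an overflow is observable */
    uint8_t  len;
};

static void cap_info_init(struct cap_info *ci)
{
    memset(ci, 0, sizeof(*ci));
    ci->canary = CANARY;
}

/* Walk the IE list. Returns 0 when the element is found and copied, -1 when
 * an element claims more bytes than the frame holds, -2 when the hardened
 * path rejects an element larger than the destination buffer. */
static int parse_caps(const uint8_t *ies, size_t ies_len,
                      struct cap_info *out, int hardened)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id  = ies[pos];
        uint8_t len = ies[pos + 1];
        const uint8_t *body = ies + pos + 2;

        if (len > ies_len - pos - 2)
            return -1;                     /* element runs past the frame */

        if (id == CAP_IE_ID) {
            /* The fix: bound the attacker-supplied length by the destination. */
            if (hardened && len > CAP_BUF_SIZE)
                return -2;
            memcpy(out->caps, body, len);  /* unchecked on the vulnerable path */
            out->len = len;
            return 0;
        }
        pos += 2 + (size_t)len;
    }
    return -1;
}

/* Constructed sample frame body: a benign 2-byte element, then our element
 * carrying 12 bytes, four more than caps[] can hold. */
static const uint8_t sample_ies[] = {
    0x00, 0x02, 0x01, 0x02,
    CAP_IE_ID, 12, 'A','A','A','A','A','A','A','A','A','A','A','A'
};

/* Constructed truncated frame: the element claims 32 bytes but only 1 follows. */
static const uint8_t truncated_ies[] = { CAP_IE_ID, 0x20, 0x01 };

/* Run the sample through one parser variant and report its return code. */
int rv_for(int hardened)
{
    struct cap_info ci;
    cap_info_init(&ci);
    return parse_caps(sample_ies, sizeof sample_ies, &ci, hardened);
}

/* Run the sample through one parser variant and report the canary afterwards. */
uint32_t canary_after(int hardened)
{
    struct cap_info ci;
    cap_info_init(&ci);
    parse_caps(sample_ies, sizeof sample_ies, &ci, hardened);
    return ci.canary;
}

/* The truncation check is shared by both variants. */
int truncated_rv(int hardened)
{
    struct cap_info ci;
    cap_info_init(&ci);
    return parse_caps(truncated_ies, sizeof truncated_ies, &ci, hardened);
}

int main(void)
{
    printf("vulnerable: rv=%d canary=0x%08x\n", rv_for(0), canary_after(0));
    printf("hardened:   rv=%d canary=0x%08x\n", rv_for(1), canary_after(1));
    printf("truncated frame: rv=%d\n", truncated_rv(0));
    return 0;
}
```

On the vulnerable path the 12-byte copy runs four bytes past caps[] and replaces the canary with 0x41414141; in a real driver or firmware those bytes land on whatever follows the buffer, which is what turns a parsing bug into code execution. The hardened path refuses the element outright rather than silently truncating it, so a malformed frame produces a clean error instead of partially initialised state.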

What are the affected devices?

Tencent Blade's testing covered phones built on the Qualcomm Snapdragon 835 and Snapdragon 845; unpatched devices on those chips are confirmed vulnerable to QualPwn.

However, Qualcomm's own security advisory lists the second vulnerability, CVE-2019-10540, as affecting many more chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130. Exposure is determined by the chip inside a device, not by the handset brand, so this list is the one to check against.

Addressing the issues

The first issue, in the kernel WLAN driver, has been patched with a code fix in the Android operating system source code. The second has been patched in Qualcomm's closed-source firmware, which at the time of the bulletin had shipped for only a limited set of devices, so availability of that fix depends on the handset vendor pushing an update. To confirm that a device carries both fixes, check its security patch level (in Settings, or with `adb shell getprop ro.build.version.security_patch`): the Qualcomm fixes belong to the 2019-08-05 patch level, so a device reporting 2019-08-05 or later is covered, while one reporting 2019-08-01 has only the framework portion of the August bulletin.