The Android Security Bulletin for August 2019 has issued security patches for two dangerous vulnerabilities affecting devices with Qualcomm chips. These two flaws are collectively known as QualPwn and allow attackers to compromise the WLAN and Android kernel over-the-air.
What are the two flaws?
According to Tencent Blade, QualPwn is a set of two vulnerabilities. These vulnerabilities are CVE-2019-10538 and CVE-2019-10540. While the former is a high severity bug, the latter has received a critical severity rating.
What are the affected devices?
Researchers note that unpatched phones using Qualcomm Snapdragon 835 and Snapdragon 845 chips are vulnerable to QualPwn.
However, in its security advisory, Qualcomm has posted that the second vulnerability of QualPwn that affects many other chipsets including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.
Addressing the issues
The first issue has been patched with a code fix in the Android operating system source code, while the second bug has been patched with a code fix in Qualcomm’s closed source firmware that is shipped in a limited set of devices.