Vulnerabilities > CVE-2015-9138 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Qualcomm products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

qualcomm

CWE-119

critical

NVD

Published: 2018-04-18

Updated: 2018-05-09

Summary

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear, and Small Cell SoC FSM9055, IPQ4019, MDM9206, MDM9607, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, SD 850, and SDX20, when an RSA encryption operation is called, the ce_util_to_unsigned_bin is invoked to convert the input buffer to unsigned binary. The ce_util_to_unsigned_bin function, instead of operating on the size of the unsigned character buffer that is passed, operates on the address - i.e. operates on "c" instead of "*c". Decrementing the address to check if it is less than zero means that the operation will always pass, since a pointer will never be less than zero, and may result in a buffer overflow.

Vulnerable Configurations

Part	Description	Count
OS	Qualcomm Qualcomm Mdm9206 Firmware - Qualcomm Mdm9607 Firmware - Qualcomm Fsm9055 Firmware - Qualcomm Mdm9625 Firmware - Qualcomm Mdm9635M Firmware - Qualcomm Mdm9640 Firmware - Qualcomm Mdm9645 Firmware - Qualcomm Mdm9650 Firmware - Qualcomm Mdm9655 Firmware - Qualcomm Msm8909W Firmware - Qualcomm SD 210 Firmware - Qualcomm SD 212 Firmware - Qualcomm SD 205 Firmware - Qualcomm SD 400 Firmware - Qualcomm SD 410 Firmware - Qualcomm SD 412 Firmware - Qualcomm SD 425 Firmware - Qualcomm SD 430 Firmware - Qualcomm SD 450 Firmware - Qualcomm SD 615 Firmware - Qualcomm SD 616 Firmware - Qualcomm SD 415 Firmware - Qualcomm SD 617 Firmware - Qualcomm SD 625 Firmware - Qualcomm SD 650 Firmware - Qualcomm SD 652 Firmware - Qualcomm SD 800 Firmware - Qualcomm SD 808 Firmware - Qualcomm SD 810 Firmware - Qualcomm SD 820 Firmware - Qualcomm SD 835 Firmware - Qualcomm SD 845 Firmware - Qualcomm Sdx20 Firmware - Qualcomm SD 850 Firmware - Qualcomm Ipq4019 Firmware - Qualcomm SD 600 Firmware - Qualcomm SD 820A Firmware -	37
Hardware	Qualcomm Qualcomm Mdm9206 - Qualcomm Mdm9607 - Qualcomm Fsm9055 - Qualcomm Mdm9625 - Qualcomm Mdm9635M - Qualcomm Mdm9640 - Qualcomm Mdm9645 - Qualcomm Mdm9650 - Qualcomm Mdm9655 - Qualcomm Msm8909W - Qualcomm SD 210 - Qualcomm SD 212 - Qualcomm SD 205 - Qualcomm SD 400 - Qualcomm SD 410 - Qualcomm SD 412 - Qualcomm SD 425 - Qualcomm SD 430 - Qualcomm SD 450 - Qualcomm SD 615 - Qualcomm SD 616 - Qualcomm SD 415 - Qualcomm SD 617 - Qualcomm SD 625 - Qualcomm SD 650 - Qualcomm SD 652 - Qualcomm SD 800 - Qualcomm SD 808 - Qualcomm SD 810 - Qualcomm SD 820 - Qualcomm SD 835 - Qualcomm SD 845 - Qualcomm Sdx20 - Qualcomm SD 850 - Qualcomm Ipq4019 - Qualcomm SD 600 - Qualcomm SD 820A -	37

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References