Security researchers from Tencent’s Blade Team have warned Android smartphone and tablet users about vulnerabilities in Qualcomm chipsets, collectively called QualPwn. Chained together, the bugs let attackers compromise Android devices remotely by sending malicious packets over the air, with no user interaction.
Three bugs—CVE-2019-10539, CVE-2019-10540 and CVE-2019-10538—constitute QualPwn. The precondition for the attack is that both the attacker and the targeted Android device must be active on the same shared Wi-Fi network.
The researchers wrote: “One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances.”
All three vulnerabilities have been reported to Qualcomm and Google’s Android security team, and patches are available for handsets. The team has said “we have not found this vulnerability to have a public full exploit code.”
The researchers also said their work focused on Google Pixel 2 and Pixel 3 handsets and that their tests showed unpatched phones running Qualcomm Snapdragon 835 and Snapdragon 845 chips may be susceptible.
The first serious bug (CVE-2019-10539) is described by the researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”
The second bug (CVE-2019-10540) is rated critical and is also a “classic buffer overflow,” again a buffer copy in WLAN made without checking the size of the input. Qualcomm describes it as a “buffer overflow in WLAN NAN function due to lack of check of count value received in NAN availability attribute.”
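Both WLAN bugs are described as copies driven by a length or count taken straight from the received frame. The following added example (illustrative code, not Qualcomm firmware) parses the generic 802.11 information-element layout (1-byte element ID, 1-byte length, payload) and shows the two checks such a parser needs before copying: the claimed length must fit in the remaining frame, and it must fit in the destination buffer. The `EXT_CAP_MAX` size and the sample frames are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of the bug class, not Qualcomm firmware code: 802.11
 * information elements are TLVs (1-byte element ID, 1-byte length, payload).
 * parse_ies() shows the bounds checks that an unchecked copy would omit. */

#define EXT_CAP_MAX 16   /* hypothetical fixed destination for Extended Capabilities */
#define EID_EXT_CAP 127  /* Extended Capabilities element ID (IEEE 802.11) */

typedef struct {
    uint8_t ext_cap[EXT_CAP_MAX];
    size_t  ext_cap_len;
} ie_result_t;

/* Returns 0 on success, -1 if an IE header is truncated, claims more bytes
 * than remain in the frame, or would overflow the destination buffer. */
int parse_ies(const uint8_t *buf, size_t len, ie_result_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2) return -1;          /* header itself is truncated */
        uint8_t eid = buf[off], elen = buf[off + 1];
        off += 2;
        if (elen > len - off) return -1;       /* frame-supplied length exceeds frame */
        if (eid == EID_EXT_CAP) {
            if (elen > EXT_CAP_MAX) return -1; /* would overflow fixed-size destination */
            memcpy(out->ext_cap, buf + off, elen);
            out->ext_cap_len = elen;
        }
        off += elen;                           /* skip IEs we do not handle */
    }
    return 0;
}

/* Convenience wrapper: parsed Extended Capabilities length, or -1 if rejected. */
int parsed_ext_cap_len(const uint8_t *buf, size_t len)
{
    ie_result_t r;
    return parse_ies(buf, len, &r) == 0 ? (int)r.ext_cap_len : -1;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[] = { 0x00, 0x02, 'A', 'B', 0x7f, 0x03, 0x01, 0x02, 0x03 };
static const uint8_t bad_frame[]  = { 0x7f, 0x40, 0x01 };  /* claims 64 bytes, carries 1 */
```

`parsed_ext_cap_len(good_frame, sizeof good_frame)` yields 3, while `bad_frame`, whose length byte exceeds the bytes actually present, is rejected with -1 instead of being copied.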
The third bug (CVE-2019-10538) is not listed on Qualcomm’s August security bulletin, but is rated high in severity by Google’s August Android Security Bulletin. Tencent only describes the CVE as a “modem into Linux Kernel issue.”
The QualPwn vulnerabilities will be discussed by Tencent’s Blade Team researchers at BlackHat USA 2019 and DEFCON 27 later this week, as per researchers.
The researchers declined to share vulnerability details until, as they put it: “we’re informed that the flaws are fixed and consumers have time to install security updates on their devices.”