Chipset security vulnerabilities are certainly not as common as software vulnerabilities in services, apps, or software products, but they do occur. For example, security vulnerabilities have in the past plagued top-tier chipsets like those from Intel and Apple. Furthermore, when chipset vulnerabilities do occur, they are often more serious and have broader consequences. This time, a surprisingly large number of security vulnerabilities affect a global semiconductor manufacturer that is among the top three semiconductor companies in the world: the American multinational technology giant Qualcomm, which famously produces the Snapdragon chipset. This chipset powers over 40% of all smartphones, which means countless Android devices from Samsung and Google, to name just a few. Qualcomm also owns patents on critical technologies like 5G and 4G, as well as other patents in wireless and telecommunications technology.
On August 2nd, 2021, Qualcomm published its August 2021 product security bulletin, a very lengthy security vulnerability release report. The report describes several proprietary and open-source software security issues that affect numerous Qualcomm chipsets. What is more, news about these security vulnerabilities arrived on the same day that news of Google abandoning Qualcomm’s chipsets appeared online. The semiconductor industry giants are in a global race for onshore chip production, so the situation is quite tense in the industry at the moment.
Qualcomm Security Vulnerabilities
The Qualcomm security vulnerability release report took a long time to be released and is very large. It contains dozens of security vulnerabilities affecting varying chipsets, each identified by a CVE ID (Common Vulnerabilities and Exposures) with a respective description. Of these vulnerabilities, it is important to note that 7 are marked as critical risk, while the rest range between medium and high risk. A CVSS score (Common Vulnerability Scoring System) was assigned to each vulnerability. The vulnerabilities have been addressed in both proprietary software and open-source software.
Technical Details of The Vulnerabilities
The proprietary software issues found by security researchers, with their respective CVE IDs, security ratings, CVSS ratings, technology areas, and reported dates, are as follows:
| CVE ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2021-1916 | Critical | Critical | Data Modem | Internal |
| CVE-2021-1919 | Critical | Critical | Data Modem | Internal |
| CVE-2021-1920 | Critical | Critical | Data Modem | Internal |
| CVE-2020-26140 | High | High | WLAN Firmware | 12/13/2020 |
| CVE-2020-26143 | High | High | WiFi Host | 12/13/2020 |
| CVE-2020-26144 | High | High | WiFi Host | 12/13/2020 |
| CVE-2020-26147 | High | High | WiFi Host | 12/13/2020 |
| CVE-2021-1914 | High | High | Data Modem | Internal |
| CVE-2021-1923 | High | High | HLOS | Internal |
| CVE-2021-30260 | High | High | WLAN Firmware | 02/14/2021 |
| CVE-2021-30261 | High | High | WLAN Firmware | 12/07/2017 |
The open-source software issues found by security researchers, with their respective CVE IDs, security ratings, CVSS ratings, technology areas, and reported dates, are as follows:
| CVE ID | Security Rating | CVSS Rating | Technology Area | Date Reported |
| --- | --- | --- | --- | --- |
| CVE-2020-11264 | Critical | Critical | WLAN Windows Host | 12/13/2020 |
| CVE-2020-11301 | Critical | Critical | WIGIG | 12/13/2020 |
| CVE-2021-1972 | Critical | Critical | WLAN HOST | 11/10/2020 |
| CVE-2021-1976 | Critical | Critical | WLAN HOST | Internal |
| CVE-2020-24587 | High | High | WLAN HOST | 12/13/2020 |
| CVE-2020-24588 | High | High | WLAN Firmware | 12/13/2020 |
| CVE-2020-26139 | High | High | WLAN Host Communication | 12/13/2020 |
| CVE-2020-26141 | High | High | WLAN HOST | 12/13/2020 |
| CVE-2020-26145 | High | High | WLAN HOST | 12/13/2020 |
| CVE-2020-26146 | High | High | WLAN HOST | 12/13/2020 |
| CVE-2021-1939 | High | High | Graphics | Internal |
| CVE-2021-1947 | High | High | Graphics | 12/11/2020 |
| CVE-2021-1978 | High | Medium | WLAN HOST | Internal |
| CVE-2021-1904 | High | Medium | Graphics | 09/15/2020 |
The Vulnerability Descriptions
Below is a description of the critical vulnerabilities only. All of the critical vulnerabilities may allow a remote attacker to compromise or gain full control of a system with unpatched software. All other information can be found in the Qualcomm security bulletin release report. The descriptions are as follows:
- CVE-2020-11264: critical risk from improper authentication caused by an error in WLAN Windows Host processing. A remote attacker can compromise the vulnerable system.
- CVE-2020-11301: critical risk from improper authentication caused by an error in WIGIG. A remote attacker can compromise the vulnerable system.
- CVE-2021-1972: critical risk from a buffer overflow caused by a boundary error in WLAN HOST. A remote attacker can compromise the vulnerable system.
- CVE-2021-1916: critical risk from an integer overflow in the Data Modem subsystem. A remote attacker can compromise the vulnerable system.
- CVE-2021-1919: critical risk from an integer overflow in RTCP packet processing in Data Modem. A remote attacker can compromise the vulnerable system.
- CVE-2021-1920: critical risk from an integer overflow in RTCP packet processing in Data Modem. A remote attacker can compromise the vulnerable system.
- CVE-2021-1976: critical risk from a use-after-free error when handling P2P device addresses in WLAN HOST.
Affected Chipset Models
The security vulnerabilities affect a wide range of Qualcomm products, including:
- Qualcomm APQ
- Qualcomm MDM
- Qualcomm AR
- Qualcomm AQT
- Qualcomm QCA
- Qualcomm MSM
- Qualcomm SD
- Qualcomm WCN
- Qualcomm WSA
Note: The complete list of all affected chipsets contains more than one hundred entries. It can be found on the release report page.
The Current Situation
Vulnerabilities in Qualcomm chipset software (just like vulnerabilities in Intel or TSMC products) mean that millions of devices powered by these products are open to remote attacks. For that reason, Qualcomm has long been at work on fixes. Patches have been released to address both the proprietary and open-source software vulnerabilities. According to Qualcomm’s report, “OEMs have been notified and strongly recommended to release patches on end devices.” For all users and OEMs of Qualcomm chipsets: patches and fixes can be found on the release report page. For the latest information, Qualcomm can also be contacted directly via their support page.
