The Android Security Bulletin for August 2019 is out today and this month’s Android security patches include a fix for two dangerous vulnerabilities that impact devices with Qualcomm chips.
Known collectively as QualPwn, these two vulnerabilities “allow attackers to compromise the Android Kernel over-the-air,” according to Tencent Blade, a cyber-security division at Tencent, one of China’s biggest tech firms.
The over-the-air attack is not a fully remote attack, meaning it can’t be executed over the internet. To launch a QualPwn attack, the attacker and the target must be on the same WiFi network.
Nonetheless, the QualPwn attacks don’t require user interaction, and Android users with affected Qualcomm chipsets will need to look into installing the August 2019 Android OS security patch.
QualPwn vulnerabilities breakdown
The two QualPwn vulnerabilities are as follow:
- CVE-2019-10538 – a buffer overflow that impacts the Qualcomm WLAN component and the Android Kernel.
- CVE-2019-10540 – a buffer overflow in the Qualcomm WLAN and modem firmware that ships with Qualcomm chips.
The first issue was patched with a code fix in the Android operating system source code, while the second bug was patched with a code fix in Qualcomm’s closed-source firmware that ships on a limited set of devices.
Tencent researchers said they only tested the QualPwn attacks on Google Pixel 2 and Pixel 3 devices, using Qualcomm Snapdragon 835 and Snapdragon 845 chips.
However, in a security advisory posted on its website for the second bug (CVE-2019-10540), Qualcomm said this vulnerability impacted many more other chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.
Tencent Blade said they discovered the bugs on their own, and that they haven’t seen any public exploitation attempts, to their knowledge.
The researchers plan to provide a more in-depth look at the QualPwn vulnerabilities and the over-the-air attack at the Black Hat USA 2019 security conference, this week, and the DEFCON 27 security conference, the week after that.
More vulnerability reports: