In this month’s Security Bulletin, Android has rolled out security updates that solve two dangerous vulnerabilities. The vulnerabilities are contained in Qualcomm chips and affect every device that is equipped with these chipsets.
The two vulnerabilities are called QualPwn together, writes ZDNet. With the errors, attackers can remotely compromise the Android Kernel. It is an over-the-air-attack, which means that the attacker and the target must be on the same Wi-Fi network.
However, the QualPwn attacks do not require user interactions. Android users with affected Qualcomm chips are therefore advised to install the August 2019 Android OS security update.
The first vulnerability found in CVE-2019-10538 is a buffer overflow that affects the Qualcomm QLAN component and the Android Kernel. The error can be abused by sending specially designed packets to a device’s WLAN interface, after which hackers can execute code with kernel privileges.
The second vulnerability found, CVE-2019-10540, is also a buffer overflow in the WLAN component. This vulnerability also affects the modem firmware supplied with the Qualcomm chipsets. This exploit can also be abused by sending specially designed packages to the modem of an Android device. Even then, hackers can execute code on the attacked device.
Researchers from Tencent’s security department have tried QualPwn attacks on Google’s Pixel 2 and Pixel 3 smartphones that have Snapdragon 835 and Snapdragon 845 chipsets.
According to Qualcomm itself, other chipsets are also vulnerable to the error CVE-2019-10540. These are the following chipsets: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660 and SXR1130.
The first vulnerability found has been solved with a code-fix in the source code of Android. The second vulnerability is patchy with a code-fix in Qualcomm’s closed-source firmware that comes with a limited number of devices.This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.