Vulnerability in Qualcomm chips that allows attacking an Android device via Wi-Fi

Three vulnerabilities, presented under the code name “QualPwn”, have been identified in Qualcomm's wireless chip stack. The first issue (CVE-2019-10539) allows Android devices to be attacked remotely over Wi-Fi. The second is present in the proprietary firmware of the Qualcomm wireless stack and allows access to the baseband modem (CVE-2019-10540). The third is present in the icnss driver (CVE-2019-10538) and makes it possible to achieve code execution at the kernel level of the Android platform. If a combination of these vulnerabilities is successfully exploited, the attacker can remotely gain control of a user's device on which Wi-Fi is active (the attack requires that the victim and the attacker be connected to the same wireless network).

The attack was demonstrated on Google Pixel 2 and Pixel 3 smartphones. The researchers estimate that the problem potentially affects more than 835 thousand devices based on the Qualcomm Snapdragon 835 SoC and newer chips (starting with the Snapdragon 835, the WLAN firmware was integrated with the modem subsystem and runs as an isolated application in user space). According to Qualcomm, the problem affects several dozen different chips.

Currently, only general information about the vulnerabilities is available; the details are planned to be revealed on August 8 at the Black Hat conference. Qualcomm and Google were notified of the problems in March and have already released fixes (Qualcomm disclosed the problems in its June report, and Google fixed the vulnerabilities in the August Android platform update). All users of devices based on Qualcomm chips are advised to install the available updates.

In addition to the issues related to Qualcomm chips, the August update to the Android platform also eliminates a critical vulnerability (CVE-2019-11516) in the Broadcom Bluetooth stack, which allows an attacker to execute code in the context of a privileged process by sending a specially crafted data transfer request. A vulnerability (CVE-2019-2130) has also been resolved in Android system components that could allow code execution with elevated privileges when processing specially crafted PAC files.

Source: opennet.ru