QualPwn - Exploiting Qualcomm WLAN and Modem Over The Air

QualPwn is a series of vulnerabilities discovered in Qualcomm chips. One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances. These vulnerabilities were discovered by Tencent Blade Team. We will share what we found about QualPwn at BlackHat USA 2019 and DEFCON 27.



Q & A


(1) Am I affected by the vulnerability?

We did not test all Qualcomm chips; we only tested the Google Pixel 2 and Pixel 3. Results of our tests indicate that unpatched phones running on the Qualcomm Snapdragon 835 and 845 may be vulnerable.


(2) What is the impact of this vulnerability?

In some circumstances, the Android Kernel could be compromised by attackers over-the-air.


(3) What is the CVE ID of this vulnerability?

The first issue (Compromise WLAN Issue) - CVE-2019-10539

The second issue (WLAN into Modem issue) - CVE-2019-10540

The third issue (Modem into Linux Kernel issue) - CVE-2019-10538


(4) Has “QualPwn” been abused in the wild?

We have not found any public full exploit code for these vulnerabilities.


(5) Is there a workaround/fix?

We have reported all the details of the vulnerabilities to Google and Qualcomm, who have issued fixes. Qualcomm released a security bulletin to OEMs on 2019-6-03 describing the issues and requesting that the OEMs download and incorporate the appropriate patches. Please check the Google and Qualcomm security bulletins for further information and updates.

Android security bulletin: https://source.android.com/security/bulletin/2019-08-01

Qualcomm security bulletin: https://www.qualcomm.com/company/product-security/bulletins


(6) Are there plans to disclose details of the vulnerability?

Not yet. We follow the responsible vulnerability disclosure process and will not disclose details of the vulnerabilities until we’re informed that the flaws are fixed and consumers have time to install security updates on their devices.


(7) Does Qualcomm have a statement on the issue?

“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from Tencent for using industry-standard coordinated disclosure practices through our Vulnerability Rewards Program. Qualcomm Technologies has already issued fixes to OEMs, and we encourage end users to update their devices as patches become available from OEMs.”



Timeline


2019-2-14 Find the Modem debug vulnerability on MSM8998

2019-3-24 Find the WLAN issue and report to Google

2019-3-28 Google forwards the issue to Qualcomm

2019-4-24 Google confirms the WLAN issue as Critical

2019-5-08 Find the WLAN into Linux Kernel issue and report to Google

2019-5-24 Google confirms the WLAN into Linux Kernel issue

2019-6-03 CVEs assigned by Qualcomm

2019-6-03 Qualcomm notifies and issues fixes to OEMs

2019-6-17 Submit the full exploit chain (OTA -> WLAN -> Kernel) to Google

2019-8-05 Both Qualcomm and Google Android release security bulletins including these issues

2019-8-08 Public disclosure of vulnerabilities by Tencent Blade Team at BlackHat conference