CVE-2019-10603

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in Qualcomm Snapdragon chipsets allows attackers to potentially execute arbitrary code or cause denial of service when sending raw IPv6 messages while the real device interface is down. This affects numerous Qualcomm-based devices across automotive, mobile, IoT, and wearable platforms. The vulnerability requires local access to the affected device.

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Compute
  • Snapdragon Consumer Electronics Connectivity
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: Chipsets: APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8917, MSM8937, MSM8996AU, QCN7605, SDA845, SDM630, SDM636, SDM660, SDX20, SXR1130
Operating Systems: Android, Linux-based embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using vulnerable Qualcomm chipsets with IPv6 networking enabled. Requires local access to trigger the vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, arbitrary code execution with kernel privileges, or persistent device compromise.

🟠 Likely Case

Denial of service (device crash/reboot) or limited information disclosure from kernel memory.

🟢 If Mitigated

Minimal impact if proper access controls prevent unauthorized local access to affected systems.

🌐 Internet-Facing: LOW - Requires local access to the device; not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or compromised internal accounts with local access to affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and specific timing conditions (interface down during route lookup). No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm security bulletin for specific chipset firmware updates

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates.
2. Apply Qualcomm-provided patches for affected chipsets.
3. Update device firmware through manufacturer channels.
4. Reboot device after patching.

🔧 Temporary Workarounds

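Disable IPv6 raw sockets (linux)

Prevent use of raw IPv6 sockets, which trigger the vulnerable code path. Both commands below set the same kernel parameter and disable IPv6 on all interfaces; run either one as root. The change lasts until reboot unless it is also added to the sysctl configuration.

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
sysctl -w net.ipv6.conf.all.disable_ipv6=1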

Restrict local access (all)

Implement strict access controls to prevent unauthorized local access to affected devices

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected devices from untrusted networks
  • Deploy host-based security controls to detect and prevent privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm's affected products list

Check Version:

grep -i qualcomm /proc/cpuinfo; uname -a

Verify Fix Applied:

Verify firmware version has been updated to a version after March 2020 security patches

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash/reboot events
  • IPv6 raw socket creation attempts

Network Indicators:

  • Unusual IPv6 traffic patterns from affected devices
  • Raw IPv6 socket usage

SIEM Query:

source="kernel" AND ("panic" OR "oops") AND device_chipset IN (affected_qualcomm_chipsets)
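
An added example (not from the advisory or from Qualcomm): a shell check for the raw IPv6 socket indicator listed above and for whether the disable_ipv6 workaround is in effect. It assumes the standard Linux /proc/net/raw6 table layout; the function names and the --audit argument are hypothetical.

```shell
#!/bin/sh
# Added example: report open raw IPv6 sockets and the disable_ipv6 state.
# File paths are parameters so saved copies of the /proc files can be audited.

# Print "proto=<n> uid=<n> inode=<n>" for each socket in a file that uses the
# /proc/net/raw6 layout. In that table the local "port" column holds the IP
# protocol number in hex (003A = 58 = ICMPv6); uid is column 8, inode column 10.
list_raw6_sockets() {
    [ -r "$1" ] || return 0
    awk 'NR > 1 && NF >= 10 {
        n = split($2, a, ":"); hex = toupper(a[n]); proto = 0
        for (i = 1; i <= length(hex); i++)
            proto = proto * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
        printf "proto=%d uid=%s inode=%s\n", proto, $8, $10
    }' "$1"
}

# Number of raw IPv6 sockets listed in the given file.
count_raw6_sockets() {
    list_raw6_sockets "$1" | wc -l | tr -d ' '
}

# Succeeds when the given file (layout of
# /proc/sys/net/ipv6/conf/all/disable_ipv6) contains 1.
ipv6_disabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Summarise both checks; defaults point at the live /proc entries.
audit() {
    raw6=${1:-/proc/net/raw6}
    flag=${2:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    if ipv6_disabled "$flag"; then
        echo "workaround: disable_ipv6=1"
    else
        echo "workaround: NOT applied"
    fi
    echo "raw IPv6 sockets open: $(count_raw6_sockets "$raw6")"
    list_raw6_sockets "$raw6"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Raw ICMPv6 sockets owned by system network daemons are common, so triage the output by uid and inode instead of treating every entry as suspicious.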
