CVE-2019-10611

Q: What is the severity of CVE-2019-10611?

CVE-2019-10611 has a CVSS score of 9.8 (CRITICAL). A buffer overflow vulnerability in Qualcomm Snapdragon chipsets allows attackers to execute arbitrary code or cause denial of service by sending specially crafted clip data. This affects numerous Qualcomm-based devices across automotive, mobile, IoT, and wearable platforms. The vulnerability is rated CRITICAL with CVSS 9.8 due to its potential for remote code execution.

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Qualcomm Snapdragon chipsets allows attackers to execute arbitrary code or cause denial of service by sending specially crafted clip data. This affects numerous Qualcomm-based devices across automotive, mobile, IoT, and wearable platforms. The vulnerability is rated CRITICAL with CVSS 9.8 due to its potential for remote code execution.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Connectivity
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon IoT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wearables

Versions: All versions before January 2020 security patches

Operating Systems: Android, Linux-based embedded systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects specific chipset models: APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, Nicobar, QCS605, QM215, SA6155P, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM8150, SM8250, SXR1130, SXR2130

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with kernel privileges leading to complete device compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Denial of service (device crash/reboot) or limited code execution in user-space processes.

🟢

If Mitigated

No impact if patched or if exploit attempts are blocked by network/application controls.

🌐 Internet-Facing: HIGH - Many affected devices are mobile/IoT devices directly exposed to the internet.

🏢 Internal Only: MEDIUM - Enterprise devices behind firewalls are still vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending malicious clip data to vulnerable processing functions. No public exploit code is known, but the vulnerability is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2020 security patches and later

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates. 2. Apply January 2020 or later security patches. 3. Reboot device after update. 4. Verify patch installation.

🔧 Temporary Workarounds

Network segmentation

all

Isolate vulnerable devices from untrusted networks

Disable vulnerable services

linux

Disable clip processing services if not required

🧯 If You Can't Patch

Segment vulnerable devices in isolated network zones
Implement strict network filtering to block suspicious clip data

🔍 How to Verify

Check if Vulnerable:

Check device firmware version and chipset model against affected list. Use 'cat /proc/cpuinfo' to identify chipset.

Check Version:

On Linux/Android: 'getprop ro.build.version.security_patch' or 'cat /proc/cpuinfo'

Verify Fix Applied:

Verify security patch level is January 2020 or later. On Android: Settings > About phone > Android security patch level.

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Process crashes related to clip processing
Memory corruption errors

Network Indicators:

Unusual clip data patterns
Exploit attempts from unknown sources

SIEM Query:

search 'kernel panic' OR 'segmentation fault' AND process_name contains 'clip'

📊 Metadata

CVE ID: CVE-2019-10611

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-129

Published: January 21, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/january-2020-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8009 Firmware by Qualcomm

Apq8017 Firmware by Qualcomm

Apq8053 Firmware by Qualcomm

Apq8064 Firmware by Qualcomm

Apq8096au Firmware by Qualcomm

Apq8098 Firmware by Qualcomm

Mdm9206 Firmware by Qualcomm

Mdm9207c Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Msm8905 Firmware by Qualcomm

Msm8909 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Msm8917 Firmware by Qualcomm

Msm8920 Firmware by Qualcomm

Msm8937 Firmware by Qualcomm

Msm8939 Firmware by Qualcomm

Msm8940 Firmware by Qualcomm

Msm8953 Firmware by Qualcomm

Msm8996 Firmware by Qualcomm

Nicobar Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Qm215 Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sda660 Firmware by Qualcomm

Sda845 Firmware by Qualcomm

Sdm429 Firmware by Qualcomm

Sdm429w Firmware by Qualcomm

Sdm439 Firmware by Qualcomm

Sdm450 Firmware by Qualcomm

Sdm632 Firmware by Qualcomm

Sdm660 Firmware by Qualcomm

Sdm670 Firmware by Qualcomm

Sdm710 Firmware by Qualcomm

Sdm845 Firmware by Qualcomm

Sdx20 Firmware by Qualcomm

Sm6150 Firmware by Qualcomm

Sm8150 Firmware by Qualcomm

Sm8250 Firmware by Qualcomm

Sxr1130 Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm