CVE-2019-14042

Q: What is the severity of CVE-2019-14042?

CVE-2019-14042 has a CVSS score of 7.1 (HIGH). This vulnerability allows an attacker to read memory outside the intended buffer in the fingerprint application on Qualcomm Snapdragon chipsets. It affects multiple Qualcomm platforms across automotive, compute, mobile, and IoT devices. Attackers could potentially access sensitive information or cause system instability.

7.1 HIGH

📋 TL;DR

This vulnerability allows an attacker to read memory outside the intended buffer in the fingerprint application on Qualcomm Snapdragon chipsets. It affects multiple Qualcomm platforms across automotive, compute, mobile, and IoT devices. Attackers could potentially access sensitive information or cause system instability.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Connectivity
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wired Infrastructure and Networking

Versions: Specific chipset versions: Kamorta, MDM9205, Nicobar, QCS404, QCS405, QCS605, Rennell, SA415M, SA6155P, SC7180, SC8180X, SDM670, SDM710, SDM845, SDM850, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

Operating Systems: Android and other embedded OS using affected Qualcomm chipsets

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using the vulnerable fingerprint application implementation on listed Qualcomm platforms. Requires fingerprint functionality to be enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of sensitive data from memory, potential system crash or denial of service, and possible elevation of privileges if combined with other vulnerabilities.

🟠

Likely Case

Information disclosure leading to exposure of fingerprint data or other sensitive information stored in adjacent memory, potentially causing application crashes.

🟢

If Mitigated

Limited impact with proper memory protections and sandboxing, though some information leakage may still occur.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the fingerprint application and is not directly exploitable over network interfaces.

🏢 Internal Only: MEDIUM - Requires local access to the device, but could be exploited by malicious apps or users with physical access to affected devices.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the fingerprint application and knowledge of memory layout. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available through Qualcomm security bulletin from May 2020

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for available firmware updates. 2. Apply Qualcomm-provided patches through OEM firmware updates. 3. Reboot device after update installation. 4. Verify patch installation through device security settings.

🔧 Temporary Workarounds

Disable fingerprint authentication

android

Temporarily disable fingerprint authentication to prevent exploitation of the vulnerable component

Navigate to Settings > Security > Fingerprint and disable fingerprint unlock

Restrict fingerprint app permissions

android

Limit permissions for fingerprint-related applications to reduce attack surface

adb shell pm revoke [fingerprint_package] android.permission.USE_FINGERPRINT

🧯 If You Can't Patch

Isolate affected devices from sensitive networks and data
Implement application whitelisting to prevent unauthorized apps from accessing fingerprint functionality

🔍 How to Verify

Check if Vulnerable:

Check device chipset model in Settings > About phone > Hardware info and compare with affected list. Check fingerprint functionality for abnormal behavior.

Check Version:

adb shell getprop ro.boot.hardware.sku or adb shell getprop ro.board.platform

Verify Fix Applied:

Verify security patch level in Settings > About phone > Android version > Security patch level is May 2020 or later. Test fingerprint functionality for stability.

📡 Detection & Monitoring

Log Indicators:

Fingerprint service crashes
Memory access violations in system logs
Unexpected fingerprint authentication attempts

Network Indicators:

No direct network indicators - local vulnerability

SIEM Query:

source="android_system" AND ("fingerprint" AND ("crash" OR "exception" OR "out of bounds"))

📊 Metadata

CVE ID: CVE-2019-14042

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE: CWE-125

Published: June 2, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/may-2020-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Kamorta Firmware by Qualcomm

Mdm9205 Firmware by Qualcomm

Nicobar Firmware by Qualcomm

Qcs404 Firmware by Qualcomm

Qcs405 Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Rennell Firmware by Qualcomm

Sa415m Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sc7180 Firmware by Qualcomm

Sc8180x Firmware by Qualcomm

Sdm670 Firmware by Qualcomm

Sdm710 Firmware by Qualcomm

Sdm845 Firmware by Qualcomm

Sdm850 Firmware by Qualcomm

Sdx24 Firmware by Qualcomm

Sdx55 Firmware by Qualcomm

Sm6150 Firmware by Qualcomm

Sm7150 Firmware by Qualcomm

Sm8150 Firmware by Qualcomm

Sm8250 Firmware by Qualcomm

Sxr1130 Firmware by Qualcomm

Sxr2130 Firmware by Qualcomm