CVE-2019-14050

Q: What is the severity of CVE-2019-14050?

CVE-2019-14050 has a CVSS score of 7.8 (HIGH). This CVE describes a buffer overflow vulnerability in Qualcomm Snapdragon chipsets affecting 32-bit architectures. An attacker could execute arbitrary code or cause denial of service by exploiting out-of-bounds writes. The vulnerability affects multiple Qualcomm platforms used in automotive, mobile, IoT, and networking devices.

7.8 HIGH

Buffer Overflow

📋 TL;DR

This CVE describes a buffer overflow vulnerability in Qualcomm Snapdragon chipsets affecting 32-bit architectures. An attacker could execute arbitrary code or cause denial of service by exploiting out-of-bounds writes. The vulnerability affects multiple Qualcomm platforms used in automotive, mobile, IoT, and networking devices.

💻 Affected Systems

Products:

Snapdragon Auto
Snapdragon Compute
Snapdragon Consumer IOT
Snapdragon Industrial IOT
Snapdragon Mobile
Snapdragon Voice & Music
Snapdragon Wired Infrastructure and Networking

Versions: Specific chipset models: APQ8009, MDM9150, MDM9205, MDM9607, MDM9650, MSM8905, Nicobar, QCS405, QCS605, Rennell, SA6155P, SDA660, SDA845, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX24, SM6150, SM7150, SM8150, SXR1130

Operating Systems: Android, Linux-based embedded systems, Qualcomm proprietary OS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects 32-bit architecture implementations of these chipsets. 64-bit implementations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service causing device crashes or instability, potentially requiring physical reset.

🟢

If Mitigated

Limited impact with proper memory protection mechanisms and exploit mitigations in place.

🌐 Internet-Facing: MEDIUM - Affects devices that may be internet-accessible (IoT, mobile, networking gear), but exploitation requires specific conditions.

🏢 Internal Only: MEDIUM - Affects internal systems using vulnerable chipsets, though exploitation requires local access or network proximity.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires specific conditions and knowledge of the vulnerable buffer handling. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Qualcomm security bulletin for specific firmware versions

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin

Restart Required: Yes

Instructions:

1. Check device manufacturer for firmware updates. 2. Apply Qualcomm-provided patches through OEM firmware updates. 3. Reboot device after update. 4. Verify patch installation.

🔧 Temporary Workarounds

Disable vulnerable services

all

Identify and disable services using the vulnerable component if not essential

Memory protection enforcement

linux

Enable ASLR and other memory protection mechanisms if available

🧯 If You Can't Patch

Network segmentation to isolate vulnerable devices
Implement strict access controls and monitoring for affected systems

🔍 How to Verify

Check if Vulnerable:

Check device chipset model and firmware version against Qualcomm advisory. Use 'cat /proc/cpuinfo' on Linux systems to identify chipset.

Check Version:

Check device settings for firmware version or use manufacturer-specific commands

Verify Fix Applied:

Verify firmware version has been updated to patched version from OEM. Check Qualcomm security bulletin for fixed versions.

📡 Detection & Monitoring

Log Indicators:

Unexpected process crashes
Memory access violation logs
Kernel panic events

Network Indicators:

Unusual network traffic from affected devices
Connection attempts to suspicious ports

SIEM Query:

Process termination events with memory violation error codes from affected devices

📊 Metadata

CVE ID: CVE-2019-14050

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: March 5, 2020

Last Updated: November 21, 2024

🔗 References

https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin Vendor Advisory
https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Apq8009 Firmware by Qualcomm

Mdm9150 Firmware by Qualcomm

Mdm9205 Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Mdm9650 Firmware by Qualcomm

Msm8905 Firmware by Qualcomm

Nicobar Firmware by Qualcomm

Qcs405 Firmware by Qualcomm

Qcs605 Firmware by Qualcomm

Rennell Firmware by Qualcomm

Sa6155p Firmware by Qualcomm

Sda660 Firmware by Qualcomm

Sda845 Firmware by Qualcomm

Sdm630 Firmware by Qualcomm

Sdm636 Firmware by Qualcomm

Sdm660 Firmware by Qualcomm

Sdm670 Firmware by Qualcomm

Sdm710 Firmware by Qualcomm

Sdm845 Firmware by Qualcomm

Sdm850 Firmware by Qualcomm

Sdx24 Firmware by Qualcomm

Sm6150 Firmware by Qualcomm

Sm7150 Firmware by Qualcomm

Sm8150 Firmware by Qualcomm

Sxr1130 Firmware by Qualcomm