CVE-2019-2324

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an attacker to execute arbitrary code or cause denial of service when the ADSP (Audio Digital Signal Processor) is compromised. The compromised ADSP returns an audio port index outside the valid range, leading to out-of-bounds memory access. Affected devices include numerous Snapdragon-based systems across automotive, IoT, mobile, and wearable platforms.
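The bug class described above, as an added illustration that is not Qualcomm's driver code and not part of the original advisory: a host-side handler that takes a port index from a DSP message, shown unchecked and then with a range check. The table size, structure, and function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define AUDIO_PORT_MAX 8   /* assumed table size, not from the advisory */

static uint32_t port_state[AUDIO_PORT_MAX];

/* Hypothetical DSP-to-host message; both fields are untrusted input. */
struct dsp_port_event {
    int32_t  port_index;
    uint32_t new_state;
};

/* Unchecked form: an index outside 0..AUDIO_PORT_MAX-1 writes outside port_state. */
int handle_port_event_unchecked(const struct dsp_port_event *ev)
{
    port_state[ev->port_index] = ev->new_state;
    return 0;
}

/* Checked form: validate the index before it touches memory. */
int handle_port_event(const struct dsp_port_event *ev)
{
    /* Casting to unsigned rejects negative and too-large values in one test. */
    if ((uint32_t)ev->port_index >= AUDIO_PORT_MAX)
        return -ERANGE;
    port_state[ev->port_index] = ev->new_state;
    return 0;
}

/* Demo helper: build an event and pass it to the checked handler. */
int deliver(int32_t index, uint32_t state)
{
    struct dsp_port_event ev = { index, state };
    return handle_port_event(&ev);
}

/* Bounds-checked read of the table, used to confirm what was written. */
uint32_t get_state(uint32_t i) { return i < AUDIO_PORT_MAX ? port_state[i] : 0; }

int main(void)
{
    int32_t samples[] = { 3, 8, -1, 0x7fffffff };   /* constructed inputs */
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("index %d -> %d\n", (int)samples[i], deliver(samples[i], 1));
    return 0;
}
```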

💻 Affected Systems

Products:
  • Snapdragon Auto
  • Snapdragon Connectivity
  • Snapdragon Consumer IOT
  • Snapdragon Industrial IOT
  • Snapdragon IoT
  • Snapdragon Mobile
  • Snapdragon Voice & Music
  • Snapdragon Wearables
Versions: Various firmware versions on listed chipsets
Operating Systems: Android-based systems and embedded OS on affected chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific Snapdragon chipset models: MDM9150, MDM9206, MDM9607, MDM9615, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 845 / SD 850, SD 855, SDX20, SDX24

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with kernel privileges leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service (device crash/reboot) or limited information disclosure from memory corruption.

🟢

If Mitigated

No impact if patched or if ADSP compromise is prevented through other security controls.

🌐 Internet-Facing: MEDIUM - Requires ADSP compromise first, but many affected devices have internet connectivity.
🏢 Internal Only: HIGH - Once ADSP is compromised locally, this vulnerability provides privilege escalation within the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ADSP compromise first, then exploitation of the out-of-bounds access. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patches from 2019 onward

Vendor Advisory: https://source.android.com/security/bulletin/

Restart Required: Yes

Instructions:

1. Check for Android security updates from device manufacturer.
2. Apply latest available security patch.
3. For embedded devices, contact Qualcomm or device manufacturer for firmware updates.

🔧 Temporary Workarounds

ADSP Isolation

all

Implement strict isolation between ADSP and main processor to prevent ADSP compromise.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected devices from critical networks.
  • Deploy application whitelisting and runtime protection to detect exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level (Settings > About phone > Android security patch level). If it predates the 2019 patches, the device is likely vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is from 2019 or later. For embedded devices, check firmware version with manufacturer.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • ADSP crash reports
  • Memory access violation logs

Network Indicators:

  • Unusual ADSP communication patterns
  • Suspicious audio service requests

SIEM Query:

Device logs containing 'ADSP', 'audio', 'out of bounds', or 'memory corruption' keywords
