CVE-2020-11180

Q: What is the severity of CVE-2020-11180?

CVE-2020-11180 has a CVSS score of 7.8 (HIGH). CVE-2020-11180 is an out-of-bounds memory access vulnerability in Qualcomm Snapdragon chipsets' computer vision control due to improper command length validation. This allows attackers to potentially execute arbitrary code or cause denial of service on affected devices. The vulnerability affects various Snapdragon platforms including Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, and Mobile.

7.8 HIGH

📋 TL;DR

CVE-2020-11180 is an out-of-bounds memory access vulnerability in Qualcomm Snapdragon chipsets' computer vision control due to improper command length validation. This allows attackers to potentially execute arbitrary code or cause denial of service on affected devices. The vulnerability affects various Snapdragon platforms including Auto, Compute, Connectivity, Consumer IoT, Industrial IoT, and Mobile.

💻 Affected Systems

Products:

Qualcomm Snapdragon Auto
Snapdragon Compute
Snapdragon Connectivity
Snapdragon Consumer IoT
Snapdragon Industrial IoT
Snapdragon Mobile

Versions: Specific chipset versions as listed in Qualcomm December 2020 bulletin

Operating Systems: Android, Linux-based IoT systems, Automotive systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices using vulnerable Snapdragon chipsets with computer vision features enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service causing device crashes or instability, potentially leading to temporary loss of functionality.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: MEDIUM - Requires specific conditions and access to vulnerable services, but many IoT/mobile devices are internet-connected.

🏢 Internal Only: MEDIUM - Could be exploited through malicious apps or compromised internal network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires sending specially crafted commands to the vulnerable computer vision control component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to device manufacturer updates for specific firmware versions

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/december-2020-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates. 2. Apply the latest security patches from device vendor. 3. Reboot device after update installation.

🔧 Temporary Workarounds

Disable computer vision features

all

If computer vision functionality is not required, disable it to reduce attack surface.

Device-specific configuration commands vary by manufacturer

Network segmentation

all

Isolate affected devices from untrusted networks and implement strict firewall rules.

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Monitor for unusual device behavior or crashes

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against manufacturer's security bulletin and verify if using affected Snapdragon chipset.

Check Version:

Device-specific commands vary (e.g., Android: 'getprop ro.build.fingerprint', Linux-based: check /proc/version or manufacturer tools)

Verify Fix Applied:

Confirm device firmware has been updated to version containing December 2020 or later security patches from manufacturer.

📡 Detection & Monitoring

Log Indicators:

Unexpected device crashes
Memory access violation logs
Computer vision service failures

Network Indicators:

Unusual network traffic to computer vision services
Suspicious command patterns

SIEM Query:

Search for: 'computer vision service crash' OR 'memory access violation' AND device_type contains 'Snapdragon'

📊 Metadata

CVE ID: CVE-2020-11180

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: January 21, 2021

Last Updated: November 21, 2024

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Aqt1000 by Qualcomm

Pm3003a by Qualcomm

Pm6150 by Qualcomm

Pm7150a by Qualcomm

Pm7150l by Qualcomm

Pm7250 by Qualcomm

Pm7250b by Qualcomm

Pm8004 by Qualcomm

Pm8008 by Qualcomm

Pm8009 by Qualcomm

Pm8150 by Qualcomm

Pm8150a by Qualcomm

Pm8150b by Qualcomm

Pm8150c by Qualcomm

Pm8150l by Qualcomm

Pm8250 by Qualcomm

Pm855 by Qualcomm

Pm855b by Qualcomm

Pm855l by Qualcomm

Pm855p by Qualcomm

Pmc1000h by Qualcomm

Pmk8002 by Qualcomm

Pmk8003 by Qualcomm

Pmm6155au by Qualcomm

Pmm8155au by Qualcomm

Pmm8195au by Qualcomm

Pmm855au by Qualcomm

Pmr525 by Qualcomm

Pmr735b by Qualcomm

Pmx50 by Qualcomm

Pmx55 by Qualcomm

Qat3516 by Qualcomm

Qat3518 by Qualcomm

Qat3519 by Qualcomm

Qat3555 by Qualcomm

Qat5515 by Qualcomm

Qat5522 by Qualcomm

Qat5533 by Qualcomm

Qbt1500 by Qualcomm

Qbt2000 by Qualcomm

Qca6390 by Qualcomm

Qca6391 by Qualcomm

Qca6420 by Qualcomm

Qca6421 by Qualcomm

Qca6426 by Qualcomm

Qca6430 by Qualcomm

Qca6431 by Qualcomm

Qca6436 by Qualcomm

Qca6574 by Qualcomm

Qca6574a by Qualcomm

Qca6574au by Qualcomm

Qca6595au by Qualcomm

Qca6696 by Qualcomm

Qdm2301 by Qualcomm

Qdm2305 by Qualcomm

Qdm3301 by Qualcomm

Qdm5620 by Qualcomm

Qdm5621 by Qualcomm

Qdm5650 by Qualcomm

Qdm5652 by Qualcomm

Qdm5670 by Qualcomm

Qdm5671 by Qualcomm

Qdm5677 by Qualcomm

Qdm5679 by Qualcomm

Qet4101 by Qualcomm

Qet5100 by Qualcomm

Qet6110 by Qualcomm

Qfs2530 by Qualcomm

Qfs2580 by Qualcomm

Qln4642 by Qualcomm

Qln4650 by Qualcomm

Qln5020 by Qualcomm

Qln5030 by Qualcomm

Qln5040 by Qualcomm

Qpa2625 by Qualcomm

Qpa5580 by Qualcomm

Qpa6560 by Qualcomm