CVE-2020-11184

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Qualcomm Snapdragon devices by exploiting a buffer overflow in the video parser when processing specially crafted MP4 files. It affects multiple Snapdragon platforms across automotive, compute, industrial IoT, and mobile sectors. With a CVSS score of 9.8, this is a critical vulnerability that could lead to complete system compromise.

💻 Affected Systems

Products:
  • QCM4290
  • QCS4290
  • QM215
  • QSM8350
  • SA6145P
  • SA6155
  • SA6155P
  • SA8155
  • SA8155P
  • SDX55
  • SDX55M
  • SM4250
  • SM4250P
  • SM6115
  • SM6115P
  • SM6125
  • SM6250
  • SM6350
  • SM7125
  • SM7225
  • SM7250
  • SM7250P
  • SM8150
  • SM8150P
  • SM8250
  • SM8350
  • SM8350P
  • SXR2130
  • SXR2130P
Versions: Specific firmware versions before November 2020 patches
Operating Systems: Android-based systems and other embedded OS using affected Snapdragon platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using Qualcomm's video processing components. The vulnerability is in the firmware/hardware abstraction layer, so patching requires firmware updates from device manufacturers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full device compromise, data theft, persistent backdoor installation, and potential lateral movement within networks.

🟠 Likely Case: Application crash (denial of service) or limited code execution within the video processing context, potentially escalating to full system compromise.

🟢 If Mitigated: Application crash without code execution if memory protections like ASLR/DEP are effective, but still results in service disruption.

🌐 Internet-Facing: HIGH - Attackers can exploit this by sending malicious MP4 files through various channels including web browsers, messaging apps, or media players.
🏢 Internal Only: HIGH - Malicious MP4 files could be delivered through internal applications, email attachments, or file shares.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious MP4 file with specific esds atom size manipulation. No public exploit code was available at disclosure time, but the vulnerability is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates released by device manufacturers in late 2020/early 2021

Vendor Advisory: https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates.
2. Apply the latest firmware/security patch.
3. Reboot device.
4. Verify patch installation through system settings.

🔧 Temporary Workarounds

  • Disable automatic media processing (all platforms): Prevent automatic parsing of MP4 files by applications
  • Use application sandboxing (all platforms): Run media players in restricted environments with limited permissions

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks and internet access
  • Implement strict file upload filtering to block MP4 files from untrusted sources
  • Use network segmentation to limit potential lateral movement
  • Monitor for abnormal media processing behavior or crashes

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version against the manufacturer's security bulletins. On Android, look for a security patch level of November 2020 or later.

Check Version:

On Android: adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is November 2020 or later in Settings > About phone > Android security patch level. Confirm with device manufacturer that specific firmware includes CVE-2020-11184 fix.
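The patch-level check above can be scripted across every attached device. This is an added example, not vendor or manufacturer tooling; the function names, the status labels and the 2020-11-01 baseline string are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# November 2020 baseline this page names for CVE-2020-11184.

# Assumption: 2020-11-01 is the earliest patch-level string for November 2020.
BASELINE="2020-11-01"

# patch_status LEVEL -> prints "level-ok", "outdated" or "unknown".
# "level-ok" only means the reported level meets the baseline; the page still
# asks for manufacturer confirmation that the firmware carries the fix.
patch_status() {
    # Older adb versions append a carriage return to shell output.
    level=$(printf '%s' "$1" | tr -d '\r')
    # Accept only YYYY-MM-DD; empty or vendor-specific strings are "unknown".
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Drop the dashes so the two dates compare as plain integers.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$BASELINE" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo level-ok
    else
        echo outdated
    fi
}

# check_devices: print "<serial> <patch level> <status>" per attached device.
check_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from swallowing the rest of the serial list.
        level=$(adb -s "$serial" shell getprop \
            ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial ${level:-none} $(patch_status "$level")"
    done
}

# Only touch adb when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--scan" ]; then
    check_devices
fi
```

Run it with --scan to query attached devices; treat "unknown" as needing a manual check rather than as patched.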

📡 Detection & Monitoring

Log Indicators:

  • Video processing service crashes
  • Media player application failures
  • Kernel panic logs related to video drivers
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual MP4 file transfers to devices
  • Multiple failed media processing attempts
  • Traffic patterns suggesting file delivery for exploitation

SIEM Query:

source="*kernel*" AND ("video" OR "mp4" OR "esds") AND ("crash" OR "panic" OR "buffer overflow")
