Qualcomm Extended Capabilities vulnerability

New Qualcomm vulnerabilities

CVE-2019-10539, CVE-2019-10540, and CVE-2019-10538 have been issued as part of a new set of bugs found by Tencent. As detailed in a Threatpost article, these can lead to arbitrary code execution in the kernel on Android devices, and may affect other devices using Qualcomm chipsets.

Of particular interest is:

The first critical bug (CVE-2019-10539) is identified by researchers as a “buffer copy without checking size of input in WLAN.” Qualcomm describes it as a “possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length.”

The Extended Capabilities IE, tag #127, should never be more than 10 bytes long; this makes it easy to write a fingerprint alert for it.

Kismet-git now has the QCOMEXTENDED alert, which is raised whenever an Extended Capabilities element is observed with an incorrect size. These attacks have not yet been seen in the wild, but now that the bugs are public, more probing around those IE tags is likely.
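The same check, written as an added standalone example rather than Kismet's own alert code: it walks the tagged-parameter section of a beacon or probe response, and flags any Extended Capabilities element (tag 127) whose declared length exceeds the 10-byte limit described above or runs past the end of the frame. The sample IE sections are constructed inline, not real captures.

```python
"""Flag oversized 802.11 Extended Capabilities elements (tag 127).

Added example, not Kismet's code. Input is the tagged-parameter
section of a management frame body (the bytes after the fixed
fields), i.e. a sequence of <tag><length><payload> elements.
"""

EXT_CAP_TAG = 127       # Extended Capabilities element ID
EXT_CAP_MAX_LEN = 10    # limit used by the QCOMEXTENDED alert


def parse_ies(body: bytes):
    """Yield (tag, declared_length, payload) for each element.

    If an element's declared length overruns the frame, the short
    payload is yielded as-is and parsing stops, since nothing after
    it can be trusted.
    """
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        yield tag, length, payload
        if len(payload) < length:
            return
        i += 2 + length


def check_ext_caps(body: bytes) -> list:
    """Return alert strings for every suspicious Extended Capabilities IE."""
    alerts = []
    for tag, length, payload in parse_ies(body):
        if tag != EXT_CAP_TAG:
            continue
        if len(payload) < length:
            alerts.append(f"Extended Capabilities IE length {length} runs past end of frame")
        elif length > EXT_CAP_MAX_LEN:
            alerts.append(f"Extended Capabilities IE length {length} exceeds {EXT_CAP_MAX_LEN}")
    return alerts


def ie(tag: int, payload: bytes) -> bytes:
    """Encode one tag/length/value element."""
    return bytes([tag, len(payload)]) + payload


# Constructed sample IE sections (not real captures): SSID, rates, DS param.
GOOD_IES = ie(0, b"example-ssid") + ie(1, b"\x82\x84\x8b\x96") + ie(127, b"\x00" * 8)
BAD_IES = ie(0, b"example-ssid") + ie(127, b"\x00" * 12) + ie(3, b"\x06")
TRUNCATED_IES = ie(0, b"example-ssid") + bytes([127, 20]) + b"\x00" * 3

if __name__ == "__main__":
    for name, body in (("good", GOOD_IES), ("bad", BAD_IES), ("truncated", TRUNCATED_IES)):
        print(name, check_ext_caps(body) or "ok")
```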

If anyone encounters this in the wild, I’d love to see a pcap; it’s always possible some device is spamming invalid packets or there’s an edge case that hasn’t been taken into account, but it would be very interesting to see if someone is attempting to crash drivers with the public info.