Sign-up

ID

VAR-202002-0273


CVE

CVE-2019-14088


TITLE

plural Snapdragon Product free memory usage vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-014564

DESCRIPTION

Possible use after free issue while CRM is accessing the link pointer from device private data due to lack of resource protection in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, MDM9206, MDM9207C, MDM9607, QCS605, SDM429W, SDX24, SM8150, SXR1130. plural Snapdragon The product contains a vulnerability related to the use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows local attackers to escalate privileges on affected installations of Google Android. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the cam_actuator_driver_cmd function in the V4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. Qualcomm MDM9206 and so on are the products of American Qualcomm. MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. SDX24 is a modem. The Camera in several Qualcomm products has a resource management error vulnerability. The vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products. No detailed vulnerability details are provided at this time

Trust: 2.79

sources: NVD: CVE-2019-14088 // JVNDB: JVNDB-2019-014564 // ZDI: ZDI-20-199 // CNVD: CNVD-2020-09965

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-09965

AFFECTED PRODUCTS

vendor:qualcommmodel:apq8009scope:eqversion: -

Trust: 2.2

vendor:qualcommmodel:sdm429wscope:eqversion: -

Trust: 2.2

vendor:qualcommmodel:sdx24scope:eqversion: -

Trust: 2.2

vendor:qualcommmodel:sxr1130scope:eqversion: -

Trust: 2.2

vendor:qualcommmodel:sm8150scope:eqversion: -

Trust: 2.2

vendor:qualcommmodel:mdm9206scope: - version: -

Trust: 1.4

vendor:qualcommmodel:mdm9607scope: - version: -

Trust: 1.4

vendor:qualcommmodel:sdx24scope: - version: -

Trust: 1.4

vendor:qualcommmodel:sxr1130scope: - version: -

Trust: 1.4

vendor:qualcommmodel:qcs605scope: - version: -

Trust: 1.4

vendor:qualcommmodel:apq8009scope: - version: -

Trust: 1.4

vendor:qualcommmodel:sm8150scope: - version: -

Trust: 1.4

vendor:qualcommmodel:mdm9207cscope: - version: -

Trust: 1.4

vendor:qualcommmodel:mdm9607scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:qcs605scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9206scope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:mdm9207cscope:eqversion: -

Trust: 1.0

vendor:qualcommmodel:sdm 429wscope: - version: -

Trust: 0.8

vendor:googlemodel:androidscope: - version: -

Trust: 0.7

vendor:qualcommmodel:sdm429wscope: - version: -

Trust: 0.6

sources: ZDI: ZDI-20-199 // CNVD: CNVD-2020-09965 // JVNDB: JVNDB-2019-014564 // CNNVD: CNNVD-202002-204 // NVD: CVE-2019-14088

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14088
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-014564
value: HIGH

Trust: 0.8

ZDI: CVE-2019-14088
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-09965
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-204
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-14088
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2019-014564
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-09965
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-14088
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-014564
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2019-14088
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.1
impactScore: 6.0
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-199 // CNVD: CNVD-2020-09965 // JVNDB: JVNDB-2019-014564 // CNNVD: CNNVD-202002-204 // NVD: CVE-2019-14088

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.8

sources: JVNDB: JVNDB-2019-014564 // NVD: CVE-2019-14088

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202002-204

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202002-204

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014564

PATCH
title:February 2020 Security Bulletinurl:https://www.qualcomm.com/company/product-security/bulletins/february-2020-bulletin
Trust: 0.8
title:Google has issued an update to correct this vulnerability.url:https://source.android.com/security/bulletin/pixel/2020-02-01.html
Trust: 0.7
title:Patch for Multiple Qualcomm Product Resource Management Error Vulnerabilities (CNVD-2020-09965)url:https://www.cnvd.org.cn/patchInfo/show/201063
Trust: 0.6
title:Multiple Qualcomm Product resource management error vulnerability fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108712
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-199 // 
            
            
            
            CNVD: CNVD-2020-09965 // 
            
            
            
            JVNDB: JVNDB-2019-014564 // 
            
            
            
            CNNVD: CNNVD-202002-204

EXTERNAL IDS
db:NVDid:CVE-2019-14088
Trust: 3.7
db:ZDIid:ZDI-20-199
Trust: 2.9
db:JVNDBid:JVNDB-2019-014564
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-9549
Trust: 0.7
db:CNVDid:CNVD-2020-09965
Trust: 0.6
db:CNNVDid:CNNVD-202002-204
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-199 // 
            
            
            
            CNVD: CNVD-2020-09965 // 
            
            
            
            JVNDB: JVNDB-2019-014564 // 
            
            
            
            CNNVD: CNNVD-202002-204 // 
            
            
            
            NVD: CVE-2019-14088

REFERENCES
url:https://www.zerodayinitiative.com/advisories/zdi-20-199/
Trust: 2.2
url:https://nvd.nist.gov/vuln/detail/cve-2019-14088
Trust: 2.0
url:https://www.qualcomm.com/company/product-security/bulletins/february-2020-bulletin
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14088
Trust: 0.8
url:https://source.android.com/security/bulletin/pixel/2020-02-01.html
Trust: 0.7
url:https://vigilance.fr/vulnerability/google-android-pixel-multiple-vulnerabilities-of-february-2020-31507
Trust: 0.6
sources:
            
            
            ZDI: ZDI-20-199 // 
            
            
            
            CNVD: CNVD-2020-09965 // 
            
            
            
            JVNDB: JVNDB-2019-014564 // 
            
            
            
            CNNVD: CNNVD-202002-204 // 
            
            
            
            NVD: CVE-2019-14088

CREDITS
Lacne Jiang and Moony Li of TrendMicro Mobile Security Research Team
Trust: 0.7
sources:
            
            
            ZDI: ZDI-20-199

SOURCES
db:ZDIid:ZDI-20-199
db:CNVDid:CNVD-2020-09965
db:JVNDBid:JVNDB-2019-014564
db:CNNVDid:CNNVD-202002-204
db:NVDid:CVE-2019-14088

LAST UPDATE DATE
2024-08-14T13:44:24.965000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-20-199date:2020-02-07T00:00:00
db:CNVDid:CNVD-2020-09965date:2020-02-17T00:00:00
db:JVNDBid:JVNDB-2019-014564date:2020-02-28T00:00:00
db:CNNVDid:CNNVD-202002-204date:2020-03-02T00:00:00
db:NVDid:CVE-2019-14088date:2020-02-12T17:15:56.470

SOURCES RELEASE DATE
db:ZDIid:ZDI-20-199date:2020-02-07T00:00:00
db:CNVDid:CNVD-2020-09965date:2020-02-17T00:00:00
db:JVNDBid:JVNDB-2019-014564date:2020-02-28T00:00:00
db:CNNVDid:CNNVD-202002-204date:2020-02-07T00:00:00
db:NVDid:CVE-2019-14088date:2020-02-07T05:15:12.873