Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2024-33063 – OOB: read/writes in ML probe generation (15-Dec 2024)

Preface: A patch published in June 2023 adds parsing of the data and adds/updates the BSS using the received elements. As a result, userspace can discover the BSSes using an ML probe request and request association on these links.

Background: The term QBSS is used in wireless networks supporting the IEEE 802.11e Quality of Service enhancement. It defines a Basic Service Set supporting a QAP and a number of QSTAs.

When enabled, the AP appends the QBSS IE to management frames. This IE provides information on channel usage by the AP, so that smart wireless stations can choose a better AP for connectivity. Station count, channel utilization, and available admission capacity are the information available in this IE.

Vulnerability details: Transient DoS while parsing the ML IE when a beacon carries a common info length of the ML IE greater than the ML IE inside which this element is present.
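The length check this description calls for, as an added example (not code from the vendor or from the original post): a parser that refuses a Multi-Link element whose Common Info Length exceeds the element that contains it. The element layout, the constants and the function name `ml_ie_common_info_len` are assumptions of this example based on the 802.11be Basic Multi-Link element format; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field sizes and IDs follow the 802.11be Basic Multi-Link element layout
 * (an assumption of this example, not taken from the page). */
#define EID_EXTENSION 255 /* Element ID used by extended elements */
#define EXT_ID_ML     107 /* Element ID Extension: Multi-Link */
#define ML_CTRL_LEN   2   /* Multi-Link Control field */

/* Return the validated Common Info length, or -1 if the element is malformed.
 * ie points at the Element ID octet; buf_len is the bytes left in the frame. */
int ml_ie_common_info_len(const uint8_t *ie, size_t buf_len)
{
    if (buf_len < 2)
        return -1;                        /* no room for ID + Length */
    size_t body_len = ie[1];
    if (ie[0] != EID_EXTENSION || body_len > buf_len - 2)
        return -1;                        /* element overruns the frame */
    if (body_len < 1 + ML_CTRL_LEN + 1 || ie[2] != EXT_ID_ML)
        return -1;                        /* too short to hold Common Info */
    size_t avail = body_len - 1 - ML_CTRL_LEN;   /* bytes left for Common Info */
    size_t cinfo_len = ie[2 + 1 + ML_CTRL_LEN];  /* length octet counts itself */
    if (cinfo_len < 1 || cinfo_len > avail)
        return -1;                        /* Common Info larger than the ML IE */
    return (int)cinfo_len;
}

/* Constructed samples: same element, honest vs. oversized Common Info Length. */
static const uint8_t ML_IE_OK[]  = {255, 10, 107, 0, 0, 7,  2, 0, 0, 0, 0, 1};
static const uint8_t ML_IE_BAD[] = {255, 10, 107, 0, 0, 40, 2, 0, 0, 0, 0, 1};

int main(void)
{
    printf("well-formed: %d\n", ml_ie_common_info_len(ML_IE_OK, sizeof ML_IE_OK));
    printf("oversized:   %d\n", ml_ie_common_info_len(ML_IE_BAD, sizeof ML_IE_BAD));
    return 0;
}
```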

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33063

CVE-2024-38424 Use After Free in GPS (14-12-2024)

Preface: There are four global satellite navigation systems, currently GPS (United States), GLONASS (Russian Federation), Beidou (China) and Galileo (European Union).

Background: The Android open-source side is called HLOS. Qualcomm’s proprietary side is called non-HLOS.

The Android on Snapdragon architecture is built to allow for common feature adoption across devices with Snapdragon. It represents the software features and functionalities available on Qualcomm® reference devices and provided to OEMs for design into their Android mobile devices and tablets.

Global Navigation Satellite System (GNSS) refers to any satellite constellation that provides global positioning, navigation, and timing services. Several GNSS are currently available: BeiDou (China), Galileo (EU), GPS (USA) and GLONASS (Russia). In October 2022, Rx Networks, Inc., a GNSS data services company, announced the availability of TruePoint.io precise location services on Qualcomm’s Snapdragon 8 Gen 1 and Snapdragon 888 5G Mobile Platforms.

Vulnerability details: Memory corruption during GNSS HAL process initialization.

Technology Area: GPS HLOS Driver

CWE-416: Use After Free

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-38424

CVE-2024-38403 – Buffer Over-read in WLAN Firmware (8th Nov 2024)

Preface: BSS Transition Management enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination.

Background: A STA receiving a BSS Transition Management Request frame may respond with a BSS Transition Management Response frame.

The BSS Termination Included (bit 3) field indicates that the BSS Termination Duration field is included, the BSS or the AP MLD is shutting down and the STA or the non-AP MLD will be disassociated. The AP or AP MLD sets the BSS Termination Included bit in the Request mode field to 1 to indicate that the BSS or AP MLD is shutting down.

The BSS Termination Included bit is 0 if no BSS Termination Duration information is included in the BSS Transition Management Request frame.

Vulnerability details: Transient DOS while parsing BTM ML IE when per STA profile is not included.

Official announcement: Please refer to the vendor announcement for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

CVE-2024-38408 – Cryptographic Issues in BT Controller (7 Nov 2024)

Preface: Snapdragon 8 Gen 2 SoC comes with many new features and technologies such as new tri-cluster architecture, AI improvements, ray tracing support, and more. However, one largely overlooked feature is dual Bluetooth. Now, it’s not going to revolutionize the Bluetooth experience on mobile devices, but it will actually solve some of the fundamental problems we face when using Bluetooth technology on mobile devices.

Background: The encryption key negotiation protocol is conducted between two parties as follows: the initiator proposes an entropy value N that is an integer between 1 and 16, the other party either accepts it or proposes a lower value or aborts the protocol. If the other party proposes a lower value, e.g., N − 1, then the initiator either accepts it or proposes a lower value or it aborts the protocol. At the end of a successful negotiation the two parties have agreed on the entropy value of the Bluetooth encryption key. The entropy negotiation is performed over the Link Manager Protocol (LMP), it is not encrypted and not authenticated, and it is transparent to the Bluetooth.
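The negotiation described above, as an added example (not code from the original post or from any Bluetooth stack): each side counter-proposes its own maximum and aborts below its own minimum, which shows why a locally enforced minimum is the only protection when the exchange itself is not authenticated. The struct, the function names and the 7-byte minimum are assumptions chosen for illustration.

```c
#include <stdio.h>

struct lmp_party {
    int max_key; /* largest key size in bytes the party supports (1..16) */
    int min_key; /* smallest key size its local policy accepts */
};

static int valid(struct lmp_party p)
{
    return p.min_key >= 1 && p.min_key <= p.max_key && p.max_key <= 16;
}

/* Returns the agreed key size in bytes, or 0 if either side aborts. */
int negotiate_key_size(struct lmp_party initiator, struct lmp_party responder)
{
    if (!valid(initiator) || !valid(responder))
        return 0;
    int proposal = initiator.max_key;   /* initiator opens with its maximum */
    int responder_turn = 1;
    for (;;) {
        struct lmp_party me = responder_turn ? responder : initiator;
        if (proposal < me.min_key)
            return 0;                   /* below local policy: abort */
        if (proposal <= me.max_key)
            return proposal;            /* acceptable: accept */
        proposal = me.max_key;          /* too large: propose a lower value */
        responder_turn = !responder_turn;
    }
}

/* Constructed policies; 7 is an illustrative minimum, not a value from the page. */
static const struct lmp_party PERMISSIVE = {16, 1};  /* accepts any size */
static const struct lmp_party HARDENED   = {16, 7};  /* enforces a minimum */
static const struct lmp_party LOW_PEER   = {1, 1};   /* only ever offers 1 byte */
static const struct lmp_party MID_PEER   = {10, 7};

int main(void)
{
    printf("permissive vs low peer: %d\n", negotiate_key_size(PERMISSIVE, LOW_PEER));
    printf("hardened   vs low peer: %d\n", negotiate_key_size(HARDENED, LOW_PEER));
    printf("hardened   vs mid peer: %d\n", negotiate_key_size(HARDENED, MID_PEER));
    return 0;
}
```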

Vulnerability details: Cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html

About CVE-2024-43080: So-called Intent Redirection by Google (4th Nov 2024)

Preface: What is intent redirection and app security in Android? An intent redirection occurs when an attacker can partly or fully control the contents of an intent used to launch a new component in the context of a vulnerable app.

Background: An Intent in the Android operating system is a software mechanism that allows users to coordinate the functions of different activities to achieve a task. An Intent Redirection issue in an app can allow malicious apps to access private app components or files.

Vulnerability details: CVE-2024-43080: This vulnerability could lead to privilege escalation. Please refer to the official announcement for details – https://source.android.com/docs/security/bulletin/2024-11-01

CVE-2024-45184: Design weakness found in Exynos, a system-on-chip based on Samsung’s ARM development (October 14, 2024)

Preface: USAT (USIM Application Toolkit) technology is based on the original passive operation mode of the SIM card and adds the new active operation capability of the SIM card, which allows applications and services in the SIM card to actively interact with mobile terminals.

Background: The USAT (USIM Application Toolkit) is a standardized set of commands and protocols that allow mobile applications to interact with the USIM card in 3G and 4G/LTE mobile networks.

USAT use case examples:

Mobile Banking: Displays a secure PIN entry screen for transaction verification.

Mobile Payments: Interact with USIM cards for secure payment transactions, authorization and token generation.

Mobile messaging: Receive event notifications for incoming SMS messages or delivery reports.

Vulnerability details: An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modems with chipset Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, Modem 5123, and Modem 5300. A USAT out-of-bounds write due to a heap buffer overflow can lead to a Denial of Service.

Official announcement: Please refer to the link for details – https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-45184/

Is Qualcomm CVE-2024-23369 the same as CVE-2022-33278? (9th Oct 2024)

Preface: Security patches can be divided into 2 categories — HLOS (High Level Operating System) and NON-HLOS. The first category is for patches concerning the Android system itself and the Linux kernel, and the other is about code running at much lower levels.

Background: The software image running on the main processor is termed HLOS. The Snapdragon 8 Gen 1 chipset, which powered the new Samsung Galaxy S22 series, is one of the quickest and most energy-efficient processors available. Qualcomm is known for making some of the greatest chipsets for Android devices, and their current flagship SoC is the Snapdragon 8 Gen 1. Despite the fact that the chip was unveiled in November 2021, few devices have taken advantage of its capabilities. The Motorola Edge X30, which was released in December 2021, was the first smartphone to include a Snapdragon 8 Gen 1 processor.

Vulnerability details: Memory corruption when invalid length is provided from HLOS for FRS/UDS request/response buffers.

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/bundle/publicresource/topics/80-41102-2/page_c_tafDiagUpdate.html

About Android Framework: Bypass CVE-2022-20338, formed CVE-2024-40662 (11th Sep 2024).

Preface: What is a malformed URI? The JavaScript exception “malformed URI sequence” occurs when URI encoding or decoding wasn’t successful.

Background: URI definition: in computer terms, a Uniform Resource Identifier (URI) is a string used to identify the name of a certain network resource. This identification allows users to interact with any resource (including local and Internet) through specific protocols.

URI is either an absolute URI whose scheme-specific part begins with a slash character, or a relative URI, that is, a URI that does not specify a scheme. 

Vulnerability details: In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details –

https://www.tenable.com/cve/CVE-2024-40662

CVE-2024-38401: Use After Free in Qualcomm IPC (3rd Sep 2024)

Preface: Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc.

Background: The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases. The figure shows the architecture of the Qualcomm Hypervisor software stack, its components, and virtual machines (VM). This figure includes an example of one guest VM using the Linux kernel.

Interprocess communication (IPC): this includes shared memory, message passing (IPC) APIs, and virtual interrupts. The ioctl function performs the generic I/O operation command on filedes. A third argument is usually present, either a single number or a pointer to a structure.

Ref: EL2 provides support for virtualization

Vulnerability details: Use After Free in Qualcomm IPC, Memory corruption while processing concurrent IOCTL calls.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html

About CVE-2024-20084 and CVE-2024-20085: MediaTek’s System-on-Chip Design weakness (2nd Sep 2024)

Preface: When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address.

Background: MediaTek JPEG Decoder is the JPEG decode hardware present in MediaTek SoCs. The JPEG decoder hardware device nodes should be added as subnodes to the main jpeg node.

IOMMU is the so-called SMMU, which can organize discontinuous physical memory into a continuous virtual memory (this makes sense for many drivers).

Vulnerability details:

CVE-2024-20084 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-20085 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details – https://corp.mediatek.com/product-security-bulletin/September-2024