CVE-2021-1918 : Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon. NVD Published Date 3rd JAN, 2022

Preface: The specifics vulnerability (CVE-2021-1918) has notified customer on 06/07/2021. But vendor security advisory was released on 6th December, 2022. Finally, US-CERT release the details on 3rd Jan, 2021. As a researcher or end user, it is not an issue.

Background: Snapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc. The Snapdragon’s central processing unit (CPU) uses the ARM architecture. In Snapdragon SoCs, three components are used to provide access control: Virtual Master ID Mapping Table (VMIDMT), External Protection Unit (XPU), and System Memory Management Unit (SMMU). VMIDMT and XPU work together. The SMMU is a hardware component that performs address translation and access control for bus initiators outside of the CPU.

Vulnerability details: Certain versions of Snapdragon Consumer IOT Snapdragon Industrial IOT Snapdragon Mobile from Qualcomm Inc. contain the following vulnerability:
Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile.

My observation: Since vendor not providing the technical details. According to Snapdragon design, a well know attack surface will be on SMMU. For the possibilities of cyber attack details, please refer to attached diagram for reference.

Vendor announcement: Additional vulnerability are also released by vendor on December, 2021. Please refer to link for details – https://www.qualcomm.com/company/product-security/bulletins/december-2021-bulletin#_cve-2021-1918

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.