CVE-2020-3657

Name of the Vulnerable Software and Affected Versions Qualcomm Snapdragon Auto versions APQ8009 through SM8250 Qualcomm Snapdragon Compute versions APQ8009 through SM8250 Qualcomm Snapdragon Consumer IOT versions APQ8009 through SM8250 Qualcomm Snapdragon Industrial IOT versions APQ8009 through SM8250 Qualcomm Snapdragon Mobile versions APQ8009 through SM8250 Qualcomm Snapdragon Voice & Music versions APQ8009 through SM8250 Qualcomm Snapdragon Wearables versions APQ8009 through SM8250 Qualcomm Snapdragon Wired Infrastructure and Networking versions APQ8009 through SM8250

Description Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due to lack of array bound check.

Recommendations For Qualcomm Snapdragon Auto versions APQ8009 through SM8250, consider disabling access to the Device configuration from tethered clients through the webserver as a temporary workaround. For Qualcomm Snapdragon Compute versions APQ8009 through SM8250, restrict access to the webserver to minimize the risk of exploitation. For Qualcomm Snapdragon Consumer IOT versions APQ8009 through SM8250, avoid using the vulnerable function until a patch is available. For Qualcomm Snapdragon Industrial IOT versions APQ8009 through SM8250, consider implementing additional security measures to prevent remote code execution. For Qualcomm Snapdragon Mobile versions APQ8009 through SM8250, update the software to a version that includes a fix for the lack of array bound check. For Qualcomm Snapdragon Voice & Music versions APQ8009 through SM8250, restrict access to the Device configuration to prevent exploitation. For Qualcomm Snapdragon Wearables versions APQ8009 through SM8250, consider disabling the vulnerable feature until a patch is available. For Qualcomm Snapdragon Wired Infrastructure and Networking versions APQ8009 through SM8250, implement a workaround to prevent remote code execution, such as restricting access to the webserver.