CVE-2019-14001

Name of the Vulnerable Software and Affected Versions: Snapdragon Auto versions APQ8009 through SDX20 Snapdragon Consumer IOT versions APQ8009 through SDX20 Snapdragon Industrial IOT versions APQ8009 through SDX20 Snapdragon Mobile versions APQ8009 through SDX20 Snapdragon Voice & Music versions APQ8009 through SDX20 Snapdragon Wearables versions APQ8009 through SDX20

Description: The issue concerns the wrong public key usage from the existing oem keystore for hash generation. This affects various Snapdragon products, including Auto, Consumer IOT, Industrial IOT, Mobile, Voice & Music, and Wearables, in a range of chipsets from APQ8009 to SDX20.

Recommendations: For Snapdragon Auto versions APQ8009 through SDX20, consider disabling the use of the existing oem keystore for hash generation until a fix is available. For Snapdragon Consumer IOT versions APQ8009 through SDX20, restrict access to the oem keystore to minimize the risk of exploitation. For Snapdragon Industrial IOT versions APQ8009 through SDX20, avoid using the oem keystore for hash generation in sensitive operations. For Snapdragon Mobile versions APQ8009 through SDX20, apply configuration changes to limit the impact of the wrong public key usage. For Snapdragon Voice & Music versions APQ8009 through SDX20, temporarily disable the hash generation function until a patch is available. For Snapdragon Wearables versions APQ8009 through SDX20, restrict the use of the oem keystore to authorized processes only.