CVE-2019-14028

Name of the Vulnerable Software and Affected Versions: Snapdragon Auto versions APQ8009 through SXR2130 Snapdragon Compute versions APQ8009 through SXR2130 Snapdragon Connectivity versions APQ8009 through SXR2130 Snapdragon Consumer Electronics Connectivity versions APQ8009 through SXR2130 Snapdragon Consumer IOT versions APQ8009 through SXR2130 Snapdragon Industrial IOT versions APQ8009 through SXR2130 Snapdragon IoT versions APQ8009 through SXR2130 Snapdragon Mobile versions APQ8009 through SXR2130 Snapdragon Voice & Music versions APQ8009 through SXR2130 Snapdragon Wired Infrastructure and Networking versions APQ8009 through SXR2130

Description: The issue is related to a buffer overwrite during memcpy due to a lack of check on SSID length validation. This affects various Snapdragon products, including Auto, Compute, Connectivity, Consumer Electronics Connectivity, Consumer IOT, Industrial IOT, IoT, Mobile, Voice & Music, and Wired Infrastructure and Networking. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations: For Snapdragon Auto versions APQ8009 through SXR2130, consider disabling the memcpy function until a patch is available. For Snapdragon Compute versions APQ8009 through SXR2130, restrict access to the vulnerable module to minimize the risk of exploitation. For Snapdragon Connectivity versions APQ8009 through SXR2130, avoid using the SSID parameter in the affected API endpoint until the issue is resolved. For Snapdragon Consumer Electronics Connectivity versions APQ8009 through SXR2130, apply configuration changes to limit the impact of the issue. For Snapdragon Consumer IOT versions APQ8009 through SXR2130, update the firmware to a version that includes the fix for this issue. For Snapdragon Industrial IOT versions APQ8009 through SXR2130, implement additional security measures to prevent exploitation. For Snapdragon IoT versions APQ8009 through SXR2130, disable the vulnerable function until a patch is available. For Snapdragon Mobile versions APQ8009 through SXR2130, restrict access to the vulnerable module to minimize the risk of exploitation. For Snapdragon Voice & Music versions APQ8009 through SXR2130, avoid using the SSID parameter in the affected API endpoint until the issue is resolved. For Snapdragon Wired Infrastructure and Networking versions APQ8009 through SXR2130, apply configuration changes to limit the impact of the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.