CVE-2017-18314 in Snapdragon Automobile
Summary
by MITRE
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016, on TZ cold boot the CNOC_QDSS RG0 locked by xBL_SEC is cleared by TZ.
Analysis
by VulDB Data Team • 05/03/2020
This vulnerability affects Qualcomm Snapdragon automotive, mobile, and wearable platforms across multiple chipsets, including MDM9206, MDM9607, and various SD series processors. The flaw occurs during the TrustZone (TZ) cold boot process: the CNOC_QDSS RG0 register, which is locked by xBL_SEC, is cleared by the TrustZone component. This is a critical weakness in the hardware security architecture of these devices, potentially allowing unauthorized access to protected system registers during the boot sequence.
Technically, the issue is a race condition or privilege escalation scenario in which the Trusted Execution Environment fails to maintain proper register state during system initialization. The CNOC_QDSS RG0 register typically controls memory access and security parameters within the system's memory controller. When TrustZone clears it during cold boot, sensitive memory regions may be exposed, or security features that should remain active throughout the boot process may be disabled. The vulnerability is classified as CWE-284 Access Control Issues and specifically concerns improper privilege management during system initialization.
The operational impact is significant for automotive and mobile platforms where security is paramount. During cold boot, as the system transitions from a powered-off state to full operation, clearing security registers can open temporary windows of vulnerability that an attacker could use to gain unauthorized access to system memory or manipulate security controls. This is particularly concerning for automotive applications, where vehicle security systems rely on hardware-level protections, and for mobile devices, where sensitive user data and cryptographic keys are stored in protected memory regions.
The vulnerability points to a fundamental flaw in Qualcomm's secure boot implementation: the transition from bootloader to TrustZone does not properly preserve security state. It aligns with ATT&CK technique T1068, Privilege Escalation through exploitation of system boot processes, and, given the potential for system instability, also relates to T1499, Endpoint Denial of Service. The affected platforms span multiple generations of Qualcomm's mobile and automotive processors, indicating a widespread issue across the product line. Mitigation should include firmware updates from Qualcomm, additional software-level checks during boot, and potentially hardware redesigns to ensure register state is preserved during cold boot sequences.
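The software-level boot check mentioned above, as an added illustration that is not Qualcomm's code or part of this advisory: a constructed model of a lock register set by an earlier boot stage, a TZ init routine that wipes it (the defect pattern described here) beside one that preserves it, and a post-handoff invariant check. The register name is taken from the advisory; the bit layout, addresses and function names are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model; bit positions are assumptions, not the real RG0 layout. */
#define RG_LOCK_BIT   (1u << 0)   /* region group locked by the earlier stage */
#define RG_SECURE_BIT (1u << 1)   /* accessible from the secure world only    */
#define RG_LOCK_MASK  (RG_LOCK_BIT | RG_SECURE_BIT)

typedef struct {
    uint32_t cnoc_qdss_rg0;       /* the register named in the advisory */
} reg_file_t;

/* Earlier boot stage (xBL_SEC in the advisory) locks the group before handoff. */
void xbl_sec_lock(reg_file_t *r) {
    r->cnoc_qdss_rg0 |= RG_LOCK_MASK;
}

/* Defect pattern: TZ cold-boot init resets the whole register, losing the lock. */
void tz_init_clears_lock(reg_file_t *r) {
    r->cnoc_qdss_rg0 = 0;
}

/* Preserving init: re-initialise only the fields TZ owns, keep the lock bits. */
void tz_init_preserves_lock(reg_file_t *r) {
    uint32_t kept = r->cnoc_qdss_rg0 & RG_LOCK_MASK;
    r->cnoc_qdss_rg0 = kept;      /* all non-lock fields return to 0 */
}

/* Invariant: lock bits after TZ init must equal the snapshot taken before handoff. */
bool locks_preserved(uint32_t before, uint32_t after) {
    return (before & RG_LOCK_MASK) == (after & RG_LOCK_MASK);
}

/* Runs lock -> snapshot -> TZ init -> check; true means the lock survived. */
bool cold_boot_check(void (*tz_init)(reg_file_t *)) {
    reg_file_t regs = { 0 };
    xbl_sec_lock(&regs);
    uint32_t snapshot = regs.cnoc_qdss_rg0;
    tz_init(&regs);
    return locks_preserved(snapshot, regs.cnoc_qdss_rg0);
}
```

On real hardware the snapshot would be taken by the stage that sets the lock and the comparison done as early as possible in the next stage, so that a cleared lock halts boot instead of being silently carried forward.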