CVE-2021-30307 in Snapdragon Auto

Summary

by MITRE • 01/13/2022

Possible denial of service due to improper validation of DNS response when DNS client requests with PTR, NAPTR or SRV query type in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT.


Analysis

by VulDB Data Team • 01/16/2022

This vulnerability exists in Qualcomm Snapdragon automotive and IoT products where the DNS client fails to properly validate incoming DNS responses during specific query types, including PTR, NAPTR and SRV. The flaw allows for potential denial of service conditions when malformed or unexpected DNS responses are processed by the affected systems. The vulnerability stems from insufficient input validation mechanisms within the DNS resolution process, specifically when handling these three query types. The improper validation occurs at the application layer, where the DNS client parses and processes responses without adequate checks for response format, structure or content legitimacy. This weakness creates an opportunity for attackers to craft malicious DNS responses that could cause the affected Snapdragon-based systems to crash or become unresponsive.

The impact extends across multiple Snapdragon product lines, including automotive platforms, compute modules, connectivity solutions, consumer IoT devices, and industrial IoT applications. According to CWE classification, this represents a weakness in input validation where insufficient checks are performed on data received from external sources. The vulnerability aligns with ATT&CK technique T1499.004, which involves network denial of service attacks targeting infrastructure components. The affected systems typically operate in critical environments where availability is paramount, such as automotive safety systems, industrial control networks, and IoT device communications. When exploited, this vulnerability can result in complete service disruption for devices relying on DNS resolution for network connectivity and functionality. The attack surface includes any Snapdragon device that performs DNS lookups using the affected query types and operates in environments where malicious DNS responses could be injected or spoofed. The vulnerability is particularly concerning in automotive applications, where DNS resolution failures could impact vehicle connectivity services, navigation systems, or over-the-air update mechanisms.

Security researchers have identified that the issue manifests when the DNS client does not properly validate the response structure, including record types, lengths, and data formats, during processing of PTR, NAPTR and SRV queries. The lack of validation allows malformed data to propagate through the system, causing unexpected behavior and potential crashes. This weakness is consistent with common software vulnerabilities where insufficient bounds checking or format validation leads to resource exhaustion or execution errors. The exploitation requires an attacker to either intercept DNS traffic or compromise a DNS server within the network to deliver malicious responses. The vulnerability affects both IPv4 and IPv6 implementations within the Snapdragon DNS client stack and impacts devices that may be deployed in remote or isolated network environments where network traffic inspection is limited.

Organizations should consider implementing network segmentation to isolate critical Snapdragon-based systems and deploy DNS filtering mechanisms to prevent malformed responses from reaching affected devices. Additionally, firmware updates from Qualcomm should be applied immediately to address the validation deficiencies in the DNS client implementation. The vulnerability demonstrates the importance of robust input validation in network protocols and highlights the need for comprehensive testing of DNS client implementations against malformed response scenarios. This issue represents a significant risk to operational continuity in automotive and IoT deployments where uninterrupted network connectivity is essential for proper device function. The flaw underscores the critical nature of DNS security in embedded systems and the potential for seemingly benign network operations to become attack vectors when proper validation mechanisms are absent.
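
The kind of length and format checks the analysis refers to for PTR, SRV and NAPTR record data, shown as an added example: it is not Qualcomm's code and does not reproduce the specific flaw, whose details this page does not give. The function names and the pointer hop limit are assumptions of the example; the RDATA layouts follow RFC 1035, RFC 2782 and RFC 3403.

```c
#include <stddef.h>
#include <stdint.h>
enum { T_PTR = 12, T_SRV = 33, T_NAPTR = 35, MAX_NAME = 255, MAX_HOPS = 16 };

/* Check the name at msg[off]; returns offset past its in-place bytes, 0 if bad. */
static size_t check_name(const uint8_t *msg, size_t len, size_t off, size_t end)
{
    size_t pos = off, after = 0, total = 0;
    int hops = 0;
    for (;;) {
        if (pos >= len) return 0;                  /* read past message */
        uint8_t b = msg[pos];
        if ((b & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len || ++hops > MAX_HOPS) return 0;
            size_t target = ((size_t)(b & 0x3F) << 8) | msg[pos + 1];
            if (!after) after = pos + 2;
            if (target >= pos) return 0;           /* backward pointers only */
            pos = target;
        } else if (b & 0xC0) {
            return 0;                              /* reserved label type */
        } else {
            total += (size_t)b + 1;
            if (total > MAX_NAME || pos + 1 + b > len) return 0;
            pos += (size_t)b + 1;
            if (b == 0) break;                     /* root label ends name */
        }
    }
    if (!after) after = pos;
    return after <= end ? after : 0;               /* must stay inside RDATA */
}

/* Validate RDATA of a PTR, SRV or NAPTR record; returns 1 if well formed. */
int rdata_ok(const uint8_t *msg, size_t len, size_t off, uint16_t rdlen, uint16_t type)
{
    if (off > len || rdlen > len - off) return 0;  /* RDLENGTH overruns message */
    size_t end = off + rdlen;
    if (type == T_SRV) {
        if (rdlen < 7) return 0;                   /* priority, weight, port, name */
        off += 6;
    } else if (type == T_NAPTR) {
        if (rdlen < 8) return 0;                   /* order, pref, 3 strings, name */
        off += 4;
        for (int i = 0; i < 3; i++) {              /* flags, services, regexp */
            if (off >= end || msg[off] > end - off - 1) return 0;
            off += (size_t)msg[off] + 1;
        }
    } else if (type != T_PTR) return 0;
    return check_name(msg, len, off, end) == end;  /* name must fill RDATA */
}
```

A resolver would call `rdata_ok` on each answer record before using it and drop the whole response on a zero return.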

Responsible

Qualcomm, Inc.

Reservation

04/07/2021

Disclosure

01/13/2022

Moderation

accepted

CPE

ready

EPSS

0.00568

KEV

no

Activities

very low
