CVE-2020-11243 : Security Advisory and Response

Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, and Snapdragon Mobile devices by Qualcomm are affected by a vulnerability that allows RRC to send a connection establishment success to NAS despite connection setup validation failure, leading to denial of service.

Understanding CVE-2020-11243

This CVE involves a denial of service vulnerability in Qualcomm's Snapdragon products due to incorrect handling of connection establishment success.

What is CVE-2020-11243?

The vulnerability allows RRC to incorrectly signal a successful connection establishment to NAS, even when the connection setup validation has failed, resulting in a denial of service.

The Impact of CVE-2020-11243

The vulnerability has a CVSS base score of 7.5, indicating a high severity issue with a significant impact on availability.

Technical Details of CVE-2020-11243

Qualcomm's Snapdragon products are affected by this vulnerability, impacting various versions and products.

Vulnerability Description

The issue arises from RRC incorrectly reporting connection establishment success despite validation failure, leading to a denial of service.

Affected Systems and Versions

Products: Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
Versions: AQT1000, AR8035, FSM10055, and many more

Exploitation Mechanism

The vulnerability can be exploited by triggering the incorrect signaling of connection establishment success by RRC, causing a denial of service.

Mitigation and Prevention

To address CVE-2020-11243, immediate steps and long-term security practices are recommended.

Immediate Steps to Take

Apply vendor-supplied patches promptly
Monitor Qualcomm's security bulletins for updates

Long-Term Security Practices

Regularly update firmware and software on affected devices
Implement network segmentation and access controls

Patching and Updates

Refer to Qualcomm's security bulletins for specific patch information and guidance