CERTVU:366027Samsung Qmage codec for Android Skia library does not properly validate image files
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:L/SA:L
0.034 Low
EPSS
Percentile
91.5%
Overview
The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file.
Description
The Samsung May 2020 Android Security Update notes that “a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution.” Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system.
Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.
Impact
Exploitation of this vulnerability permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Solution
Apply an update
Samsung has released fixes in the May 2020 Android Security Update.
Vendor Information
366027
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Samsung Affected
Updated: May 14, 2020
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 7.8 | E:POC/RL:OF/RC:ND |
| Environmental | 7.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- <https://bugs.chromium.org/p/project-zero/issues/detail?id=2002>
- <https://security.samsungmobile.com/securityUpdate.smsb>
- <https://www.youtube.com/watch?v=nke8Z3G4jnc>
Acknowledgements
This vulnerability was published by Mateusz Jurczyk at Google Project Zero.
This document was written by Eric Hatleback.
Other Information
| CVE IDs: | CVE-2020-8899 |
|---|---|
| Date Public: | 2020-01-28 Date First Published: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:L/SA:L
0.034 Low
EPSS
Percentile
91.5%