search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Samsung Qmage codec for Android Skia library does not properly validate image files

Vulnerability Note VU#366027

Original Release Date: 2020-05-14 | Last Revised: 2020-05-15

Overview

The Samsung Qmage codec used in the Android Skia library does not properly validate image files. A number of memory corruption vulnerabilities allow an attacker to execute arbitrary code by causing a vulnerable system to parse a Qmage file.

Description

The Samsung May 2020 Android Security Update notes that "a possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution." Samsung identifies this vulnerability as SVE-2020-16747, more commonly known as CVE-2020-8899. Google Project Zero performed extensive fuzz testing on the Qmage (or Quram, or qmg) code that Samsung added to the Android Skia library and identified 5218 uniquely crashing test cases. At least one of these memory corruption vulnerabilities can be exploited by sending a specially crafted MMS message to a vulnerable system.

Samsung notes that versions O(8.X), P(9.0), Q(10.0) are affected.

Impact

Exploitation of this vulnerability permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Solution

Apply an update

Samsung has released fixes in the May 2020 Android Security Update.

Vendor Information

366027
 
Affected   Unknown   Unaffected

Samsung

Updated:  May 14, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:ND
Environmental 7.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was published by Mateusz Jurczyk at Google Project Zero.

This document was written by Eric Hatleback.

Other Information

CVE IDs: CVE-2020-8899
Date Public: 2020-01-28
Date First Published: 2020-05-14
Date Last Updated: 2020-05-15 14:53 UTC
Document Revision: 12

Sponsored by CISA.