CVE-2020-3657
published 2020-11-02
CVE-2020-3657: u'Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due…
Priority P272 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.34% (97.9th percentile)
u'Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due to lack of array bound check.' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, IPQ4019, IPQ6018, IPQ8064, IPQ8074, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8953, MSM8996AU, QCA6574AU, QCS405, QCS610, QRB5165, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM8250
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/qcmap_web_cgi?page=SetMediaDir
url: /cgi-bin/qcmap_web_cgi?
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1;)
- Exploit traffic targets the QCMAP web CGI endpoint via HTTP GET requests. Look for GET requests to /cgi-bin/qcmap_web_cgi? with 8 or more '&' delimiters in the URI, indicative of a stack-based buffer overflow attempt.
- Command injection attempts against the SetMediaDir page can be detected by the presence of a semicolon byte (0x3b) in the URI following the page parameter, indicating shell metacharacter injection.
- The vulnerability is triggered via a crafted POST query to the device webserver when accessed from a tethered client. Monitor inbound HTTP POST and GET traffic to QCMAP CGI endpoints on internal/perimeter networks.
- Both ET rules (sid:2031056 and sid:2031057) are tagged for Perimeter, Internal, and SSLDecrypt deployment, meaning exploit attempts may also occur over TLS; SSL inspection is recommended.
- The ET Snort rule for the buffer overflow (sid:2031057) uses HTTP method GET, but the NVD description states exploitation occurs via a POST query. Ensure detection coverage includes POST requests to the same CGI endpoint.
- The Android Security Bulletin marks this as a Closed-source component (reference A-153344684*), meaning patch availability and applicability must be verified per OEM/vendor for each affected Snapdragon chipset.
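The two request patterns from the detection notes above, applied to constructed requests. This is an added example, not code from this page or from the ET ruleset. It extends the rules' GET match to POST and, as an assumption, also inspects the POST body; the parameter names in the samples are placeholders.

```python
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/qcmap_web_cgi"      # path from the rules on this page
SETMEDIA = "page=SetMediaDir"            # first parameter matched by sid:2031056
AMP_THRESHOLD = 8                        # sid:2031057 chains eight content:"&"


def classify(method, uri, body=""):
    """Return labels ("overflow", "injection") for one HTTP request."""
    method = method.upper()
    if method not in ("GET", "POST"):    # rules match GET; POST added per the NVD text
        return []
    # http.uri is a normalized buffer, so percent-escapes are decoded first.
    path, has_query, query = unquote(uri).partition("?")
    if ENDPOINT not in path:
        return []
    params = [query] if has_query else []
    if method == "POST" and body:
        params.append(unquote(body))     # assumption: parameters may be in the body
    hits = set()
    for p in params:
        if p.count("&") >= AMP_THRESHOLD:
            hits.add("overflow")
        if p.startswith(SETMEDIA):
            semi = p.find(";", len(SETMEDIA))
            # isdataat:1,relative -> at least one byte must follow the semicolon
            if semi != -1 and semi + 1 < len(p):
                hits.add("injection")
    return sorted(hits)


# Constructed sample requests (placeholder parameter names, benign values).
MANY = "&".join(f"p{i}=0" for i in range(9))          # nine params, eight '&'
SAMPLES = [
    ("GET", f"{ENDPOINT}?page=Example&a=1&b=2", ""),
    ("GET", f"{ENDPOINT}?{MANY}", ""),
    ("POST", ENDPOINT, MANY),
    ("GET", f"{ENDPOINT}?{SETMEDIA}&x=a%3Bb", ""),
    ("GET", f"{ENDPOINT}?{SETMEDIA}&x=a;", ""),
    ("PUT", f"{ENDPOINT}?{MANY}", ""),
]


def scan(samples):
    """Return (method, uri, labels) for every request that matched."""
    return [(m, u, classify(m, u, b)) for m, u, b in samples if classify(m, u, b)]


if __name__ == "__main__":
    for method, uri, labels in scan(SAMPLES):
        print(method, uri, labels)
```

The percent-encoded semicolon is caught because the URI is decoded before matching; a trailing semicolon with nothing after it is not flagged, mirroring the rule's `isdataat:1,relative`.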
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
Android
CVE-2020-3657: Closed-source component
vendor_android·2020-10-01·CVSS 9.8
CVE-2020-3657 [CRITICAL] CVE-2020-3657: Closed-source component
Android Security Bulletin 2020-10-01
CVE: CVE-2020-3657
Severity: CRITICAL
Component: Closed-source component
References: A-153344684*
GHSA
GHSA-m5wr-7765-xwvx: u'Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webs
ghsa_unreviewed·2022-05-24
CVE-2020-3657 [CRITICAL] CWE-120 GHSA-m5wr-7765-xwvx: u'Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webs
Suricata
ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)
suricata·2020-10-19·CVSS 9.8
CVE-2020-3657 [CRITICAL] ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performan
Suricata
ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)
suricata·2020-10-19·CVSS 9.8
CVE-2020-3657 [CRITICAL] ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_19, mitre_tactic_id TA0008, m
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-11-02