Security Advisory - Two Security Vulnerabilities in Huawei EMUI
- SA No:huawei-sa-20170125-01-emui
- Initial Release Date: Jan 25, 2017
- Last Release Date: Feb 08, 2017
Huawei EMUI3.1 has two vulnerabilities.
The Keyguard application in Huawei EMUI3.1 has a privilege elevation vulnerability due to insufficient validation on specific parameters. An attacker may trick a user into installing a malicious application. Successful exploit could allow the attacker to launch command injection to gain elevated privileges. (Vulnerability ID: HWPSIRT-2017-01086)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2692.
Huawei EMUI3.1 has a path traversal vulnerability due to insufficient path check during the decompression of files of specific types. An attacker may trick a user into downloading and installing malicious software. Successful exploit could allow the attacker to decompress malicious files into a target path. (Vulnerability ID: HWPSIRT-2017-01097)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2693.
Huawei has released software updates to fix these two vulnerabilities. This advisory is available at the following link: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170125-01-emui-cn
|
Product Name |
Affected Version |
Resolved Product and Version |
|
P8 Lite |
ALE-L02C635B140 and earlier versions |
ALE-L02C635B562 |
|
ALE-L02C636B140 and earlier versions |
ALE-L02C636B535 |
|
|
ALE-L21C10B150 and earlier versions |
ALE-L21C10B536 |
|
|
ALE-L21C185B200 and earlier versions |
ALE-L21C185B562 |
|
|
ALE-L21C432B214 and earlier versions |
ALE-L21C432B585 |
|
|
ALE-L21C464B150 and earlier versions |
ALE-L21C464B581 |
|
|
ALE-L21C636B200 and earlier versions |
ALE-L21C636B563 |
|
|
ALE-L23C605B190 and earlier versions |
ALE-L23C605B527 |
|
|
ALE-TL00C01B250 and earlier versions |
ALE-TL00C01B575 |
|
|
ALE-UL00C00B250 and earlier versions |
ALE-UL00C00B571 |
|
|
Mate 7 |
MT7-L09C605B325 and earlier versions |
MT7-L09C605B560 |
|
MT7-L09C900B339 and earlier versions |
MT7-L09C900B500 |
|
|
MT7-TL10C900B339 and earlier versions |
MT7-TL10C900B500 |
|
|
Mate S |
CRR-CL00C92B172 and earlier versions |
CRR-CL00C92B368 |
|
CRR-L09C432B180 and earlier versions |
CRR-L09C432B370 |
|
|
CRR-TL00C01B172 and earlier versions |
CRR-TL00C01B368 |
|
|
CRR-UL00C00B172 and earlier versions |
CRR-UL00C00B368 |
|
|
CRR-UL20C432B171 and earlier versions |
CRR-UL20C432B361 |
|
|
P8 |
GRA-CL00C92B230 and earlier versions |
GRA-CL00C92B366 |
|
GRA-L09C432B222 and earlier versions |
GRA-L09C432B390 |
|
|
GRA-TL00C01B230SP01 and earlier versions |
GRA-TL00C01B366 |
|
|
GRA-UL00C00B230 and earlier versions |
GRA-UL00C00B366 |
|
|
GRA-UL00C10B201 and earlier versions |
GRA-UL00C10B330 |
|
|
GRA-UL00C432B220 and earlier versions |
GRA-UL00C432B313 |
|
|
honor 6 |
H60-L04C10B523 and earlier versions |
H60-L04C10B830 |
|
H60-L04C185B523 and earlier versions |
H60-L04C185B860 |
|
|
H60-L04C636B527 and earlier versions |
H60-L04C636B860 |
|
|
H60-L04C900B530 and earlier versions |
H60-L04C900B800 |
|
|
honor 7 |
PLK-AL10C00B220 and earlier versions |
PLK-AL10C00B382 |
|
PLK-AL10C92B220 and earlier versions |
PLK-AL10C92B382 |
|
|
PLK-CL00C92B220 and earlier versions |
PLK-CL00C92B382 |
|
|
PLK-L01C10B140 and earlier versions |
PLK-L01C10B331 |
|
|
PLK-L01C185B130 and earlier versions |
PLK-L01C185B380 |
|
|
PLK-L01C432B187 and earlier versions |
PLK-L01C432B380 |
|
|
PLK-L01C432B190 and earlier versions |
PLK-L01C432B380 |
|
|
PLK-L01C432B190 and earlier versions |
PLK-L01C432B380 |
|
|
PLK-L01C636B130 and earlier versions |
PLK-L01C636B350 |
|
|
PLK-TL00C01B220 and earlier versions |
PLK-TL00C01B382 |
|
|
PLK-TL01HC01B220 and earlier versions |
PLK-TL01HC01B382 |
|
|
PLK-UL00C17B220 and earlier versions |
PLK-UL00C17B382 |
|
|
SHOTX |
ATH-AL00C00B210 and earlier versions |
ATH-AL00C00B390 |
|
ATH-AL00C92B200 and earlier versions |
ATH-AL00C92B390 |
|
|
ATH-CL00C92B210 and earlier versions |
ATH-CL00C92B380 |
|
|
ATH-TL00C01B210 and earlier versions |
ATH-TL00C01B390 |
|
|
ATH-TL00HC01B210 and earlier versions |
ATH-TL00HC01B390 |
|
|
ATH-UL00C00B210 and earlier versions |
ATH-UL00C00B390 |
|
|
G8 |
RIO-AL00C00B220 and earlier versions |
RIO-AL00C00B390 |
|
RIO-CL00C92B220 and earlier versions |
RIO-CL00C92B390 |
|
|
RIO-TL00C01B220 and earlier versions |
RIO-TL00C01B390 |
|
|
RIO-UL00C00B220 and earlier versions |
RIO-UL00C00B390 |
HWPSIRT-2017-01086:
Successful exploit could allow the attacker to gain elevated privileges.
HWPSIRT-2017-01097:
Successful exploit could allow the attacker to decompress malicious files into a target path.
The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
HWPSIRT-2017-01086:
Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Temporal Score: 6.2 (E:F/RL:O/RC:C)
HWPSIRT-2017-01097:
Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Temporal Score: 5.1 (E:F/RL:O/RC:C)
HWPSIRT-2017-01086:
1. Prerequisite:
The attacker has successfully tricked a user into installing a malicious application and obtained the permission on the built-in SD card.
2. Attacking procedure:
The EMUI Keyguard application implements insufficient validation on specific parameters. After the user is tricked into installing the malicious application, the attacker can exploit the vulnerability to inject commands, leading to privilege elevation.
HWPSIRT-2017-01097:
1. Prerequisite:
The attacker has successfully tricked a user into downloading and installing a malicious application in a specific path.
2. Attacking procedure:
The system implements insufficient path check during the decompression of files of specific types. After tricking the user into downloading and installing the malicious application, the attacker can exploit the vulnerability to decompress malicious files into a target path.
Mobile phones that support automatic update will receive a system update prompt. You can install the update to fix the vulnerabilities.
The two vulnerabilities are disclosed by Flanker from the Keen Security Lab of Tencent.
2017-02-08 V1.1 UPDATED Updated the affected product list and fixed version
2017-01-25 V1.0 INITIAL
None
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.
To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.
To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.
