cnvd - cnvd-2018-04767

cnvd-2018-04767

Vulnerability from cnvd

Title: Huawei Mate 9 Pro鉴权绕过漏洞

Description:

Huawei Mate 9 Pro是华为（Huawei）公司的一款智能手机。

Huawei Mate 9 Pro手机中的语音唤醒模块存在鉴权绕过漏洞，攻击者可诱使用户安装恶意应用程序，绕过身份验证，在距离手机的语音可达范围内控制手机发送短信息或拨打电话。

Severity: 中

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://www.huawei.com/cn/psirt/security-advisories/2018/huawei-sa-20180307-01-smartphone-cn

Reference: http://www.huawei.com/cn/psirt/security-advisories/2018/huawei-sa-20180307-01-smartphone-cn

Impacted products

Name
Huawei Mate 9 Pro <LON-AL00B 8.0.0.343(C00)

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-17279"
    }
  },
  "description": "Huawei Mate 9 Pro\u662f\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u667a\u80fd\u624b\u673a\u3002\r\n\r\nHuawei Mate 9 Pro\u624b\u673a\u4e2d\u7684\u8bed\u97f3\u5524\u9192\u6a21\u5757\u5b58\u5728\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u8bf1\u4f7f\u7528\u6237\u5b89\u88c5\u6076\u610f\u5e94\u7528\u7a0b\u5e8f\uff0c\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u5728\u8ddd\u79bb\u624b\u673a\u7684\u8bed\u97f3\u53ef\u8fbe\u8303\u56f4\u5185\u63a7\u5236\u624b\u673a\u53d1\u9001\u77ed\u4fe1\u606f\u6216\u62e8\u6253\u7535\u8bdd\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2018/huawei-sa-20180307-01-smartphone-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-04767",
  "openTime": "2018-03-09",
  "products": {
    "product": "Huawei Mate 9 Pro \u003cLON-AL00B 8.0.0.343(C00)"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2018/huawei-sa-20180307-01-smartphone-cn",
  "serverity": "\u4e2d",
  "submitTime": "2018-03-08",
  "title": "Huawei Mate 9 Pro\u9274\u6743\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2017-17279 (GCVE-0-2017-17279)

Vulnerability from cvelistv5

Published

2018-03-09 17:00

Modified

2024-08-05 20:43

Severity ?

CWE

authentication bypass

Summary

The soundtrigger module in Huawei Mate 9 Pro smart phones with software of the versions before LON-AL00B 8.0.0.343(C00) has an authentication bypass vulnerability due to the improper design of the module. An attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker bypass the authentication, the attacker can control the phone to sent short messages and make call within audio range to the phone.

References

▼	URL	Tags
	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180307-01-smartphone-en	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/103360	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	Mate 9 Pro	Version: The versions before LON-AL00B 8.0.0.343(C00)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:43:59.895Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180307-01-smartphone-en"
          },
          {
            "name": "103360",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103360"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mate 9 Pro",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "The versions before LON-AL00B 8.0.0.343(C00)"
            }
          ]
        }
      ],
      "datePublic": "2018-03-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The soundtrigger module in Huawei Mate 9 Pro smart phones with software of the versions before LON-AL00B 8.0.0.343(C00) has an authentication bypass vulnerability due to the improper design of the module. An attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker bypass the authentication, the attacker can control the phone to sent short messages and make call within audio range to the phone."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "authentication bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-13T09:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180307-01-smartphone-en"
        },
        {
          "name": "103360",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103360"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "ID": "CVE-2017-17279",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Mate 9 Pro",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "The versions before LON-AL00B 8.0.0.343(C00)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The soundtrigger module in Huawei Mate 9 Pro smart phones with software of the versions before LON-AL00B 8.0.0.343(C00) has an authentication bypass vulnerability due to the improper design of the module. An attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker bypass the authentication, the attacker can control the phone to sent short messages and make call within audio range to the phone."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "authentication bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180307-01-smartphone-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180307-01-smartphone-en"
            },
            {
              "name": "103360",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103360"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-17279",
    "datePublished": "2018-03-09T17:00:00",
    "dateReserved": "2017-12-04T00:00:00",
    "dateUpdated": "2024-08-05T20:43:59.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted