This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - Two Security Vulnerabilities in Huawei EMUI

  • SA No:huawei-sa-20170125-01-emui
  • Initial Release Date: 2017-01-25
  • Last Release Date: 2017-02-08

Huawei EMUI3.1 has two vulnerabilities.

The Keyguard application in Huawei EMUI3.1 has a privilege elevation vulnerability due to insufficient validation on specific parameters. An attacker may trick a user into installing a malicious application. Successful exploit could allow the attacker to launch command injection to gain elevated privileges. (Vulnerability ID: HWPSIRT-2017-01086)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2692.

Huawei EMUI3.1 has a path traversal vulnerability due to insufficient path check during the decompression of files of specific types. An attacker may trick a user into downloading and installing malicious software. Successful exploit could allow the attacker to decompress malicious files into a target path. (Vulnerability ID: HWPSIRT-2017-01097)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2693.

Huawei has released software updates to fix these two vulnerabilities. This advisory is available at the following link: http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170125-01-emui-cn

Product Name

Affected Version

Resolved Product and Version

P8 Lite

ALE-L02C635B140 and earlier versions

ALE-L02C635B562

ALE-L02C636B140 and earlier versions

ALE-L02C636B535

ALE-L21C10B150 and earlier versions

ALE-L21C10B536

ALE-L21C185B200 and earlier versions

ALE-L21C185B562

ALE-L21C432B214 and earlier versions

ALE-L21C432B585

ALE-L21C464B150 and earlier versions

ALE-L21C464B581

ALE-L21C636B200 and earlier versions

ALE-L21C636B563

ALE-L23C605B190 and earlier versions

ALE-L23C605B527

ALE-TL00C01B250 and earlier versions

ALE-TL00C01B575

ALE-UL00C00B250 and earlier versions

ALE-UL00C00B571

Mate 7

MT7-L09C605B325 and earlier versions

MT7-L09C605B560

MT7-L09C900B339 and earlier versions

MT7-L09C900B500

MT7-TL10C900B339 and earlier versions

MT7-TL10C900B500

Mate S

CRR-CL00C92B172 and earlier versions

CRR-CL00C92B368

CRR-L09C432B180 and earlier versions

CRR-L09C432B370

CRR-TL00C01B172 and earlier versions

CRR-TL00C01B368

CRR-UL00C00B172 and earlier versions

CRR-UL00C00B368

CRR-UL20C432B171 and earlier versions

CRR-UL20C432B361

P8

GRA-CL00C92B230 and earlier versions

GRA-CL00C92B366

GRA-L09C432B222 and earlier versions

GRA-L09C432B390

GRA-TL00C01B230SP01 and earlier versions

GRA-TL00C01B366

GRA-UL00C00B230 and earlier versions

GRA-UL00C00B366

GRA-UL00C10B201 and earlier versions

GRA-UL00C10B330

GRA-UL00C432B220 and earlier versions

GRA-UL00C432B313

honor 6

H60-L04C10B523 and earlier versions

H60-L04C10B830

H60-L04C185B523 and earlier versions

H60-L04C185B860

H60-L04C636B527 and earlier versions

H60-L04C636B860

H60-L04C900B530 and earlier versions

H60-L04C900B800

honor 7

PLK-AL10C00B220 and earlier versions

PLK-AL10C00B382

PLK-AL10C92B220 and earlier versions

PLK-AL10C92B382

PLK-CL00C92B220 and earlier versions

PLK-CL00C92B382

PLK-L01C10B140 and earlier versions

PLK-L01C10B331

PLK-L01C185B130 and earlier versions

PLK-L01C185B380

PLK-L01C432B187 and earlier versions

PLK-L01C432B380

PLK-L01C432B190 and earlier versions

PLK-L01C432B380

PLK-L01C432B190 and earlier versions

PLK-L01C432B380

PLK-L01C636B130 and earlier versions

PLK-L01C636B350

PLK-TL00C01B220 and earlier versions

PLK-TL00C01B382

PLK-TL01HC01B220 and earlier versions

PLK-TL01HC01B382

PLK-UL00C17B220 and earlier versions

PLK-UL00C17B382

SHOTX

ATH-AL00C00B210 and earlier versions

ATH-AL00C00B390

ATH-AL00C92B200 and earlier versions

ATH-AL00C92B390

ATH-CL00C92B210 and earlier versions

ATH-CL00C92B380

ATH-TL00C01B210 and earlier versions

ATH-TL00C01B390

ATH-TL00HC01B210 and earlier versions

ATH-TL00HC01B390

ATH-UL00C00B210 and earlier versions

ATH-UL00C00B390

G8

RIO-AL00C00B220 and earlier versions

RIO-AL00C00B390

RIO-CL00C92B220 and earlier versions

RIO-CL00C92B390

RIO-TL00C01B220 and earlier versions

RIO-TL00C01B390

RIO-UL00C00B220 and earlier versions

RIO-UL00C00B390


HWPSIRT-2017-01086:

Successful exploit could allow the attacker to gain elevated privileges.

HWPSIRT-2017-01097:

Successful exploit could allow the attacker to decompress malicious files into a target path.

The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

HWPSIRT-2017-01086:

Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Temporal Score: 6.2 (E:F/RL:O/RC:C)

HWPSIRT-2017-01097:

Base Score: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Temporal Score: 5.1 (E:F/RL:O/RC:C)

HWPSIRT-2017-01086:

1. Prerequisite:

The attacker has successfully tricked a user into installing a malicious application and obtained the permission on the built-in SD card.

2. Attacking procedure:

The EMUI Keyguard application implements insufficient validation on specific parameters. After the user is tricked into installing the malicious application, the attacker can exploit the vulnerability to inject commands, leading to privilege elevation.

HWPSIRT-2017-01097:

1. Prerequisite:

The attacker has successfully tricked a user into downloading and installing a malicious application in a specific path.

2. Attacking procedure:

The system implements insufficient path check during the decompression of files of specific types. After tricking the user into downloading and installing the malicious application, the attacker can exploit the vulnerability to decompress malicious files into a target path.

Mobile phones that support automatic update will receive a system update prompt. You can install the update to fix the vulnerabilities.

The two vulnerabilities are disclosed by Flanker from the Keen Security Lab of Tencent.

2017-02-08 V1.1 UPDATED Updated the affected product list and fixed version

2017-01-25 V1.0 INITIAL

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.