This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - Multiple Security Vulnerabilities in Driver of Huawei Smart Phones

  • SA No:Huawei-SA-20160104-04-SmartPhone
  • Initial Release Date: Jan 04, 2016
  • Last Release Date: Feb 03, 2016

There are multiple security vulnerabilities in driver of some Huawei smart phones.

There are two interface access control vulnerabilities in Graphics driver. An attacker may trick a user into installing a malicious application and application can exploit the vulnerability to crash the system or escalate user privilege. (Vulnerability ID: HWPSIRT-2015-11010 and HWPSIRT-2015-11091)

The vulnerability HWPSIRT-2015-11010 has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8307, the vulnerability HWPSIRT-2015-11091 has been assigned CVE ID: CVE-2015-8680.

There are two heap overflow vulnerabilities in HIFI driver. An attacker may trick a user into installing a malicious application and the application can send given parameter to HIFI driver to crash the system or escalate user privilege. (Vulnerability ID: HWPSIRT-2015-11028 and HWPSIRT-2015-11029)

The vulnerability HWPSIRT-2015-11028 has been assigned CVE ID: CVE-2015-8318, the vulnerability HWPSIRT-2015-11029 has been assigned CVE ID: CVE-2015-8319.

There is a interface access control vulnerability in ovisp driver. An attacker may trick a user into installing a malicious application and application can exploit the vulnerability to crash the system or escalate user privilege. (Vulnerability ID: HWPSIRT-2015-12003)

This vulnerability has been assigned CVE ID: CVE-2015-8681.

Huawei has released software updates to fix those vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160104-04-smartphone-en

Product Name

Affected Version

Resolved Product and Version

P8[1]

GRA-TL00C01B220 and earlier versions

GRA-TL00C01B230

GRA-CL00C92B220 and earlier versions

GRA-CL00C92B230

GRA-CL10C92B220 and earlier versions

GRA-CL10C92B230

GRA-UL00C00B220 and earlier versions

GRA-UL00C00B230

GRA-UL10C00B220 and earlier versions

GRA-UL10C00B230

Mate S

CRR-TL00C01B153SP01 and earlier versions

CRR-TL00C01B160SP01

CRR-UL00C00B153 and earlier versions

CRR-UL00C00B160

CRR-CL00C92B153 and earlier versions

CRR-CL00C92B161

 

[1] Mobile phones will receive a system update prompt. The vulnerability will be fixed after users install the update.

HWPSIRT-2015-11010 & HWPSIRT-2015-11028 & HWPSIRT-2015-11029 & HWPSIRT-2015-11091 & HWPSIRT-2015-12003:

The malicious application installed in smart phone can exploit this vulnerability to crash the system or escalate user privilege.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

HWPSIRT-2015-11010 & HWPSIRT-2015-11028 & HWPSIRT-2015-11029 & HWPSIRT-2015-11091 & HWPSIRT-2015-12003:

Base Score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Temporal Score: 5.1 (E:F/RL:O/RC:C)

HWPSIRT-2015-11010 & HWPSIRT-2015-11091:

1. Prerequisite:

The attacker successfully tricks a user into installing a malicious application on the smart phone.

2. Attacking procedure:

There are two interface access control vulnerabilities in Graphics driver. An attacker may trick a user into installing a malicious application; the application can get graphics privilege and exploit these vulnerabilities to modify the content of some registers, which could cause the system to crash or user privilege to escalate.

HWPSIRT-2015-11028 & HWPSIRT-2015-11029:

1. Prerequisite:

The attacker successfully tricks a user into installing a malicious application on the smart phone.

2. Attacking procedure:

The attacker tricks a user into installing a malicious application on the phone. The malicious application can access specific HIFI driver interfaces of the phone by system calls. The HIFI driver does not properly validate the parameters input by the application. Therefore, the application may exploit this vulnerability to make a heap overflow and read and modify phone memory address, which can crash the system or escalate user privilege.

HWPSIRT-2015-12003:

1. Prerequisite:

The attacker successfully tricks a user into installing a malicious application on the smart phone.

2. Attacking procedure:

There is a interface access control vulnerability in ovisp driver. An attacker may trick a user into installing a malicious application. The application can get camera privilege and exploit this vulnerability to modify content of some registers, which could cause the system to crash or user privilege to escalate.

1. Mobile phones that support automatic update will receive a system update prompt. You can install the update to fix the vulnerabilities.
2. Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.


These vulnerabilities were firstly reported to Huawei PSIRT by Chengming Yang of Alibaba Mobile Security Team. The vulnerability HWPSIRT-2015-11010 was also reported by Chiachih Wu and Xuxian Jiang from C0RE Team of Qihoo 360. The vulnerability HWPSIRT-2015-11028 was also reported by Yanfeng Wang, Yuan-Tsung Lo and Xuxian Jiang from C0RE Team of Qihoo 360. The vulnerability HWPSIRT-2015-12003 was also reported by Jianqiang Zhao, Yanfeng Wang and Xuxian Jiang from C0RE Team of Qihoo 360. Huawei would like to thank Chengming Yang, Chiachih Wu, Xuxian Jiang, Yanfeng Wang, Yuan-Tsung Lo and Jianqiang Zhao for working with us and coordinated vulnerability disclosure to protect our customers.

2016-02-03 V1.3 FINAL Update vulnerabilities source information
2016-02-03 V1.2 UPDATED Update information of "Software Versions and Fixes"
2016-01-05 V1.1 UPDATED Update vulnerabilities source information
2016-01-04 V1.0 INITIAL
Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/psirt/.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.