
Security Advisory - Stagefright Vulnerability in Multiple Huawei Android Products

  • SA No: Huawei-SA-20150809-01-Android
  • Initial Release Date: Aug 09, 2015
  • Last Release Date: Mar 22, 2016


The Stagefright media player engine in Android OS has multiple vulnerabilities, which can be exploited to remotely execute code in affected devices. (Vulnerability ID: HWPSIRT-2015-07056, HWPSIRT-2015-07057, HWPSIRT-2015-07058, HWPSIRT-2015-07059, HWPSIRT-2015-07060, HWPSIRT-2015-07061 and HWPSIRT-2015-07062)
These vulnerabilities have been assigned the Common Vulnerabilities and Exposures (CVE) IDs CVE-2015-3824, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3826, CVE-2015-1538 and CVE-2015-1539.

| Product Name | Affected Version | Resolved Product and Version |
|---|---|---|
| Honor 7 | Versions earlier than PLK-TL01HC01B150 | PLK-TL01HC01B150[1] |
| Honor 7 | Versions earlier than PLK-UL00C17B150 | PLK-UL00C17B150[1] |
| Honor 7 | Versions earlier than PLK-CL00C92B151 | PLK-CL00C92B151[1] |
| Honor 7 | Versions earlier than PLK-AL10C00B150 | PLK-AL10C00B150[1] |
| PE | Versions earlier than PE-CL00 V100R001C92B190 | PE-CL00 V100R001C92B190[1] |
| PE | Versions earlier than PE-UL00 V100R001C00B190 | PE-UL00 V100R001C00B190[1] |
| PE | Versions earlier than PE-TL10 V100R001CHNC00B250 | PE-TL10 V100R001CHNC00B250[1] |
| SCL | Versions earlier than SCL-TL00H C00B136 | SCL-TL00H C00B136[1] |
| SCL | Versions earlier than SCL-AL00 C00B136 | SCL-AL00 C00B136[1] |
| C8817D | Versions earlier than C8817D V100R001C92B266 | C8817D V100R001C92B266[1] |
| C8817E | Versions earlier than C8817E V100R001C92B266 | C8817E V100R001C92B266[1] |
| P8 | Versions earlier than GRA-TL00C01B182 | GRA-TL00C01B182[1] |
| P8 | Versions earlier than GRA-UL00C00B182 | GRA-UL00C00B182[1] |
| P8 | Versions earlier than GRA-CL00C92B182 | GRA-CL00C92B182[1] |
| eSpace 8950 | V200R003C00CPS500 and earlier versions | V200R003C00SPC600 |
| AR3200 | V200R005C32, V200R006C10, V200R006C11 | Upgrade to V200R006C12 |

[1] These versions have applied patches ANDROID-20923261 and ANDROID-20139950 but not ANDROID-23034759, and are still impacted by security vulnerability CVE-2015-3824.

[2] Mobile phones will receive a system update prompt. The vulnerabilities will be fixed after users install the update.


Successful exploitation of the vulnerabilities allows attackers to execute code remotely in affected Android devices.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Temporal Score: 5.6 (E:F/RL:O/RC:C)

1. Prerequisite:

None

2. Attacking procedure:

An attacker can embed malicious code in a multimedia message and send the message to target users. The target mobile devices automatically download and parse the multimedia message without any user interaction.

Disable the automatic download of multimedia short messages.

To do so, choose “Settings > All > Apps > Message > Advanced”, navigate to “Multimedia (MMS) messages”, and disable the function of automatic download of multimedia messages.

Do not open any unknown multimedia message or click any unknown link to a video.

1. Mobile phones that support automatic update will receive a system update prompt. You can install the update to fix the vulnerabilities.

2. Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.

The vulnerabilities were found by Joshua J. Drake, a researcher of Zimperium, a company in Israel.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.

2016-03-22 V1.4 UPDATED updated list of affected products

2015-11-27 V1.3 UPDATED updated list of affected products

2015-08-18 V1.2 UPDATED updated list of affected products

2015-08-14 V1.1 UPDATED updated list of affected products

2015-08-09 V1.0 INITIAL



This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.