安全预警 - 涉及华为手机空指针引用的安全漏洞
- 预警编号:huawei-sa-20190821-01-smartphone
- 初始发布时间: 2019年08月21日
- 更新发布时间: 2019年12月11日
某些华为手机存在空指针引用的安全漏洞。攻击者通过构造特定报文发送给受影响设备来利用此漏洞,成功利用会导致手机使用异常。 (漏洞编号:HWPSIRT-2019-05097)
此漏洞的CVE编号为: CVE-2019-5235.
华为已发布版本修复该漏洞。安全预警链接:
http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20190821-01-smartphone-cn
|
产品名称 |
版本号 |
修复版本号 |
|
ALP-AL00B |
8.0.0.153(C00) |
Upgrade to 9.1.0.321(C00E320R2P1T8) |
|
ALP-TL00B |
8.0.0.129(SP2C01) |
Upgrade to 9.1.0.321(C01E320R1P1T8) |
|
BLA-AL00B |
8.0.0.129(SP2C786) |
Upgrade to 9.1.0.321(C786E320R2P1T8) |
|
8.0.0.153(C00) |
Upgrade to 9.1.0.321(C00E320R2P1T8) |
|
|
BLA-TL00B |
8.0.0.129(SP2C01) |
Upgrade to 9.1.0.321(C01E320R1P1T8) |
|
Charlotte-AL00A |
8.1.0.176(C00) |
Upgrade to 9.1.0.321(C00E320R1P1T8) |
|
Charlotte-TL00B |
8.1.0.176(C01) |
Upgrade to 9.1.0.321(C01E320R1P1T8) |
|
Columbia-AL10B |
8.1.0.163(C00) |
Upgrade to 9.1.0.321(C00E320R1P1T8) |
|
Columbia-AL10I |
8.1.0.150(C675CUSTC675D2) |
Upgrade to 9.1.0.330(C675E8R1P9T8) |
|
Columbia-L29D |
8.1.0.146(C461) |
Upgrade to 9.1.0.325(C461E2R1P9T8) |
|
8.1.0.148(C185) |
Upgrade to 9.1.0.325(C185E2R1P11T8) |
|
|
8.1.0.151(C10) |
Upgrade to 9.1.0.325(C10E3R1P13T8) |
|
|
8.1.0.151(C432) |
Upgrade to 9.1.0.325(C432E4R1P12T8) |
|
|
Columbia-TL00D |
8.1.0.186(C01GT) |
Upgrade to Columbia-TL10C 9.1.0.321(C01E320R1P1T8) |
|
ELLE-AL00B |
9.1.0.162(C00E160R2P1) |
Upgrade to 9.1.0.186(C00E180R2P1) |
|
ELLE-TL00B |
9.1.0.162(C01E160R2P1) |
Upgrade to 9.1.0.186(C01E180R2P1) |
|
Emily-AL00A |
8.1.0.190(C00) |
Upgrade to 9.1.0.321(C00E320R1P1T8) |
|
Emily-TL00B |
8.1.0.175(C01) |
Upgrade to 9.1.0.321(C01E320R1P1T8) |
|
Ever-AL00B |
9.0.0.195(C00E195R2P1) |
Upgrade to 9.1.0.127(C00E127R2P1) |
|
Ever-L29B |
9.0.0.206(C185E3R3P1) |
Upgrade to 9.1.0.321(C185E3R3P1) |
|
9.0.0.207(C636E3R2P1) |
Upgrade to 9.1.0.320(C636E3R2P1) |
|
|
9.0.0.208(C432E3R1P12) |
Upgrade to 9.1.0.320(C432E3R1P12) |
|
|
Harry-AL00C |
9.1.0.206(C00E205R3P1) |
Upgrade to 9.1.0.217(C00E215R1P17) |
|
Harry-AL10B |
9.1.0.206(C00E205R3P1) |
Upgrade to 9.1.0.217(C00E215R3P1) |
|
Harry-TL00C |
9.0.1.162(C01E160R2P3) |
Upgrade to 9.1.0.217(C01E215R3P1) |
|
Hima-AL00B |
9.0.0.200(C00E200R2P1) |
Upgrade to 9.1.0.131(C00E131R3P1) |
|
Jackman-L21 |
8.2.0.160(C185) |
Upgrade to 9.1.0.220(C185E1R5P1T8) |
|
Jackman-L22 |
8.2.0.156(C636R2P2) |
Upgrade to Johnson-L22D 9.1.0.217(C636E2R2P1T8) |
|
Jackman-L23 |
8.2.0.152(C45CUSTC45D1) |
Upgrade to 9.1.0.220(C45E3R1P1T8) |
|
8.2.0.162(C605) |
Upgrade to 9.1.0.220(C605E3R1P1T8) |
|
|
Johnson-AL00IC |
8.2.0.161(C675CUSTC675D1) |
Upgrade to Johnson-L42IC 9.1.0.216(C675E8R2P1T8) |
|
Johnson-AL10C |
8.2.0.165(C00R1P16) |
Upgrade to 9.1.0.210(C00E10R3P2T8) |
|
Johnson-L21C |
8.2.0.130(C461R1P1) |
Upgrade to 9.1.0.221(C461E2R1P1T8) |
|
8.2.0.131(C10R2P2) |
Upgrade to 9.1.0.221(C10E2R1P1T8) |
|
|
8.2.0.136(C432CUSTC432D1) |
Upgrade to 9.1.0.219(C432E1R1P1T8) |
|
|
Johnson-L21D |
8.2.0.101(C10CUSTC10D1) |
Upgrade to Johnson-L21C 9.1.0.221(C10E2R1P1T8) |
|
8.2.0.101(C432CUSTC432D1) |
Upgrade to Johnson-L21C 9.1.0.219(C432E1R1P1T8) |
|
|
8.2.0.131(C55CUSTC55D1) |
Upgrade to 9.1.0.219(EEAC55E2R1P1T8) |
|
|
Johnson-L22C |
8.2.0.105(C185R1P1) |
Upgrade to Johnson-L22D 9.1.0.217(C185E3R2P1T8) |
|
8.2.0.107(C636R2P1) |
Upgrade to Johnson-L22D 9.1.0.217(C636E2R2P1T8) |
|
|
Johnson-L22D |
8.2.0.105(C185R2P1) |
Upgrade to 9.1.0.217(C185E3R2P1T8) |
|
8.2.0.107(C636R2P1) |
Upgrade to 9.1.0.217(C636E2R2P1T8) |
|
|
Johnson-L23C |
8.2.0.130(C636CUSTC636D2) |
Upgrade to Johnson-L22D 9.1.0.217(C636E2R2P1T8) |
|
8.2.0.133(C605CUSTC605D1) |
Upgrade to 9.1.0.218(C605E1R1P2T8) |
|
|
Johnson-L42IC |
8.2.0.155(C675R2P1) |
Upgrade to 9.1.0.216(C675E8R2P1T8) |
|
Johnson-L42IE |
8.2.0.155(C675R2P1) |
Upgrade to Johnson-L42IC 9.1.0.216(C675E8R2P1T8) |
|
Johnson-L42IF |
8.2.0.155(C675R2P1) |
Upgrade to Johnson-L42IC 9.1.0.216(C675E8R2P1T8) |
|
Johnson-TL00D |
8.2.0.100(C541CUSTC541D1) |
Upgrade to Johnson-TL00F 9.1.0.223(C541E1R1P1T8) |
|
8.2.0.165(C01R1P16) |
Upgrade to Johnson-TL00C 9.1.0.210(C01E10R3P2T8) |
|
|
Johnson-TL00F |
8.2.0.100(C541CUSTC541D1) |
Upgrade to 9.1.0.223(C541E1R1P1T8) |
|
Laya-AL00EP |
9.0.0.201(C786E200R2P1) |
Upgrade to 9.1.0.135(C786E133R3P1) |
|
NEO-AL00D |
8.1.0.175(C786) |
Upgrade to NEO-AL00 9.1.0.321(C786E320R1P1T8) |
|
Potter-AL00C |
9.1.0.208(C00E205R3P1) |
Upgrade to 9.1.0.217(C00E217R4P1) |
|
Potter-AL10A |
9.1.0.208(C00E205R3P1) |
Upgrade to 9.1.0.217(C00E215R3P1) |
|
Princeton-AL10B |
9.1.0.211(C00E203R2P2) |
Upgrade to 9.1.0.233(C00E233R4P3) |
|
Princeton-AL10D |
9.1.0.212(C00E204R2P2) |
Upgrade to 9.1.0.234(C00E234R4P3) |
|
Princeton-AL10I |
9.0.1.150(C675E9R1P4) |
Upgrade to Princeton-AL00I 9.1.0.235(C675E10R1P4) |
|
Princeton-TL10C |
9.1.0.211(C01E203R2P2) |
Upgrade to 9.1.0.233(C01E233R4P3) |
|
Tony-AL00B |
9.1.0.206(C00E200R2P3) |
Upgrade to 9.1.0.222(C00E222R2P1) |
|
Tony-TL00B |
9.1.0.206(C01E200R2P3) |
Upgrade to 9.1.0.226(C01E222R2P1) |
|
VOGUE-AL00A |
9.1.0.162(C00E160R2P1) |
Upgrade to 9.1.0.186(C00E180R2P1) |
|
VOGUE-AL00A-PRELOAD |
9.1.0.12(C00R1) |
Upgrade to VOGUE-AL00A 9.1.0.186(C00E180R2P1) |
|
VOGUE-AL10C |
9.1.0.162(C00E160R2P1) |
Upgrade to 9.1.0.186(C00E180R2P1) |
|
VOGUE-AL10C-PRELOAD |
9.1.0.12(C00R1) |
Upgrade to VOGUE-AL10C 9.1.0.186(C00E180R2P1) |
|
VOGUE-TL00B |
9.1.0.162(C01E160R2P1) |
Upgrade to 9.1.0.186(C01E180R2P1) |
攻击者可以利用此漏洞导致手机使用异常。
漏洞使用CVSSv3计分系统进行分级(http://www.first.org/cvss/specification-document)
基础得分:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
临时得分:4.9 (E:F/RL:O/RC:C)
利用漏洞发起攻击的预置条件:
攻击者能够与设备正常通信。
漏洞详细描述:
某些华为手机存在空指针引用的安全漏洞。攻击者通过构造特定报文发送给受影响设备来利用此漏洞,成功利用会导致手机使用异常。
无
该漏洞由华为内部测试发现。
2019-12-18 V1.1 UPDATED 刷新受影响产品版本和修复信息;
2019-08-21 V1.0 INITIAL
无
华为一贯主张尽全力保障产品用户的最终利益,遵循负责任的安全事件披露原则,并通过产品安全问题处理机制处理产品安全问题。
获取华为公司安全应急响应服务及华为产品漏洞信息,请访问http://www.huawei.com/cn/psirt。
反馈华为产品和解决方案安全问题,请反馈至华为PSIRT邮箱PSIRT@huawei.com,详情参考http://www.huawei.com/cn/psirt/report-vulnerabilities。
