Corporate Worldwide
Corporate
Corporate news and information
Consumer
Phones, laptops, tablets, wearables & other devices
Enterprise
Enterprise products, solutions & services
Carrier
Products, solutions & services for carrier networks
Huawei Cloud
Cloud products, solutions & services

Select a Country or Region

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Security Advisory - Buffer Overflow Vulnerability in HIFI Driver of Huawei Smart Phone

  • SA No:Huawei-SA-20160104-03-SmartPhone
  • Initial Release Date:2016-01-04
  • Last Release Date:2016-02-03

HIFI driver of some Huawei products have a buffer overflow vulnerability due to the lack of a parameters check. An attacker may trick a user into installing a malicious application, and the application can send given parameter to HIFI driver to crash the system or escalate user privilege. (Vulnerability ID: HWPSIRT-2015-11009)

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8306.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160104-03-smartphone-en

Product Name

Affected Version

Resolved Product and Version

P8[1]

GRA-TL00C01B220 and earlier versions

GRA-TL00C01B230

GRA-CL00C92B220 and earlier versions

GRA-CL00C92B230

GRA-CL10C92B220 and earlier versions

GRA-CL10C92B230

GRA-UL00C00B220 and earlier versions

GRA-UL00C00B230

GRA-UL10C00B220 and earlier versions

GRA-UL10C00B230

Mate S[1]

CRR-TL00C01B153SP01 and earlier versions

CRR-TL00C01B160SP01

CRR-UL00C00B153 and earlier versions

CRR-UL00C00B160

CRR-CL00C92B153 and earlier versions

CRR-CL00C92B161

 

[1] Mobile phones will receive a system update prompt. The vulnerabilities will be fixed after users install the update.
Successful exploitation of the vulnerability allows attackers to crash the system or escalate user privilege.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)

Temporal Score: 5.1 (E:F/RL:O/RC:C)

1. Prerequisite:

The attacker successfully tricks a user into installing a malicious application on the smart phone.

2. Attacking procedure:

HIFI driver of some Huawei products have a buffer overflow vulnerability due to the lack of a parameters check. An attacker may trick a user into installing a malicious application, and the application can send given parameter to HIFI driver to crash the system or escalate user privilege.
None


1. Mobile phones that support automatic update will receive a system update prompt. You can install the update to fix the vulnerabilities.
2. Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.


This vulnerability was reported to Huawei PSIRT by Yang Chengming and Yang Chao of Alibaba Mobile Security Team. Huawei would like to thank Yang Chengming and Yang Chao for working with us and coordinated vulnerability disclosure to protect our customers.

2016-02-03 V1.1 UPDATED updated information of "Software Versions and Fixes"
2016-01-04 V1.0 INITIAL

None


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/psirt/.
This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.