
Security Advisory - Information Exposure Vulnerability in Some Smart Phones

  • SA No: huawei-sa-20180523-01-phone
  • Initial Release Date: May 23, 2018
  • Last Release Date: May 23, 2018

There is an information exposure vulnerability in some Huawei smart phones. When the user's smart phone connects to the malicious device for charging, an unauthenticated attacker may activate some specific function by sending some specially crafted messages. Due to insufficient input validation of the messages, successful exploit may cause information exposure. (Vulnerability ID: HWPSIRT-2017-09191)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-17158.

Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180523-01-phone-en

| Product Name | Affected Version | Resolved Product and Version |
|---|---|---|
| Berlin-L21HN | The versions before Berlin-L21HNC185B381 | Berlin-L21HNC185B381 |
| Prague-AL00A | The versions before Prague-AL00AC00B223 | Prague-AL00AC00B223 |
| Prague-AL00B | The versions before Prague-AL00BC00B223 | Prague-AL00BC00B223 |
| Prague-AL00C | The versions before Prague-AL00CC00B223 | Prague-AL00CC00B223 |
| Prague-L31 | The versions before Prague-L31C432B208 | Prague-L31C432B208 |
| Prague-TL00A | The versions before Prague-TL00AC01B223 | Prague-TL00AC01B223 |
| Prague-TL10A | The versions before Prague-TL00AC01B223 | Prague-TL10AC01B223 |



Successful exploit may cause information exposure.


The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).

Base Score: 4.6 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 4.3 (E:F/RL:O/RC:C)


This vulnerability can be exploited only when the following conditions are present:

1. The affected smart phone connects to the malicious charging device.

Vulnerability details:

When the user's smart phone connects to the malicious device for charging, an unauthenticated attacker may activate some specific function by sending some specially crafted messages. Due to insufficient input validation of the messages, successful exploit may cause information exposure.

Products that support automatic updates will receive a system update prompt. You can install the update to fix the vulnerability.

This vulnerability was discovered by a Huawei internal tester.


2018-05-23 V1.0 INITIAL


Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure, and deals with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.