Factory Reset Protection bypass on Huawei smartphones
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-5220 |
| CWE-ID | CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Huawei Honor Magic 2 Client/Desktop applications / Multimedia software Huawei Mate 20 Client/Desktop applications / Multimedia software Huawei Mate 20 X Client/Desktop applications / Multimedia software |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU18919
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5220
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows an attacker to escalate privileges on the system.
The vulnerability exists due to the system does not sufficiently verify the permission. An attacker with physical access to the smartphones can do a certain operation on certain step of setup wizard.
Successful exploitation of this vulnerability may allow an attacker to bypass the FRP protection.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Honor Magic 2: before Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2)
Huawei Mate 20: before Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1)
Huawei Mate 20 X : before Ever-AL00B 9.0.0.200(C00E200R2P1)
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190626-01-frp-en
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
