Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-5218 |
CWE-ID | CWE-287 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software | Huawei Band 2 (Client/Desktop applications / Other client software), Honor Band 3 (Client/Desktop applications / Other client software) |
Vendor | Huawei |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU22779
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-5218
CWE-ID: CWE-287 - Improper Authentication
Exploit availability: No
Description
The vulnerability allows a local attacker to bypass the authentication process.
The vulnerability exists because the band does not sufficiently authenticate the device trying to connect to it in certain scenarios. An attacker on an adjacent network can fake certain credentials, spoof the band, then connect to it and gain unauthorized access to the application.
Mitigation
Install updates from the vendor's website.
Product Name | Affected Version | Resolved Product and Version |
Huawei Band 2 | Versions earlier than Eris-B19/Eris-B29 1.2.53 | Eris-B19/Eris-B29 1.2.53 |
Honor Band 3 | Versions earlier than NYX-B10HN 1.5.53 | NYX-B10HN 1.5.53 |
Huawei Band 2: All versions
Honor Band 3: All versions
External links
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191106-01-band-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.