SB2019111422 - Multiple vulnerabilities in Huawei P20

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-5211)

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper file management in the Share function. An attacker on adjacent network can trick the victim to perform certain operations on the mobile phone during file transfer and delete some files on the victim's mobile phone.

2) Improper access control (CVE-ID: CVE-2019-5212)

The vulnerability allows a local attacker to gain access to sensitive information on the target system.

The vulnerability exists due to the Huawei Share function does not properly restrict access to certain file from certain application. A local attacker can trick a victim to install a malicious application then establish a connect to the attacker through Huawei Share and disclose sensitive information on the target system.

Remediation

Install update from vendor's website.

References

• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191113-02-share-en
• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191113-01-share-en