Information disclosure in several Huawei Smartphones

Published: 2019-12-16

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-5264
CWE-ID	CWE-200
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Huawei Mate 10 Client/Desktop applications / Multimedia software Huawei Mate 10 Pro Client/Desktop applications / Multimedia software Huawei Honor V10 Client/Desktop applications / Multimedia software Changxiang 7S Client/Desktop applications / Multimedia software Huawei P-smart Client/Desktop applications / Multimedia software Changxiang 8 Plus Client/Desktop applications / Multimedia software Huawei Y9 2018 Client/Desktop applications / Multimedia software Huawei Honor 9 Lite Client/Desktop applications / Multimedia software Huawei Honor 9i Client/Desktop applications / Multimedia software Huawei Mate 9 Client/Desktop applications / Multimedia software
Vendor	Huawei

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU23618

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-5264

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software does not properly handle certain information of application locked by applock in a rare condition. An attacker with physical access to the device can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Huawei Mate 10: All versions

Huawei Mate 10 Pro: All versions

Huawei Honor V10: All versions

Changxiang 7S: All versions

Huawei P-smart: All versions

Changxiang 8 Plus: All versions

Huawei Y9 2018: All versions

Huawei Honor 9 Lite: All versions

Huawei Honor 9i: All versions

Huawei Mate 9: All versions

CPE2.3

External links

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191211-01-smartphone-en

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.