Information disclosure in several Huawei Smartphones

1) Information disclosure

EUVDB-ID: #VU23618

Risk: Low

CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5264

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software does not properly handle certain information of application locked by applock in a rare condition. An attacker with physical access to the device can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Huawei Mate 10: before 9.0.0.177

Huawei Mate 10 Pro: before 9.0.0.167

Huawei Honor V10: before 9.0.0.159

Changxiang 7S: before 9.1.0.107

Huawei P-smart: before 9.1.0.130

Changxiang 8 Plus: before 9.1.0.111

Huawei Y9 2018: before 9.1.0.120

Huawei Honor 9 Lite: before 9.1.0.121

Huawei Honor 9i: before 9.1.0.112

Huawei Mate 9: before 9.0.1.159

External links

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191211-01-smartphone-en

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.