Factory Reset Protection (FRP) bypass in Huawei Smart Phones



Published: 2020-01-16
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-19412
CWE-ID: CWE-254
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Huawei P-smart
Client/Desktop applications / Multimedia software

Huawei Honor V10
Client/Desktop applications / Multimedia software

Huawei ALP-AL00B
Client/Desktop applications / Multimedia software

Huawei ALP-L09
Client/Desktop applications / Multimedia software

Huawei ALP-L29
Client/Desktop applications / Multimedia software

Huawei Anne-AL00
Client/Desktop applications / Multimedia software

Huawei BLA-L09C
Client/Desktop applications / Multimedia software

Huawei BLA-L29C
Client/Desktop applications / Multimedia software

Huawei Berkeley-AL20
Client/Desktop applications / Multimedia software

Huawei Berkeley-L09
Client/Desktop applications / Multimedia software

Huawei Emily-L29C
Client/Desktop applications / Multimedia software

Huawei Figo-L03
Client/Desktop applications / Multimedia software

Huawei Figo-L21
Client/Desktop applications / Multimedia software

Huawei Figo-L23
Client/Desktop applications / Multimedia software

Huawei Figo-L31
Client/Desktop applications / Multimedia software

Huawei Florida-L03
Client/Desktop applications / Multimedia software

Huawei Florida-L21
Client/Desktop applications / Multimedia software

Huawei Florida-L22
Client/Desktop applications / Multimedia software

Huawei Florida-L23
Client/Desktop applications / Multimedia software

Huawei Y7s
Client/Desktop applications / Multimedia software

Huawei P20 lite
Client/Desktop applications / Multimedia software

Huawei nova 3e
Client/Desktop applications / Multimedia software

Huawei Leland-AL00A
Client/Desktop applications / Multimedia software

Huawei Leland-L21A
Client/Desktop applications / Multimedia software

Huawei Leland-L22A
Client/Desktop applications / Multimedia software

Huawei Leland-L22C
Client/Desktop applications / Multimedia software

Huawei Leland-L31A
Client/Desktop applications / Multimedia software

Vendor: Huawei

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Security Features

EUVDB-ID: #VU24337

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-19412

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a local attacker to bypass the FRP function.

The vulnerability exists due to a Factory Reset Protection (FRP) security bypass. When re-configuring the mobile phone using the FRP function, an attacker with physical access to the device can log in to the Talkback mode, perform some operations to install a third-party application and bypass the FRP function.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Huawei P-smart: before 9.1.0.130

Huawei Honor V10: before 9.0.0.202

Huawei ALP-AL00B: before 9.0.0.181

Huawei ALP-L09: before 9.0.0.201

Huawei ALP-L29: before 9.0.0.195

Huawei Anne-AL00: before 8.0.0.168

Huawei BLA-L09C: before 9.0.0.206

Huawei BLA-L29C: before 9.0.0.210

Huawei Berkeley-AL20: before 9.0.0.156

Huawei Berkeley-L09: before 8.0.0.173

Huawei Emily-L29C: before 9.0.0.193

Huawei Figo-L03: before 9.1.0.130

Huawei Figo-L21: before 9.1.0.130

Huawei Figo-L23: before 9.1.0.130

Huawei Figo-L31: before 9.1.0.130

Huawei Florida-L03: before 9.1.0.121

Huawei Florida-L21: before 8.0.0.132

Huawei Florida-L22: before 8.0.0.132

Huawei Florida-L23: before 8.0.0.144

Huawei Y7s: before 9.1.0.124

Huawei P20 lite: before 8.0.0.172

Huawei nova 3e: before 8.0.0.172

Huawei Leland-AL00A: before 8.0.0.182

Huawei Leland-L21A: before 9.1.0.118

Huawei Leland-L22A: before 9.1.0.118

Huawei Leland-L22C: before 9.1.0.118

Huawei Leland-L31A: before 8.0.0.139

External links

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-frp-en

