Improper Authorization in Several Huawei Smart Phones
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-1882 |
| CWE-ID | CWE-285 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Huawei Ever-L29B Client/Desktop applications / Multimedia software Huawei Mate 20 RS Client/Desktop applications / Multimedia software Huawei Mate 20 X Client/Desktop applications / Multimedia software Huawei Honor Magic 2 Client/Desktop applications / Multimedia software |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU24510
Risk: Low
CVSSv3.1: 1.9 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1882
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to bypass authorization checks.
The vulnerability exists due to improper authorization of some function. An authenticated attacker with physical access to the device can bypass the authorization to perform some operations.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Ever-L29B: before 10.0.0.180
Huawei Mate 20 RS: before 10.0.0.175
Huawei Mate 20 X : before 10.0.0.176
Huawei Honor Magic 2: before 10.0.0.175
CPE2.3- cpe:2.3:a:huawei:huawei_ever-l29b:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_mate_20_rs:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_mate_20_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:huawei:huawei_honor_magic_2:*:*:*:*:*:*:*:*
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200122-01-phone-en
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
