Risk | Low |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2020-1836 CVE-2020-9077 CVE-2020-9249 CVE-2020-9245 CVE-2020-9095 CVE-2020-9096 |
CWE-ID | CWE-200 CWE-401 CWE-285 CWE-190 CWE-125 |
Exploitation vector | Local network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software |
Huawei P30: Client/Desktop applications / Multimedia software
Huawei P30 Pro: Client/Desktop applications / Multimedia software
Vendor | Huawei |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
Updated 22.07.2020
Added vulnerability #2
Updated 29.07.2020
Added vulnerability #3
Updated 06.08.2020
Added vulnerability #4
Updated 24.08.2020
Added vulnerability #5-6
EUVDB-ID: #VU29340
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-1836
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description:
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the default configuration of a certain function. A remote attacker on the local network can launch the attack via a crafted Wi-Fi hotspot and gain unauthorized access to sensitive information on the system.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30: before 10.1.0.160
Huawei P30 Pro: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200624-01-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU31759
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9077
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description:
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected system does not properly authenticate the application that accesses a specified interface. A local attacker can trick a victim into installing malicious software and gain unauthorized access to sensitive information on the system.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200722-03-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32909
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9249
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description:
The vulnerability allows a remote attacker to perform a DoS attack on the target system.
The vulnerability exists due to a memory leak. A remote attacker on the local network can send specially crafted messages, force the application to leak memory and perform a denial of service attack.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200729-02-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU34096
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9245
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
Description:
The vulnerability allows a local attacker to bypass authorization checks.
The vulnerability exists due to improper authorization. A local attacker can trick a victim into installing a malicious application and cause a denial of service condition of the PHONE function.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30: before 10.1.0.160
Huawei P30 Pro: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200805-01-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45976
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9095
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description:
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow. A local attacker can send a malicious message, trigger an integer overflow and cause a denial of service condition on the target system.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30 Pro: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200819-03-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU45978
Risk: Low
CVSSv3.1: 4.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9096
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description:
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when processing some messages sent from another module. A local user can send a malicious message, trigger an out-of-bounds read error and cause a denial of service condition on the system.
Mitigation:
Install updates from vendor's website.
Vulnerable software versions:
Huawei P30 Pro: before 10.1.0.160
External links:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200819-02-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.