Multiple vulnerabilities in Huawei Mate 30
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2020-9263 CVE-2020-9262 CVE-2020-9261 CVE-2020-1839 |
| CWE-ID | CWE-416 CWE-843 CWE-362 |
| Exploitation vector | Local |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
Huawei Mate 30 Client/Desktop applications / Multimedia software |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU29495
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-9263
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error. A local user can trick a victim into running a specially crafted application with common privilege and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Mate 30: before 10.1.0.150
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-07-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU29496
Risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-9262
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error. A local attacker can trick a victim into running a specially crafted application with high privilege and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Mate 30: before 10.1.0.150
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-06-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Type Confusion
EUVDB-ID: #VU29497
Risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-9261
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error. A local attacker can trick a victim to install a specially crafted application, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Mate 30: before 10.1.0.150
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-05-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Race condition
EUVDB-ID: #VU29498
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-1839
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a race condition when there is a timing window exists in which certain pointer members can be modified by another process that is operating concurrently. A local administrator can trick a victim into running a specially crafted application with high privilege, exploit the race and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHuawei Mate 30: before 10.1.0.150
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200701-04-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
