Multiple vulnerabiities in Huawei Taurus-AL00A
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2021-22303 CVE-2021-22304 CVE-2021-22302 |
| CWE-ID | CWE-415 CWE-416 CWE-125 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Taurus-AL00A Hardware solutions / Firmware |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Double Free
EUVDB-ID: #VU50080
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22303
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to a lack of muti-thread protection when a function is called. A local attacker can pass specially crafted data to the application, trigger double free error and crash the module or compromise normal service.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTaurus-AL00A: 10.0.0.1(C00E1R1P1)
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-02-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU50084
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22304
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when dealing with some messages. A local attacker can send specific message, crash the target module and compromise normal service.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTaurus-AL00A: 10.0.0.1(C00E1R1P1)
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-03-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU50083
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22302
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A local administrator can trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTaurus-AL00A: 10.0.0.1(C00E1R1P1)
External linkshttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
