#VU24337 Security Features in Huawei products - CVE-2019-19412

 


Published: January 16, 2020


Vulnerability identifier: #VU24337
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-19412
CWE-ID: CWE-254
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Huawei P-smart
Huawei Honor V10
Huawei ALP-AL00B
Huawei ALP-L09
Huawei ALP-L29
Huawei Anne-AL00
Huawei BLA-L09C
Huawei BLA-L29C
Huawei Berkeley-AL20
Huawei Berkeley-L09
Huawei Emily-L29C
Huawei Figo-L03
Huawei Figo-L21
Huawei Figo-L23
Huawei Figo-L31
Huawei Florida-L03
Huawei Florida-L21
Huawei Florida-L22
Huawei Florida-L23
Huawei Y7s
Huawei P20 lite
Huawei nova 3e
Huawei Leland-AL00A
Huawei Leland-L21A
Huawei Leland-L22A
Huawei Leland-L22C
Huawei Leland-L31A
Software vendor:
Huawei

Description

The vulnerability allows a local attacker to bypass the FRP function.

The vulnerability exists due to a Factory Reset Protection (FRP) security bypass. When re-configuring the mobile phone using the FRP function, an attacker with physical access to the device can log in to TalkBack mode, perform some operations to install a third-party application, and bypass the FRP function.


Remediation

Install updates from the vendor's website.
