Vulnerability identifier: #VU22779
Vulnerability risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-287
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
Huawei Band 2 (Client/Desktop applications / Other client software)
Honor Band 3 (Client/Desktop applications / Other client software)
Vendor: Huawei
Description
The vulnerability allows a local attacker to bypass the authentication process.
The vulnerability exists because, in certain scenarios, the band does not sufficiently authenticate a device that attempts to connect to it. An attacker on an adjacent network can forge certain credentials, spoof the band, then connect to it and gain unauthorized access to the application.
Mitigation
Install updates from the vendor's website.
Product Name | Affected Version | Resolved Product and Version
Huawei Band 2 | Versions earlier than Eris-B19/Eris-B29 1.2.53 | Eris-B19/Eris-B29 1.2.53
Honor Band 3 | Versions earlier than NYX-B10HN 1.5.53 | NYX-B10HN 1.5.53
Vulnerable software versions
Huawei Band 2: before 1.2.53
Honor Band 3: before 1.5.53
External links
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191106-01-band-en
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.