#VU22802 Integer overflow in P30 - CVE-2019-5288
Vulnerability identifier: #VU22802
Vulnerability risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-190
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
P30
Client/Desktop applications /
Multimedia software
Vendor: Huawei
Description
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists because of integer overflow due to insufficient check on specific parameters. A local user can trick the victim to install a malicious application, obtain the root permission, construct specific parameters to the camera program, trigger integer overflow and execute arbitrary code on the target system or break down the program.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
P30: before 9.1.0.193
External links
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190925-01-smartphone-en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
