Improper validation of integrity check value in Huawei Mobile applications

#VU23415 Improper validation of integrity check value in Huawei Mobile applications

Published: 2019-12-05

Vulnerability identifier: #VU23415

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-5226

CWE-ID:

Exploitation vector: Local

Exploit availability:

Vulnerable software:
P30
Client/Desktop applications / Multimedia software
P30 Pro
Client/Desktop applications / Multimedia software
Huawei Mate 20
Client/Desktop applications / Multimedia software
Huawei HiSuite
Mobile applications / Apps for mobile phones

Vendor: Huawei

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the affected devices and software do not validate the upgrade package sufficiently. A local user can trick the user to install a malicious application and downgrade the system of smartphone to an older version.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

P30: All versions

P30 Pro: All versions

Huawei Mate 20: All versions

Huawei HiSuite: All versions

Fixed software versions

CPE

cpe:2.3:a:huawei:p30:*:*:*:*:*:*:*:*

External links
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190904-01-smartphone-en

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in several Huawei smartphones