#VU23618 Information disclosure in Huawei products - CVE-2019-5264


Vulnerability identifier: #VU23618

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-5264

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Huawei Mate 10
Client/Desktop applications / Multimedia software
Huawei Mate 10 Pro
Client/Desktop applications / Multimedia software
Huawei Honor V10
Client/Desktop applications / Multimedia software
Changxiang 7S
Client/Desktop applications / Multimedia software
Huawei P-smart
Client/Desktop applications / Multimedia software
Changxiang 8 Plus
Client/Desktop applications / Multimedia software
Huawei Y9 2018
Client/Desktop applications / Multimedia software
Huawei Honor 9 Lite
Client/Desktop applications / Multimedia software
Huawei Honor 9i
Client/Desktop applications / Multimedia software
Huawei Mate 9
Client/Desktop applications / Multimedia software

Vendor: Huawei

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected software does not properly handle certain information of an application locked by AppLock in a rare condition. An attacker with physical access to the device can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Huawei Mate 10: before 9.0.0.159

Huawei Mate 10 Pro: before 9.0.0.159

Huawei Honor V10: before 9.0.0.156

Changxiang 7S: before 9.1.0.107

Huawei P-smart: before 9.1.0.119

Changxiang 8 Plus: before 9.1.0.111

Huawei Y9 2018: before 9.1.0.115

Huawei Honor 9 Lite: before 9.1.0.113

Huawei Honor 9i: before 9.1.0.106

Huawei Mate 9: before 9.0.1.158


External links
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191211-01-smartphone-en


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

