#VU24337 Security Features in Huawei Client/Desktop applications


Published: 2020-01-16

Vulnerability identifier: #VU24337

Vulnerability risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19412

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Huawei P-smart
Client/Desktop applications / Multimedia software
Huawei Honor V10
Client/Desktop applications / Multimedia software
Huawei ALP-AL00B
Client/Desktop applications / Multimedia software
Huawei ALP-L09
Client/Desktop applications / Multimedia software
Huawei ALP-L29
Client/Desktop applications / Multimedia software
Huawei Anne-AL00
Client/Desktop applications / Multimedia software
Huawei BLA-L09C
Client/Desktop applications / Multimedia software
Huawei BLA-L29C
Client/Desktop applications / Multimedia software
Huawei Berkeley-AL20
Client/Desktop applications / Multimedia software
Huawei Berkeley-L09
Client/Desktop applications / Multimedia software
Huawei Emily-L29C
Client/Desktop applications / Multimedia software
Huawei Figo-L03
Client/Desktop applications / Multimedia software
Huawei Figo-L21
Client/Desktop applications / Multimedia software
Huawei Figo-L23
Client/Desktop applications / Multimedia software
Huawei Figo-L31
Client/Desktop applications / Multimedia software
Huawei Florida-L03
Client/Desktop applications / Multimedia software
Huawei Florida-L21
Client/Desktop applications / Multimedia software
Huawei Florida-L22
Client/Desktop applications / Multimedia software
Huawei Florida-L23
Client/Desktop applications / Multimedia software
Huawei Y7s
Client/Desktop applications / Multimedia software
Huawei P20 lite
Client/Desktop applications / Multimedia software
Huawei nova 3e
Client/Desktop applications / Multimedia software
Huawei Leland-AL00A
Client/Desktop applications / Multimedia software
Huawei Leland-L21A
Client/Desktop applications / Multimedia software
Huawei Leland-L22A
Client/Desktop applications / Multimedia software
Huawei Leland-L22C
Client/Desktop applications / Multimedia software
Huawei Leland-L31A
Client/Desktop applications / Multimedia software

Vendor: Huawei

Description

The vulnerability allows a local attacker to bypass the FRP function.

The vulnerability exists due to a Factory Reset Protection (FRP) security bypass. When re-configuring the mobile phone using the FRP function, an attacker with physical access to the device can log in to Talkback mode, perform some operations to install a third-party application, and bypass the FRP function.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Huawei P-smart: All versions

Huawei Honor V10: All versions

Huawei ALP-AL00B: All versions

Huawei ALP-L09: All versions

Huawei ALP-L29: All versions

Huawei Anne-AL00: All versions

Huawei BLA-L09C: All versions

Huawei BLA-L29C: All versions

Huawei Berkeley-AL20: All versions

Huawei Berkeley-L09: All versions

Huawei Emily-L29C: All versions

Huawei Figo-L03: All versions

Huawei Figo-L21: All versions

Huawei Figo-L23: All versions

Huawei Figo-L31: All versions

Huawei Florida-L03: All versions

Huawei Florida-L21: All versions

Huawei Florida-L22: All versions

Huawei Florida-L23: All versions

Huawei Y7s: All versions

Huawei P20 lite: All versions

Huawei nova 3e: All versions

Huawei Leland-AL00A: All versions

Huawei Leland-L21A: All versions

Huawei Leland-L22A: All versions

Huawei Leland-L22C: All versions

Huawei Leland-L31A: All versions


External links
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-frp-en


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must have physical access to the system to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

