#VU24337 Security Features


Published: 2020-01-16

Vulnerability identifier: #VU24337

Vulnerability risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-19412

CWE-ID: CWE-254

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Huawei P-smart
Client/Desktop applications / Multimedia software
Huawei Honor V10
Client/Desktop applications / Multimedia software
Huawei ALP-AL00B
Client/Desktop applications / Multimedia software
Huawei ALP-L09
Client/Desktop applications / Multimedia software
Huawei ALP-L29
Client/Desktop applications / Multimedia software
Huawei Anne-AL00
Client/Desktop applications / Multimedia software
Huawei BLA-L09C
Client/Desktop applications / Multimedia software
Huawei BLA-L29C
Client/Desktop applications / Multimedia software
Huawei Berkeley-AL20
Client/Desktop applications / Multimedia software
Huawei Berkeley-L09
Client/Desktop applications / Multimedia software
Huawei Emily-L29C
Client/Desktop applications / Multimedia software
Huawei Figo-L03
Client/Desktop applications / Multimedia software
Huawei Figo-L21
Client/Desktop applications / Multimedia software
Huawei Figo-L23
Client/Desktop applications / Multimedia software
Huawei Figo-L31
Client/Desktop applications / Multimedia software
Huawei Florida-L03
Client/Desktop applications / Multimedia software
Huawei Florida-L21
Client/Desktop applications / Multimedia software
Huawei Florida-L22
Client/Desktop applications / Multimedia software
Huawei Florida-L23
Client/Desktop applications / Multimedia software
Huawei Y7s
Client/Desktop applications / Multimedia software
Huawei P20 lite
Client/Desktop applications / Multimedia software
Huawei nova 3e
Client/Desktop applications / Multimedia software
Huawei Leland-AL00A
Client/Desktop applications / Multimedia software
Huawei Leland-L21A
Client/Desktop applications / Multimedia software
Huawei Leland-L22A
Client/Desktop applications / Multimedia software
Huawei Leland-L22C
Client/Desktop applications / Multimedia software
Huawei Leland-L31A
Client/Desktop applications / Multimedia software

Vendor: Huawei

Description

The vulnerability allows a local attacker to bypass the FRP function.

The vulnerability exists due to a Factory Reset Protection (FRP) security bypass. When re-configuring the mobile phone using the FRP function, an attacker with physical access to the device can login the Talkback mode, perform some operations to install a third-Party application and bypass the FRP function.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Huawei P-smart: All versions

Huawei Honor V10: All versions

Huawei ALP-AL00B: All versions

Huawei ALP-L09: All versions

Huawei ALP-L29: All versions

Huawei Anne-AL00: All versions

Huawei BLA-L09C: All versions

Huawei BLA-L29C: All versions

Huawei Berkeley-AL20: All versions

Huawei Berkeley-L09: All versions

Huawei Emily-L29C: All versions

Huawei Figo-L03: All versions

Huawei Figo-L21: All versions

Huawei Figo-L23: All versions

Huawei Figo-L31: All versions

Huawei Florida-L03: All versions

Huawei Florida-L21: All versions

Huawei Florida-L22: All versions

Huawei Florida-L23: All versions

Huawei Y7s: All versions

Huawei P20 lite: All versions

Huawei nova 3e: All versions

Huawei Leland-AL00A: All versions

Huawei Leland-L21A: All versions

Huawei Leland-L22A: All versions

Huawei Leland-L22C: All versions

Huawei Leland-L31A: All versions


CPE

External links
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-frp-en


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability