cnvd - cnvd-2018-20883

CNVD-2018-20883

Vulnerability from cnvd - Published: 2018-10-15

Title

多款Huawei手机任意内存读写漏洞

Description

Huawei Mate 9和Mate 9 Pro都是中国华为（Huawei）公司的智能手机产品。多款Huawei手机存在任意内存读写漏洞。该漏洞是由于Huawei部分手机的硬件安全模块中对输入校验不足。已经获取安卓系统root权限的攻击者可以利用这个漏洞在TrustZone中读写任意位置的内存数据或执行任意代码。

Severity

中

Patch Name

多款Huawei手机任意内存读写漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170306-01-smartphone-cn

Reference

https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170306-01-smartphone-cn

Impacted products

Name
['Huawei Mate 9 <MHA-AL00BC00B156', 'Huawei Mate 9 <MHA-CL00BC00B156', 'Huawei Mate 9 <MHA-DL00BC00B156', 'Huawei Mate 9 <MHA-TL00BC00B156', 'Huawei Mate 9 Pro <LON-AL00BC00B156', 'Huawei Mate 9 Pro <LON-CL00BC00B156', 'Huawei Mate 9 Pro <LON-DL00BC00B156', 'Huawei Mate 9 Pro <LON-TL00BC00B156']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-17176"
    }
  },
  "description": "Huawei Mate 9\u548cMate 9 Pro\u90fd\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u667a\u80fd\u624b\u673a\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eHuawei\u624b\u673a\u5b58\u5728\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8eHuawei\u90e8\u5206\u624b\u673a\u7684\u786c\u4ef6\u5b89\u5168\u6a21\u5757\u4e2d\u5bf9\u8f93\u5165\u6821\u9a8c\u4e0d\u8db3\u3002\u5df2\u7ecf\u83b7\u53d6\u5b89\u5353\u7cfb\u7edfroot\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5728TrustZone\u4e2d\u8bfb\u5199\u4efb\u610f\u4f4d\u7f6e\u7684\u5185\u5b58\u6570\u636e\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170306-01-smartphone-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-20883",
  "openTime": "2018-10-15",
  "patchDescription": "Huawei Mate 9\u548cMate 9 Pro\u90fd\u662f\u4e2d\u56fd\u534e\u4e3a\uff08Huawei\uff09\u516c\u53f8\u7684\u667a\u80fd\u624b\u673a\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eHuawei\u624b\u673a\u5b58\u5728\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8eHuawei\u90e8\u5206\u624b\u673a\u7684\u786c\u4ef6\u5b89\u5168\u6a21\u5757\u4e2d\u5bf9\u8f93\u5165\u6821\u9a8c\u4e0d\u8db3\u3002\u5df2\u7ecf\u83b7\u53d6\u5b89\u5353\u7cfb\u7edfroot\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5728TrustZone\u4e2d\u8bfb\u5199\u4efb\u610f\u4f4d\u7f6e\u7684\u5185\u5b58\u6570\u636e\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eHuawei\u624b\u673a\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Huawei Mate 9 \u003cMHA-AL00BC00B156",
      "Huawei Mate 9 \u003cMHA-CL00BC00B156",
      "Huawei Mate 9 \u003cMHA-DL00BC00B156",
      "Huawei Mate 9 \u003cMHA-TL00BC00B156",
      "Huawei Mate 9 Pro \u003cLON-AL00BC00B156",
      "Huawei Mate 9 Pro \u003cLON-CL00BC00B156",
      "Huawei Mate 9 Pro \u003cLON-DL00BC00B156",
      "Huawei Mate 9 Pro \u003cLON-TL00BC00B156"
    ]
  },
  "referenceLink": "https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170306-01-smartphone-cn",
  "serverity": "\u4e2d",
  "submitTime": "2018-10-15",
  "title": "\u591a\u6b3eHuawei\u624b\u673a\u4efb\u610f\u5185\u5b58\u8bfb\u5199\u6f0f\u6d1e"
}

CVE-2017-17176 (GCVE-0-2017-17176)

Vulnerability from cvelistv5 – Published: 2018-10-17 15:00 – Updated: 2024-08-05 20:44

Summary

The hardware security module of Mate 9 and Mate 9 Pro Huawei smart phones with the versions earlier before MHA-AL00BC00B156, versions earlier before MHA-CL00BC00B156, versions earlier before MHA-DL00BC00B156, versions earlier before MHA-TL00BC00B156, versions earlier before LON-AL00BC00B156, versions earlier before LON-CL00BC00B156, versions earlier before LON-DL00BC00B156, versions earlier before LON-TL00BC00B156 has a arbitrary memory read/write vulnerability due to the input parameters validation. An attacker with the root privilege of the Android system could exploit this vulnerability to read and write memory data anywhere or execute arbitrary code in the TrustZone.

Severity ?

No CVSS data available.

CWE

arbitrary memory read/write

Assigner

huawei

References

URL

Tags

https://www.huawei.com/en/psirt/security-advisori…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	Mate 9, Mate 9 Pro	Affected: Versions earlier before MHA-AL00BC00B156, Versions earlier before MHA-CL00BC00B156, Versions earlier before MHA-DL00BC00B156, Versions earlier before MHA-TL00BC00B156, Versions earlier before LON-AL00BC00B156, Versions earlier before LON-CL00BC00B156, Versions earlier before LON-DL00BC00B156, Versions earlier before LON-TL00BC00B156

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:44:00.186Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170306-01-smartphone-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mate 9, Mate 9 Pro",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Versions earlier before MHA-AL00BC00B156, Versions earlier before MHA-CL00BC00B156, Versions earlier before MHA-DL00BC00B156, Versions earlier before MHA-TL00BC00B156, Versions earlier before LON-AL00BC00B156, Versions earlier before LON-CL00BC00B156, Versions earlier before LON-DL00BC00B156, Versions earlier before LON-TL00BC00B156"
            }
          ]
        }
      ],
      "datePublic": "2017-03-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The hardware security module of Mate 9 and Mate 9 Pro Huawei smart phones with the versions earlier before MHA-AL00BC00B156, versions earlier before MHA-CL00BC00B156, versions earlier before MHA-DL00BC00B156, versions earlier before MHA-TL00BC00B156, versions earlier before LON-AL00BC00B156, versions earlier before LON-CL00BC00B156, versions earlier before LON-DL00BC00B156, versions earlier before LON-TL00BC00B156 has a arbitrary memory read/write vulnerability due to the input parameters validation. An attacker with the root privilege of the Android system could exploit this vulnerability to read and write memory data anywhere or execute arbitrary code in the TrustZone."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "arbitrary memory read/write",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T14:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170306-01-smartphone-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "ID": "CVE-2017-17176",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Mate 9, Mate 9 Pro",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions earlier before MHA-AL00BC00B156, Versions earlier before MHA-CL00BC00B156, Versions earlier before MHA-DL00BC00B156, Versions earlier before MHA-TL00BC00B156, Versions earlier before LON-AL00BC00B156, Versions earlier before LON-CL00BC00B156, Versions earlier before LON-DL00BC00B156, Versions earlier before LON-TL00BC00B156"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The hardware security module of Mate 9 and Mate 9 Pro Huawei smart phones with the versions earlier before MHA-AL00BC00B156, versions earlier before MHA-CL00BC00B156, versions earlier before MHA-DL00BC00B156, versions earlier before MHA-TL00BC00B156, versions earlier before LON-AL00BC00B156, versions earlier before LON-CL00BC00B156, versions earlier before LON-DL00BC00B156, versions earlier before LON-TL00BC00B156 has a arbitrary memory read/write vulnerability due to the input parameters validation. An attacker with the root privilege of the Android system could exploit this vulnerability to read and write memory data anywhere or execute arbitrary code in the TrustZone."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "arbitrary memory read/write"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170306-01-smartphone-en",
              "refsource": "CONFIRM",
              "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170306-01-smartphone-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-17176",
    "datePublished": "2018-10-17T15:00:00",
    "dateReserved": "2017-12-04T00:00:00",
    "dateUpdated": "2024-08-05T20:44:00.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-20883

CVE-2017-17176 (GCVE-0-2017-17176)

Tags

Sightings

Nomenclature