cnvd - cnvd-2018-22278

CNVD-2018-22278

Vulnerability from cnvd - Published: 2018-11-01

Title

Huawei手表权限控制漏洞

Description

Huawei手表2是华为第二代智能运动手表。 Huawei手表2存在权限控制漏洞。由于对特定操作的权限配置不当，已经获知手表绑定华为账号的攻击者可以通过在华为手表上一连串的操作绕过权限校验执行特定操作，修改手表中部分数据。

Severity

中

Patch Name

Huawei手表权限控制漏洞的补丁

Patch Description

Huawei手表2是华为第二代智能运动手表。 Huawei手表2存在权限控制漏洞。由于对特定操作的权限配置不当，已经获知手表绑定华为账号的攻击者可以通过在华为手表上一连串的操作绕过权限校验执行特定操作，修改手表中部分数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

华为已发布版本修复该漏洞。安全预警链接： http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20181031-01-watch-cn

Reference

https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20181031-01-watch-cn

Impacted products

Name
Huawei 华为手表2 <=OWDD.180707.001.E1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-7926"
    }
  },
  "description": "Huawei\u624b\u88682\u662f\u534e\u4e3a\u7b2c\u4e8c\u4ee3\u667a\u80fd\u8fd0\u52a8\u624b\u8868\u3002\r\n\r\nHuawei\u624b\u88682\u5b58\u5728\u6743\u9650\u63a7\u5236\u6f0f\u6d1e\u3002\u7531\u4e8e\u5bf9\u7279\u5b9a\u64cd\u4f5c\u7684\u6743\u9650\u914d\u7f6e\u4e0d\u5f53\uff0c\u5df2\u7ecf\u83b7\u77e5\u624b\u8868\u7ed1\u5b9a\u534e\u4e3a\u8d26\u53f7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u534e\u4e3a\u624b\u8868\u4e0a\u4e00\u8fde\u4e32\u7684\u64cd\u4f5c\u7ed5\u8fc7\u6743\u9650\u6821\u9a8c\u6267\u884c\u7279\u5b9a\u64cd\u4f5c\uff0c\u4fee\u6539\u624b\u8868\u4e2d\u90e8\u5206\u6570\u636e\u3002",
  "discovererName": "\u4efb\u4e00\u591a",
  "formalWay": "\u534e\u4e3a\u5df2\u53d1\u5e03\u7248\u672c\u4fee\u590d\u8be5\u6f0f\u6d1e\u3002\u5b89\u5168\u9884\u8b66\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20181031-01-watch-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-22278",
  "openTime": "2018-11-01",
  "patchDescription": "Huawei\u624b\u88682\u662f\u534e\u4e3a\u7b2c\u4e8c\u4ee3\u667a\u80fd\u8fd0\u52a8\u624b\u8868\u3002\r\n\r\nHuawei\u624b\u88682\u5b58\u5728\u6743\u9650\u63a7\u5236\u6f0f\u6d1e\u3002\u7531\u4e8e\u5bf9\u7279\u5b9a\u64cd\u4f5c\u7684\u6743\u9650\u914d\u7f6e\u4e0d\u5f53\uff0c\u5df2\u7ecf\u83b7\u77e5\u624b\u8868\u7ed1\u5b9a\u534e\u4e3a\u8d26\u53f7\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5728\u534e\u4e3a\u624b\u8868\u4e0a\u4e00\u8fde\u4e32\u7684\u64cd\u4f5c\u7ed5\u8fc7\u6743\u9650\u6821\u9a8c\u6267\u884c\u7279\u5b9a\u64cd\u4f5c\uff0c\u4fee\u6539\u624b\u8868\u4e2d\u90e8\u5206\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Huawei\u624b\u8868\u6743\u9650\u63a7\u5236\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei \u534e\u4e3a\u624b\u88682 \u003c=OWDD.180707.001.E1"
  },
  "referenceLink": "https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20181031-01-watch-cn",
  "serverity": "\u4e2d",
  "submitTime": "2018-11-01",
  "title": "Huawei\u624b\u8868\u6743\u9650\u63a7\u5236\u6f0f\u6d1e"
}

CVE-2018-7926 (GCVE-0-2018-7926)

Vulnerability from cvelistv5 – Published: 2018-11-13 19:00 – Updated: 2024-08-05 06:37

Summary

Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch.

Severity ?

No CVSS data available.

CWE

improper authorization

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	Huawei Watch 2	Affected: Versions and earlier than OWDD.180707.001.E1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:37:59.641Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181031-01-watch-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Huawei Watch 2",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Versions and earlier than OWDD.180707.001.E1"
            }
          ]
        }
      ],
      "datePublic": "2018-10-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "improper authorization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-13T18:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181031-01-watch-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "ID": "CVE-2018-7926",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Huawei Watch 2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions and earlier than OWDD.180707.001.E1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "improper authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181031-01-watch-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181031-01-watch-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2018-7926",
    "datePublished": "2018-11-13T19:00:00",
    "dateReserved": "2018-03-09T00:00:00",
    "dateUpdated": "2024-08-05T06:37:59.641Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-22278

CVE-2018-7926 (GCVE-0-2018-7926)

Tags

Sightings

Nomenclature