Details of VAR-201802-0441

ID

VAR-201802-0441

CVE

CVE-2017-17161

TITLE

Huawei Vulnerabilities related to authorization, authority, and access control in smartphone software

Trust: 0.8

sources: JVNDB: JVNDB-2017-012677

DESCRIPTION

The 'Find Phone' function in some Huawei smart phones with software earlier than Duke-L09C10B186 versions, earlier than Duke-L09C432B187 versions, earlier than Duke-L09C636B186 versions has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally. Huawei Smartphone software contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. HuaweiDuke-L09 is a smartphone from China's Huawei company. The HuaweiDuke-L09 \"Mobile Retrieval\" feature has an authentication bypass vulnerability. The vulnerability is due to the device's failure to properly implement authentication

Trust: 2.16

sources: NVD: CVE-2017-17161 // JVNDB: JVNDB-2017-012677 // CNVD: CNVD-2017-37500

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-37500

AFFECTED PRODUCTS

vendor:	huawei	model:	duke-l09	scope:	lt	version:	duke-l09c10b186	Trust: 1.8
vendor:	huawei	model:	duke-l09	scope:	lt	version:	duke-l09c432b187	Trust: 1.8
vendor:	huawei	model:	duke-l09	scope:	lt	version:	duke-l09c636b186	Trust: 1.8
vendor:	huawei	model:	duke-l09 <duke-l09c10b186	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	duke-l09 <duke-l09c432b187	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	duke-l09 <duke-l09c636b186	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-37500 // JVNDB: JVNDB-2017-012677 // NVD: CVE-2017-17161

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-17161
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-17161
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-37500
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201712-312
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2017-17161
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-37500
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2017-17161
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-37500 // JVNDB: JVNDB-2017-012677 // CNNVD: CNNVD-201712-312 // NVD: CVE-2017-17161

PROBLEMTYPE DATA

problemtype:	CWE-287	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2017-012677 // NVD: CVE-2017-17161

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201712-312

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201712-312

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012677

PATCH

title:	huawei-sa-20171213-01-smartphone	url:	http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en	Trust: 0.8
title:	HuaweiDuke-L09 authentication bypass vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/111011	Trust: 0.6
title:	Huawei Duke-L09 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100240	Trust: 0.6

sources: CNVD: CNVD-2017-37500 // JVNDB: JVNDB-2017-012677 // CNNVD: CNNVD-201712-312

EXTERNAL IDS

db:	NVD	id:	CVE-2017-17161	Trust: 3.0
db:	JVNDB	id:	JVNDB-2017-012677	Trust: 0.8
db:	CNVD	id:	CNVD-2017-37500	Trust: 0.6
db:	CNNVD	id:	CNNVD-201712-312	Trust: 0.6

sources: CNVD: CNVD-2017-37500 // JVNDB: JVNDB-2017-012677 // CNNVD: CNNVD-201712-312 // NVD: CVE-2017-17161

REFERENCES

url:	http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17161	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-17161	Trust: 0.8
url:	http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-cn	Trust: 0.6

sources: CNVD: CNVD-2017-37500 // JVNDB: JVNDB-2017-012677 // CNNVD: CNNVD-201712-312 // NVD: CVE-2017-17161

SOURCES

db:	CNVD	id:	CNVD-2017-37500
db:	JVNDB	id:	JVNDB-2017-012677
db:	CNNVD	id:	CNNVD-201712-312
db:	NVD	id:	CVE-2017-17161

LAST UPDATE DATE

2024-11-23T22:56:00.739000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-37500	date:	2017-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-012677	date:	2018-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201712-312	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-17161	date:	2024-11-21T03:17:36.770

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-37500	date:	2017-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-012677	date:	2018-04-04T00:00:00
db:	CNNVD	id:	CNNVD-201712-312	date:	2017-12-08T00:00:00
db:	NVD	id:	CVE-2017-17161	date:	2018-02-15T16:29:02.063