Vulnerability CVE-2018-7907


Published: 2018-09-26

Description:
Some Huawei products Agassi-L09 AGS-L09C100B257CUSTC100D001, AGS-L09C170B253CUSTC170D001, AGS-L09C199B251CUSTC199D001, AGS-L09C229B003CUSTC229D001, Agassi-W09 AGS-W09C100B257CUSTC100D001, AGS-W09C128B252CUSTC128D001, AGS-W09C170B252CUSTC170D001, AGS-W09C229B251CUSTC229D001, AGS-W09C331B003CUSTC331D001, AGS-W09C794B001CUSTC794D001, Baggio2-U01A BG2-U01C100B160CUSTC100D001, BG2-U01C170B160CUSTC170D001, BG2-U01C199B162CUSTC199D001, BG2-U01C209B160CUSTC209D001, BG2-U01C333B160CUSTC333D001, Bond-AL00C Bond-AL00CC00B201, Bond-AL10B Bond-AL10BC00B201, Bond-TL10B Bond-TL10BC01B201, Bond-TL10C Bond-TL10CC01B131, Haydn-L1JB HDN-L1JC137B068, Kobe-L09A KOB-L09C100B252CUSTC100D001, KOB-L09C209B002CUSTC209D001, KOB-L09C362B001CUSTC362D001, Kobe-L09AHN KOB-L09C233B226, Kobe-W09C KOB-W09C128B251CUSTC128D001, LelandP-L22C 8.0.0.101(C675CUSTC675D2), LelandP-L22D 8.0.0.101(C675CUSTC675D2), Rhone-AL00 Rhone-AL00C00B186, Selina-L02 Selina-L02C432B153, Stanford-L09S Stanford-L09SC432B183, Toronto-AL00 Toronto-AL00C00B223, Toronto-AL00A Toronto-AL00AC00B223, Toronto-TL10 Toronto-TL10C01B223 have a sensitive information leak vulnerability. An attacker can trick a user into installing a malicious application to exploit this vulnerability. Due to insufficient verification of the input, successful exploitation can cause a sensitive information leak.

Type: CWE-200 (Information Exposure)

Vendor: Huawei
Product: Toronto-tl10 firmware 
Version: toronto-tl10c01b223;
Product: Toronto-al00 firmware 
Version: toronto-al00c00b223;
Product: Toronto-al00a firmware 
Version: toronto-al00ac00b223;
Product: Stanford-l09s firmware 
Version: stanford-l09sc432b183;
Product: Selina-l02 firmware 
Version: selina-l02c432b153;
Product: Rhone-al00 firmware 
Version: rhone-al00c00b186;
Product: Kobe-w09c firmware 
Version: kob-w09c128b251custc128d001;
Product: Kobe-l09a firmware 
Version:
kob-l09c362b001custc362d001
kob-l09c209b002custc209d001
kob-l09c100b252custc100d001
Product: Kobe-l09ahn firmware 
Version: kob-l09c233b226;
Product: Haydn-l1jb firmware 
Version: hdn-l1jc137b068;
Product: Bond-tl10c firmware 
Version: bond-tl10cc01b131;
Product: Bond-tl10b firmware 
Version: bond-tl10bc01b201;
Product: Bond-al10b firmware 
Version: bond-al10bc00b201;
Product: Bond-al00c firmware 
Version: bond-al00cc00b201;
Product: Baggio2-u01a firmware 
Version:
bg2-u01c333b160custc333d001
bg2-u01c209b160custc209d001
bg2-u01c199b162custc199d001
bg2-u01c170b160custc170d001
bg2-u01c100b160custc100d001
Product: Agassi-w09 firmware 
Version:
ags-w09c794b001custc794d001
ags-w09c331b003custc331d001
ags-w09c229b251custc229d001
ags-w09c170b252custc170d001
ags-w09c128b252custc128d001
ags-w09c100b257custc100d001
Product: Agassi-l09 firmware 
Version:
ags-l09c229b003custc229d001
ags-l09c199b251custc199d001
ags-l09c170b253custc170d001
ags-l09c100b257custc100d001
Product: Lelandp-l22d firmware 
Version: 8.0.0.101_c675custc675d2;
Product: Lelandp-l22c firmware 
Version: 8.0.0.101_c675custc675d2;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180919-02-smartphone-en

Related CVE
CVE-2019-5280
The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certificate, attackers can perform man-in-the-middle attack...
CVE-2019-5223
PCManager 9.1.3.1 has an improper authentication vulnerability. The certain driver interface of the software does not perform a validation of user-mode data properly, successful exploit could result in malicious code execution.
CVE-2019-5236
Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability. An attacker can trick a user to c...
CVE-2019-5222
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user ...
CVE-2019-5245
HiSuite 9.1.0.300 versions and earlier contains a DLL hijacking vulnerability. This vulnerability exists due to some DLL file is loaded by HiSuite improperly. And it allows an attacker to load this DLL file of the attacker's choosing that could execu...
CVE-2019-5243
There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick user to click a link and affect the integrity of a device by exploiting this vulnerability.
CVE-2019-5242
There is a code execution vulnerability in Huawei PCManager versions earlier than PCManager 9.0.1.50. The attacker can tricking a user to install and run a malicious application to exploit this vulnerability. Successful exploitation may cause the att...
CVE-2019-5241
There is a privilege escalation vulnerability in Huawei PCManager versions earlier than PCManager 9.0.1.50. The attacker can tricking a user to install and run a malicious application to exploit this vulnerability. Successful exploitation may cause t...

Copyright 2019, cxsecurity.com

 
