A vulnerability, which was classified as critical, has been found in Huawei Files App up to 7.1.1.309. This issue affects some unknown processing. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The Files APP 7.1.1.309 and earlier versions in some Huawei mobile phones has a brute-force password cracking vulnerability due to the improper design of the Safe key database. An unauthorized attacker could access sensitive database information and may crack users' Safe passwords, leading to information leak.

The bug was discovered 04/25/2017. The weakness was shared 11/22/2017 (Website). The advisory is shared at huawei.com. The identification of this vulnerability is CVE-2017-2715 since 12/01/2016. The exploitation is known to be easy. An attack has to be approached locally. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 211 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 7.1.1.310 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Huawei

Name

• Files App

Version

• 7.1.1.309

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion