A vulnerability classified as critical was found in Huawei Mate 9 and Mate 9 Pro (Smartphone Operating System) (the affected version unknown). This vulnerability affects an unknown part of the component Trusted Execution Environment. The manipulation as part of a Application leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

The Trusted Execution Environment (TEE) module driver of Mate 9 and Mate 9 Pro smart phones with software versions earlier than MHA-AL00BC00B221 and versions earlier than LON-AL00BC00B221 has a use after free (UAF) vulnerability. An attacker tricks a user into installing a malicious application, and the application can start multiple threads and try to create and free specific memory, which could triggers access memory after free it and causes a system crash or arbitrary code execution.

The bug was discovered 06/15/2017. The weakness was disclosed 11/22/2017 (Website). The advisory is available at huawei.com. This vulnerability was named CVE-2017-8142 since 04/25/2017. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

The vulnerability was handled as a non-public zero-day exploit for at least 160 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

Productinfo

Type

• Smartphone Operating System

Vendor

• Huawei

Name

• Mate 9
• Mate 9 Pro

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion