A vulnerability was found in Huawei Agassi-L09HN, Agassi-W09HN, Kobe-L09AHN and Kobe-W09CHN (unknown version). It has been rated as critical. Affected by this issue is an unknown code block. The manipulation as part of a Variable leads to a type conversion vulnerability. Using CWE to declare the problem leads to CWE-704. The product does not correctly convert an object, resource, or structure from one type to a different type. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Some Huawei smartphones with software AGS-L09C233B019,AGS-W09C233B019,KOB-L09C233B017,KOB-W09C233B012 have a type confusion vulnerability. The program initializes a variable using one type, but it later accesses that variable using a type that is different with the original type when do certain register operation. Successful exploit could result in buffer overflow then may cause malicious code execution.

The bug was discovered 10/18/2017. The weakness was presented 11/22/2017 (Website). The advisory is available at huawei.com. This vulnerability is handled as CVE-2017-8159 since 04/25/2017. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

The vulnerability was handled as a non-public zero-day exploit for at least 35 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

Productinfo

Vendor

• Huawei

Name

• Agassi-L09HN
• Agassi-W09HN
• Kobe-L09AHN
• Kobe-W09CHN

License

• commercial

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion