A vulnerability was found in Huawei VIE-L09 (version now known). It has been declared as critical. This vulnerability affects some unknown processing. The manipulation as part of a Parameter leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Huawei smart phones with software earlier than VIE-L09C40B360 versions have a buffer overflow vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious APP which has the root privilege; the APP can send a specific parameter to the smart phone, causing the smartphone restart or arbitrary code execution.

The bug was discovered 10/25/2017. The weakness was released 11/22/2017 (Website). The advisory is available at huawei.com. This vulnerability was named CVE-2017-8169 since 04/25/2017. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

The vulnerability was handled as a non-public zero-day exploit for at least 28 days. During that time the estimated underground price was around $5k-$25k.

Upgrading eliminates this vulnerability.

Entry connected to this vulnerability is available at 109907.

Productinfo

Vendor

• Huawei

Name

• VIE-L09

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion