A vulnerability was found in Huawei Warsaw (affected version not known). It has been declared as problematic. Affected by this vulnerability is some unknown functionality. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-264. As an impact it is known to affect confidentiality. The summary by CVE is:

Warsaw Huawei Smart phones with software of versions earlier than Warsaw-AL00C00B180, versions earlier than Warsaw-TL10C01B180 have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with the root privilege of a mobile Android system can exploit this vulnerability to obtain some information of the user.

The bug was discovered 06/14/2017. The weakness was released 11/22/2017 (Website). It is possible to read the advisory at huawei.com. This vulnerability is known as CVE-2017-8216 since 04/25/2017. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 161 days. During that time the estimated underground price was around $0-$5k.

Upgrading eliminates this vulnerability.

Productinfo

Vendor

• Huawei

Name

• Warsaw

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion