A vulnerability classified as critical has been found in Huawei Enjoy 5s and Y6 Pro. Affected is an unknown functionality. The manipulation as part of a Application leads to a information disclosure vulnerability (Kernel Memory). CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. CVE summarizes:

Huawei Enjoy 5s and Y6 Pro smartphones with software the versions before TAG-AL00C92B170; the versions before TIT-L01C576B121 have an information leak vulnerability due to the lack of parameter validation. An attacker tricks a user into installing a malicious application on the smart phone and the application can read some sensitive information in kernel memory which may cause sensitive information leak.

The bug was discovered 12/13/2017. The weakness was released 03/05/2018 (Website). The advisory is available at huawei.com. This vulnerability is traded as CVE-2017-17140 since 12/04/2017. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

The vulnerability was handled as a non-public zero-day exploit for at least 82 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version TAG-AL00C92B170 or TIT-L01C576B121 eliminates this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Huawei

Name

• Enjoy 5s
• Y6 Pro

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion