Huawei P8 GRA-CL00/GRA-CL10/GRA-UL00/GRA-UL10 Graphics Driver access control

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in Huawei P8 GRA-CL00/GRA-CL10/GRA-UL00/GRA-UL10. The affected element is an unknown function of the component Graphics Driver. Such manipulation leads to access control. This vulnerability is uniquely identified as CVE-2015-8680. Local access is required to approach this attack. No exploit exists. You should upgrade the affected component.
Details
A vulnerability was found in Huawei P8 GRA-CL00/GRA-CL10/GRA-UL00/GRA-UL10 (Smartphone Operating System). It has been rated as critical. Affected by this issue is some unknown functionality of the component Graphics Driver. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:
The Graphics driver in Huawei P8 smartphones with software GRA-TL00 before GRA-TL00C01B230, GRA-CL00 before GRA-CL00C92B230, GRA-CL10 before GRA-CL10C92B230, GRA-UL00 before GRA-UL00C00B230, and GRA-UL10 before GRA-UL10C00B230, and Mate S smartphones with software CRR-TL00 before CRR-TL00C01B160SP01, CRR-UL00 before CRR-UL00C00B160, and CRR-CL00 before CRR-CL00C92B161 allows attackers to cause a denial of service (system crash) or gain privileges via a crafted application with the graphics permission, aka an "interface access control vulnerability," a different vulnerability than CVE-2015-8307.
The weakness was disclosed 04/07/2016 by Security Team with Alibaba Mobile Security Team (Website). The advisory is shared for download at huawei.com. This vulnerability is handled as CVE-2015-8680 since 12/25/2015. The attack needs to be approached locally. A simple authentication is required for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.
Upgrading to version GRA-TL00C01B230, GRA-CL00C92B230, GRA-CL10C92B230, GRA-UL00C00B230 or GRA-UL10C00B230 eliminates this vulnerability.
The vulnerability is also documented in the databases at SecurityFocus (BID 80351†) and Vulnerability Center (SBV-58048†). The entries VDB-81688, VDB-81689, VDB-81690 and VDB-81693 are pretty similar. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.huawei.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.8VulDB Meta Temp Score: 7.6
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Upgrade: P8 GRA-TL00C01B230/GRA-CL00C92B230/GRA-CL10C92B230/GRA-UL00C00B230/GRA-UL10C00B230
Timeline
12/25/2015 🔍01/04/2016 🔍
01/04/2016 🔍
04/07/2016 🔍
04/07/2016 🔍
04/08/2016 🔍
04/12/2016 🔍
07/12/2022 🔍
Sources
Vendor: huawei.comAdvisory: sa-20160104-04
Researcher: Security Team
Organization: Alibaba Mobile Security Team
Status: Not defined
Confirmation: 🔍
CVE: CVE-2015-8680 (🔍)
GCVE (CVE): GCVE-0-2015-8680
GCVE (VulDB): GCVE-100-81692
SecurityFocus: 80351 - Huawei P8 Smart Phone Multiple Local Privilege Escalation Vulnerabilities
Vulnerability Center: 58048 - Huawei Smartphones Remote DoS and Privileges Escalation via a Crafted App with Graphics Permission - CVE-2015-8680, High
See also: 🔍
Entry
Created: 04/08/2016 10:41Updated: 07/12/2022 10:24
Changes: 04/08/2016 10:41 (58), 02/04/2019 10:49 (14), 07/12/2022 10:24 (4)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.