CVE-2017-15351 - OpenCVE

The 'Find Phone' function in Huawei Honor V9 play smart phones with versions earlier than Jimmy-AL00AC00B135 has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally.

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Honor V9 Play Honor V9 Play Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:honor_v9_play_firmware:jimmy-al00ac00b135:*:*:*:*:*:*:*

cpe:2.3:h:huawei:honor_v9_play:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171122-01-smartphone-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2018-02-15T16:00:00

Updated: 2018-02-15T15:57:02

Reserved: 2017-10-14T00:00:00

Link: CVE-2017-15351

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-15T16:29:01.297

Modified: 2018-02-26T15:06:48.763

Link: CVE-2017-15351

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "Honor V9 play", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "Versions earlier than Jimmy-AL00AC00B135"}]}], "datePublic": "2017-11-22T00:00:00", "descriptions": [{"lang": "en", "value": "The 'Find Phone' function in Huawei Honor V9 play smart phones with versions earlier than Jimmy-AL00AC00B135 has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}], "problemTypes": [{"descriptions": [{"description": "authentication bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-15T15:57:02", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171122-01-smartphone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2017-15351", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Honor V9 play", "version": {"version_data": [{"version_value": "Versions earlier than Jimmy-AL00AC00B135"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The 'Find Phone' function in Huawei Honor V9 play smart phones with versions earlier than Jimmy-AL00AC00B135 has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "authentication bypass"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171122-01-smartphone-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171122-01-smartphone-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2017-15351", "datePublished": "2018-02-15T16:00:00", "dateReserved": "2017-10-14T00:00:00", "dateUpdated": "2018-02-15T15:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:honor_v9_play_firmware:jimmy-al00ac00b135:*:*:*:*:*:*:*", "matchCriteriaId": "EBD0A99C-F731-4477-AFCF-8B0D0B3AA380", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:honor_v9_play:-:*:*:*:*:*:*:*", "matchCriteriaId": "B543AF24-5D59-4A46-AC76-0EFF314E3D1A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The 'Find Phone' function in Huawei Honor V9 play smart phones with versions earlier than Jimmy-AL00AC00B135 has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}, {"lang": "es", "value": "La funci\u00f3n \"Find Phone\" en los smartphones Huawei Honor V9 play con versiones anteriores a la Jimmy-AL00AC00B135 tiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. Esto se debe a la realizaci\u00f3n indebida de la autenticaci\u00f3n en la funci\u00f3n \"Find Phone\". Un atacante podr\u00eda explotar esta vulnerabilidad para omitir la funci\u00f3n \"Find Phone\" y emplear el tel\u00e9fono de forma normal."}], "id": "CVE-2017-15351", "lastModified": "2018-02-26T15:06:48.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-15T16:29:01.297", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171122-01-smartphone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}