CVE-2017-17161 - OpenCVE

The 'Find Phone' function in some Huawei smart phones with software earlier than Duke-L09C10B186 versions, earlier than Duke-L09C432B187 versions, earlier than Duke-L09C636B186 versions has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally.

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Duke-l09 Duke-l09 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2018-02-15T16:00:00

Updated: 2018-02-15T15:57:02

Reserved: 2017-12-04T00:00:00

Link: CVE-2017-17161

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-15T16:29:02.063

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-17161

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "Duke-L09", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "Earlier than Duke-L09C10B186 versions, Earlier than Duke-L09C432B187 versions, Earlier than Duke-L09C636B186 versions"}]}], "datePublic": "2017-12-13T00:00:00", "descriptions": [{"lang": "en", "value": "The 'Find Phone' function in some Huawei smart phones with software earlier than Duke-L09C10B186 versions, earlier than Duke-L09C432B187 versions, earlier than Duke-L09C636B186 versions has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}], "problemTypes": [{"descriptions": [{"description": "authentication bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-15T15:57:02", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2017-17161", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Duke-L09", "version": {"version_data": [{"version_value": "Earlier than Duke-L09C10B186 versions, Earlier than Duke-L09C432B187 versions, Earlier than Duke-L09C636B186 versions"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The 'Find Phone' function in some Huawei smart phones with software earlier than Duke-L09C10B186 versions, earlier than Duke-L09C432B187 versions, earlier than Duke-L09C636B186 versions has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "authentication bypass"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2017-17161", "datePublished": "2018-02-15T16:00:00", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2018-02-15T15:57:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "56BAE6F2-6A4C-4895-809B-7BC0C5AF81AD", "versionEndExcluding": "duke-l09c10b186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*", "matchCriteriaId": "EBF74374-C6A1-4D04-915B-B23E3C9AC2FD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D031688-BAB3-4D49-AC49-29B9218BC326", "versionEndExcluding": "duke-l09c432b187", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*", "matchCriteriaId": "EBF74374-C6A1-4D04-915B-B23E3C9AC2FD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:duke-l09_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "997FF290-B213-4A51-8ACF-E0D254D337F6", "versionEndExcluding": "duke-l09c636b186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:duke-l09:-:*:*:*:*:*:*:*", "matchCriteriaId": "EBF74374-C6A1-4D04-915B-B23E3C9AC2FD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The 'Find Phone' function in some Huawei smart phones with software earlier than Duke-L09C10B186 versions, earlier than Duke-L09C432B187 versions, earlier than Duke-L09C636B186 versions has an authentication bypass vulnerability. Due to improper authentication realization in the 'Find Phone' function. An attacker may exploit the vulnerability to bypass the 'Find Phone' function in order to use the phone normally."}, {"lang": "es", "value": "La funci\u00f3n \"Find Phone\" en algunos smartphones Huawei con software en versiones anteriores a Duke-L09C10B186, Duke-L09C432B187 y Duke-L09C636B186 tiene una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. Esto se debe a la realizaci\u00f3n indebida de la autenticaci\u00f3n en la funci\u00f3n \"Find Phone\". Un atacante podr\u00eda explotar esta vulnerabilidad para omitir la funci\u00f3n \"Find Phone\" y emplear el tel\u00e9fono de forma normal."}], "id": "CVE-2017-17161", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-15T16:29:02.063", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171213-01-smartphone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}