CVE-2017-2735 - OpenCVE

TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Y6 Pro Firmware Y6 Pro

Configuration 1 [-]

AND

cpe:2.3:o:huawei:y6_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:y6_pro:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en	Vendor Advisory
http://www.securityfocus.com/bid/97224	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2017-11-15T00:00:00

Updated: 2017-11-23T10:57:01

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2735

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-11-22T19:29:01.927

Modified: 2017-12-11T17:37:43.713

Link: CVE-2017-2735

JSON object: View

Redhat Information

No data.

CWE

CWE-749

{"containers": {"cna": {"affected": [{"product": "TIT-AL00", "vendor": "Huawei Technologies Co., Ltd.", "versions": [{"status": "affected", "version": "Versions earlier before TIT-AL00C583B214"}]}], "datePublic": "2017-11-15T00:00:00", "descriptions": [{"lang": "en", "value": "TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties."}], "problemTypes": [{"descriptions": [{"description": "Exposed System Interface", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-23T10:57:01", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en"}, {"name": "97224", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97224"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "DATE_PUBLIC": "2017-11-15T00:00:00", "ID": "CVE-2017-2735", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TIT-AL00", "version": {"version_data": [{"version_value": "Versions earlier before TIT-AL00C583B214"}]}}]}, "vendor_name": "Huawei Technologies Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Exposed System Interface"}]}]}, "references": {"reference_data": [{"name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en", "refsource": "CONFIRM", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en"}, {"name": "97224", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97224"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2017-2735", "datePublished": "2017-11-15T00:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2017-11-23T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:y6_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "12CA77C0-F399-4D12-91A3-023B9A8E7459", "versionEndExcluding": "tit-al00c583b214", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:y6_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6F54999-3926-438D-BF21-8417C6B7A175", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties."}, {"lang": "es", "value": "Los smartphones TIT-AL00 con versiones de software anteriores a la TIT-AL00C583B214 tienen una vulnerabilidad de exposici\u00f3n de la interfaz del sistema. El software proporciona una interfaz del sistema para interactuar con aplicaciones externas, pero las llamadas a la interfaz no est\u00e1n restringidas correctamente. Un atacante podr\u00eda enga\u00f1ar al usuario para que instale una aplicaci\u00f3n maliciosa para llamar a la interfaz y modificar las propiedades del sistema."}], "id": "CVE-2017-2735", "lastModified": "2017-12-11T17:37:43.713", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-22T19:29:01.927", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170329-01-smartphone-en"}, {"source": "psirt@huawei.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97224"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "nvd@nist.gov", "type": "Primary"}]}