CVE-2020-9076 - OpenCVE

HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B smartphones with versions earlier than 10.1.0.135(C00E135R2P11); versions earlier than 10.1.0.135(C00E135R2P8), versions earlier than 10.1.0.135 have an improper authentication vulnerability. Due to the identity of the message sender not being properly verified, an attacker can exploit this vulnerability through man-in-the-middle attack to induce user to access malicious URL.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Tony-al00b Firmware P30 Pro Firmware Tony-al00b P30 Pro P30 P30 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:p30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:p30:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:huawei:p30_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:p30_pro:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:huawei:p30_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:p30_pro:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:huawei:tony-al00b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:tony-al00b:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2020-06-15T15:07:13

Updated: 2020-06-15T15:07:13

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9076

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-06-15T16:15:23.270

Modified: 2020-06-20T18:48:51.287

Link: CVE-2020-9076

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B", "vendor": "n/a", "versions": [{"status": "affected", "version": "Versions earlier than 10.1.0.135(C00E135R2P11)"}, {"status": "affected", "version": "Versions earlier than 10.1.0.135(C00E135R2P8),Versions earlier than 10.1.0.135(C01E135R2P8)"}, {"status": "affected", "version": "Versions earlier than 10.1.0.137(C00E137R2P11)"}]}], "descriptions": [{"lang": "en", "value": "HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B smartphones with versions earlier than 10.1.0.135(C00E135R2P11); versions earlier than 10.1.0.135(C00E135R2P8), versions earlier than 10.1.0.135 have an improper authentication vulnerability. Due to the identity of the message sender not being properly verified, an attacker can exploit this vulnerability through man-in-the-middle attack to induce user to access malicious URL."}], "problemTypes": [{"descriptions": [{"description": "Improper Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-15T15:07:13", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2020-9076", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B", "version": {"version_data": [{"version_value": "Versions earlier than 10.1.0.135(C00E135R2P11)"}, {"version_value": "Versions earlier than 10.1.0.135(C00E135R2P8),Versions earlier than 10.1.0.135(C01E135R2P8)"}, {"version_value": "Versions earlier than 10.1.0.137(C00E137R2P11)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B smartphones with versions earlier than 10.1.0.135(C00E135R2P11); versions earlier than 10.1.0.135(C00E135R2P8), versions earlier than 10.1.0.135 have an improper authentication vulnerability. Due to the identity of the message sender not being properly verified, an attacker can exploit this vulnerability through man-in-the-middle attack to induce user to access malicious URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en", "refsource": "MISC", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2020-9076", "datePublished": "2020-06-15T15:07:13", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2020-06-15T15:07:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:p30_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E435BD0-2D12-4A15-BF67-4E83C1848884", "versionEndExcluding": "10.1.0.135\\(c00e135r2p11\\)", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:p30:-:*:*:*:*:*:*:*", "matchCriteriaId": "21EE286C-8111-4F59-8CF1-13C68EA76B21", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:p30_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E5A64DE-1846-44E8-AA2D-E2EF15F308AA", "versionEndExcluding": "10.1.0.135\\(c00e135r2p8\\)", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:p30_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DB671DB-CB5B-46E0-B221-722D051184DE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:p30_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B88F6982-D7F1-409D-A73C-4E439CA2CAD5", "versionEndExcluding": "10.1.0.135\\(c01e135r2p8\\)", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:p30_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DB671DB-CB5B-46E0-B221-722D051184DE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:tony-al00b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "63B310F0-9165-48E3-9609-6CA49D6E10C5", "versionEndExcluding": "10.1.0.137\\(c00e137r2p11\\)", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:tony-al00b:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E14B978-2A3C-4F55-8E3A-BA41AB137C33", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "HUAWEI P30;HUAWEI P30 Pro;Tony-AL00B smartphones with versions earlier than 10.1.0.135(C00E135R2P11); versions earlier than 10.1.0.135(C00E135R2P8), versions earlier than 10.1.0.135 have an improper authentication vulnerability. Due to the identity of the message sender not being properly verified, an attacker can exploit this vulnerability through man-in-the-middle attack to induce user to access malicious URL."}, {"lang": "es", "value": "Los tel\u00e9fonos inteligentes HUAWEI P30; HUAWEI P30 Pro; Tony-AL00B con versiones anteriores a 10.1.0.135(C00E135R2P11); versiones anteriores a 10.1.0.135(C00E135R2P8),versiones anteriores a 10.1.0.135, presentan una vulnerabilidad de autenticaci\u00f3n inapropiada. Debido a que la identidad del remitente del mensaje no est\u00e1 siendo verificada apropiadamente, un atacante puede explotar esta vulnerabilidad por medio de un ataque de tipo man-in-the-middle para inducir a un usuario a acceder a una URL maliciosa"}], "id": "CVE-2020-9076", "lastModified": "2020-06-20T18:48:51.287", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-15T16:15:23.270", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}