Vulnerability-Lookup

CNVD-2017-28811

Vulnerability from cnvd - Published: 2017-09-30

Title

Huawei部分APP存在缺乏签名认证漏洞

Description

Huawei部分APP存在缺乏签名认证漏洞。由于Huawei一些APP不支持APK文件签名校验。攻击者可以利用这个漏洞劫持并替换APK文件。成功利用可以导致APP被劫持。

Severity

中

Patch Name

Huawei部分APP存在缺乏签名认证漏洞的补丁

Patch Description

Huawei部分APP存在缺乏签名认证漏洞。由于Huawei一些APP不支持APK文件签名校验。攻击者可以利用这个漏洞劫持并替换APK文件。成功利用可以导致APP被劫持。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

华为已发布版本修复该漏洞，安全预警链接： http://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170816-01-app-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170816-01-app-cn

Impacted products

Name
Huawei HiWallet <5.0.3.100

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8177"
    }
  },
  "description": "Huawei\u90e8\u5206APP\u5b58\u5728\u7f3a\u4e4f\u7b7e\u540d\u8ba4\u8bc1\u6f0f\u6d1e\u3002\u7531\u4e8eHuawei\u4e00\u4e9bAPP\u4e0d\u652f\u6301APK\u6587\u4ef6\u7b7e\u540d\u6821\u9a8c\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u52ab\u6301\u5e76\u66ff\u6362APK\u6587\u4ef6\u3002\u6210\u529f\u5229\u7528\u53ef\u4ee5\u5bfc\u81f4APP\u88ab\u52ab\u6301\u3002",
  "discovererName": "\u5f20\u6e05",
  "formalWay": "\u534e\u4e3a\u5df2\u53d1\u5e03\u7248\u672c\u4fee\u590d\u8be5\u6f0f\u6d1e\uff0c\u5b89\u5168\u9884\u8b66\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20170816-01-app-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-28811",
  "openTime": "2017-09-30",
  "patchDescription": "Huawei\u90e8\u5206APP\u5b58\u5728\u7f3a\u4e4f\u7b7e\u540d\u8ba4\u8bc1\u6f0f\u6d1e\u3002\u7531\u4e8eHuawei\u4e00\u4e9bAPP\u4e0d\u652f\u6301APK\u6587\u4ef6\u7b7e\u540d\u6821\u9a8c\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u52ab\u6301\u5e76\u66ff\u6362APK\u6587\u4ef6\u3002\u6210\u529f\u5229\u7528\u53ef\u4ee5\u5bfc\u81f4APP\u88ab\u52ab\u6301\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Huawei\u90e8\u5206APP\u5b58\u5728\u7f3a\u4e4f\u7b7e\u540d\u8ba4\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei HiWallet \u003c5.0.3.100"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170816-01-app-cn",
  "serverity": "\u4e2d",
  "submitTime": "2017-08-17",
  "title": "Huawei\u90e8\u5206APP\u5b58\u5728\u7f3a\u4e4f\u7b7e\u540d\u8ba4\u8bc1\u6f0f\u6d1e"
}

CVE-2017-8177 (GCVE-0-2017-8177)

Vulnerability from cvelistv5 – Published: 2017-11-22 19:00 – Updated: 2024-09-17 01:40

Summary

Huawei APP HiWallet earlier than 5.0.3.100 versions do not support signature verification for APK file. An attacker could exploit this vulnerability to hijack the APK and upload modified APK file. Successful exploit could lead to the APP is hijacking.

Severity ?

No CVSS data available.

CWE

Lack of Signature Verification

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	HiWallet	Affected: Earlier than 5.0.3.100 versions

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:27:22.917Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-app-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "HiWallet",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Earlier than 5.0.3.100 versions"
            }
          ]
        }
      ],
      "datePublic": "2017-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei APP HiWallet earlier than 5.0.3.100 versions do not support signature verification for APK file. An attacker could exploit this vulnerability to hijack the APK and upload modified APK file. Successful exploit could lead to the APP is hijacking."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Lack of Signature Verification",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-22T18:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-app-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-15T00:00:00",
          "ID": "CVE-2017-8177",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "HiWallet",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Earlier than 5.0.3.100 versions"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei APP HiWallet earlier than 5.0.3.100 versions do not support signature verification for APK file. An attacker could exploit this vulnerability to hijack the APK and upload modified APK file. Successful exploit could lead to the APP is hijacking."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Lack of Signature Verification"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-app-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170816-01-app-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-8177",
    "datePublished": "2017-11-22T19:00:00Z",
    "dateReserved": "2017-04-25T00:00:00",
    "dateUpdated": "2024-09-17T01:40:41.137Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-28811

CVE-2017-8177 (GCVE-0-2017-8177)

Tags

Sightings

Nomenclature