Vulnerability-Lookup

CNVD-2017-33957

Vulnerability from cnvd - Published: 2017-11-15

Title

多款Huawei产品信息泄露漏洞

Description

华为智能家居、华为应用市场、学生模式、家长助手、华为众测、钱包、支付、天际通、华为云服务、查找我的手机、华为视频、华为手环手机客户端、、健康业务客户端都是华为产品。多款Huawei产品存在信息泄露漏洞，由于加密密钥是存储在受影响产品软件中，攻击者可通过逆向工程获取加密密钥，导致信息泄露。

Severity

中

Patch Name

多款Huawei产品信息泄露漏洞的补丁

Patch Description

华为智能家居、华为应用市场、学生模式、家长助手、华为众测、钱包、支付、天际通、华为云服务、查找我的手机、华为视频、华为手环手机客户端、、健康业务客户端都是华为产品。多款Huawei产品存在信息泄露漏洞，由于加密密钥是存储在受影响产品软件中，攻击者可通过逆向工程获取加密密钥，导致信息泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170920-01-encryption-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170920-01-encryption-cn

Impacted products

Name
['Huawei 智能家居 <1.0.2.364', 'Huawei 华为应用市场 <7.3.0.303', 'Huawei 学生模式 <2.0.0', 'Huawei 家长助手 <5.1.0.12', 'Huawei 华为众测 <1.5.3', 'Huawei 钱包 <8.0.0.301', 'Huawei 支付 <8.0.0.300', 'Huawei 天际通 <8.1.2.300', 'Huawei 华为云服务 <8.0.0.307', 'Huawei 查找我的手机 <9.3.0.310', 'Huawei 查找我的手机 <9.2.2.303', 'Huawei 华为视频 <8.0.0.309', 'Huawei 华为手环手机客户端 <21.0.0.360', 'Huawei 健康业务客户端 <3.0.3.300']

Name

['Huawei 智能家居 <1.0.2.364', 'Huawei 华为应用市场 <7.3.0.303', 'Huawei 学生模式 <2.0.0', 'Huawei 家长助手 <5.1.0.12', 'Huawei 华为众测 <1.5.3', 'Huawei 钱包 <8.0.0.301', 'Huawei 支付 <8.0.0.300', 'Huawei 天际通 <8.1.2.300', 'Huawei 华为云服务 <8.0.0.307', 'Huawei 查找我的手机 <9.3.0.310', 'Huawei 查找我的手机 <9.2.2.303', 'Huawei 华为视频 <8.0.0.309', 'Huawei 华为手环手机客户端 <21.0.0.360', 'Huawei 健康业务客户端 <3.0.3.300']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-2704"
    }
  },
  "description": "\u534e\u4e3a\u667a\u80fd\u5bb6\u5c45\u3001\u534e\u4e3a\u5e94\u7528\u5e02\u573a\u3001\u5b66\u751f\u6a21\u5f0f\u3001\u5bb6\u957f\u52a9\u624b\u3001\u534e\u4e3a\u4f17\u6d4b\u3001\u94b1\u5305\u3001\u652f\u4ed8\u3001\u5929\u9645\u901a\u3001\u534e\u4e3a\u4e91\u670d\u52a1\u3001\u67e5\u627e\u6211\u7684\u624b\u673a\u3001\u534e\u4e3a\u89c6\u9891\u3001\u534e\u4e3a\u624b\u73af\u624b\u673a\u5ba2\u6237\u7aef\u3001\u3001\u5065\u5eb7\u4e1a\u52a1\u5ba2\u6237\u7aef\u90fd\u662f\u534e\u4e3a\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eHuawei\u4ea7\u54c1\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u7531\u4e8e\u52a0\u5bc6\u5bc6\u94a5\u662f\u5b58\u50a8\u5728\u53d7\u5f71\u54cd\u4ea7\u54c1\u8f6f\u4ef6\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u9006\u5411\u5de5\u7a0b\u83b7\u53d6\u52a0\u5bc6\u5bc6\u94a5\uff0c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170920-01-encryption-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-33957",
  "openTime": "2017-11-15",
  "patchDescription": "\u534e\u4e3a\u667a\u80fd\u5bb6\u5c45\u3001\u534e\u4e3a\u5e94\u7528\u5e02\u573a\u3001\u5b66\u751f\u6a21\u5f0f\u3001\u5bb6\u957f\u52a9\u624b\u3001\u534e\u4e3a\u4f17\u6d4b\u3001\u94b1\u5305\u3001\u652f\u4ed8\u3001\u5929\u9645\u901a\u3001\u534e\u4e3a\u4e91\u670d\u52a1\u3001\u67e5\u627e\u6211\u7684\u624b\u673a\u3001\u534e\u4e3a\u89c6\u9891\u3001\u534e\u4e3a\u624b\u73af\u624b\u673a\u5ba2\u6237\u7aef\u3001\u3001\u5065\u5eb7\u4e1a\u52a1\u5ba2\u6237\u7aef\u90fd\u662f\u534e\u4e3a\u4ea7\u54c1\u3002\r\n\r\n\u591a\u6b3eHuawei\u4ea7\u54c1\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u7531\u4e8e\u52a0\u5bc6\u5bc6\u94a5\u662f\u5b58\u50a8\u5728\u53d7\u5f71\u54cd\u4ea7\u54c1\u8f6f\u4ef6\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u9006\u5411\u5de5\u7a0b\u83b7\u53d6\u52a0\u5bc6\u5bc6\u94a5\uff0c\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eHuawei\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Huawei \u667a\u80fd\u5bb6\u5c45 \u003c1.0.2.364",
      "Huawei \u534e\u4e3a\u5e94\u7528\u5e02\u573a \u003c7.3.0.303",
      "Huawei \u5b66\u751f\u6a21\u5f0f \u003c2.0.0",
      "Huawei \u5bb6\u957f\u52a9\u624b \u003c5.1.0.12",
      "Huawei \u534e\u4e3a\u4f17\u6d4b \u003c1.5.3",
      "Huawei \u94b1\u5305 \u003c8.0.0.301",
      "Huawei \u652f\u4ed8 \u003c8.0.0.300",
      "Huawei \u5929\u9645\u901a \u003c8.1.2.300",
      "Huawei \u534e\u4e3a\u4e91\u670d\u52a1 \u003c8.0.0.307",
      "Huawei \u67e5\u627e\u6211\u7684\u624b\u673a \u003c9.3.0.310",
      "Huawei \u67e5\u627e\u6211\u7684\u624b\u673a \u003c9.2.2.303",
      "Huawei \u534e\u4e3a\u89c6\u9891 \u003c8.0.0.309",
      "Huawei \u534e\u4e3a\u624b\u73af\u624b\u673a\u5ba2\u6237\u7aef \u003c21.0.0.360",
      "Huawei \u5065\u5eb7\u4e1a\u52a1\u5ba2\u6237\u7aef \u003c3.0.3.300"
    ]
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170920-01-encryption-cn",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-21",
  "title": "\u591a\u6b3eHuawei\u4ea7\u54c1\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2017-2704 (GCVE-0-2017-2704)

Vulnerability from cvelistv5 – Published: 2017-11-22 19:00 – Updated: 2024-09-16 18:39

Summary

Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder(EMUI6.0) 9.3.0.310 and earlier versions,HwPhoneFinder(EMUI5.1) 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions have an information exposure vulnerability. Encryption keys are stored in the system. The attacker can implement reverse engineering to obtain the encryption keys, causing information exposure.

Severity ?

No CVSS data available.

CWE

Information Exposure

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	Smarthome,HiAPP,HwParentControl,HwParentControlParent,Crowdtest,HiWallet,Huawei Pay,Skytone,HwCloudDrive(EMUI6.0),HwPhoneFinder?¡§EMUI6.0??,HwPhoneFinder?¡§EMUI5.1??,HiCinema,HuaweiWear,HiHealthApp,	Affected: Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder EMUI6.0 9.3.0.310 and earlier versions,HwPhoneFinder EMUI5.1 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions,

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:07.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Smarthome,HiAPP,HwParentControl,HwParentControlParent,Crowdtest,HiWallet,Huawei Pay,Skytone,HwCloudDrive(EMUI6.0),HwPhoneFinder?\u0026#xa1;\u0026#xa7;EMUI6.0??,HwPhoneFinder?\u0026#xa1;\u0026#xa7;EMUI5.1??,HiCinema,HuaweiWear,HiHealthApp,",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder EMUI6.0 9.3.0.310 and earlier versions,HwPhoneFinder EMUI5.1 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions,"
            }
          ]
        }
      ],
      "datePublic": "2017-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder(EMUI6.0) 9.3.0.310 and earlier versions,HwPhoneFinder(EMUI5.1) 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions have an information exposure vulnerability. Encryption keys are stored in the system. The attacker can implement reverse engineering to obtain the encryption keys, causing information exposure."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Exposure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-22T18:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-15T00:00:00",
          "ID": "CVE-2017-2704",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Smarthome,HiAPP,HwParentControl,HwParentControlParent,Crowdtest,HiWallet,Huawei Pay,Skytone,HwCloudDrive(EMUI6.0),HwPhoneFinder?\u0026#xa1;\u0026#xa7;EMUI6.0??,HwPhoneFinder?\u0026#xa1;\u0026#xa7;EMUI5.1??,HiCinema,HuaweiWear,HiHealthApp,",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder EMUI6.0 9.3.0.310 and earlier versions,HwPhoneFinder EMUI5.1 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions,"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder(EMUI6.0) 9.3.0.310 and earlier versions,HwPhoneFinder(EMUI5.1) 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions have an information exposure vulnerability. Encryption keys are stored in the system. The attacker can implement reverse engineering to obtain the encryption keys, causing information exposure."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Exposure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-2704",
    "datePublished": "2017-11-22T19:00:00Z",
    "dateReserved": "2016-12-01T00:00:00",
    "dateUpdated": "2024-09-16T18:39:09.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-33957

CVE-2017-2704 (GCVE-0-2017-2704)

Tags

Sightings

Nomenclature