Vulnerability-Lookup

CNVD-2018-00341

Vulnerability from cnvd - Published: 2018-01-05

Title

华为钱包APP存在手势密码任意修改漏洞

Description

华为钱包APP是华为专门打造的一款手机购物平台华为钱包APP存在手势密码任意修改漏洞。在华为钱包APP修改手势密码的过程中，需要验证用户的华为账号。具有在root权限的攻击者可以通过特定步骤，绕过华为账号验证，利用该漏洞可修改华为钱包APP的手势密码。

Severity

中

Patch Name

华为钱包APP存在手势密码任意修改漏洞的补丁

Patch Description

华为钱包APP是华为专门打造的一款手机购物平台华为钱包APP存在手势密码任意修改漏洞。在华为钱包APP修改手势密码的过程中，需要验证用户的华为账号。具有在root权限的攻击者可以通过特定步骤，绕过华为账号验证，利用该漏洞可修改华为钱包APP的手势密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171220-01-hiwallet-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171220-01-hiwallet-cn

Impacted products

Name
Huawei 华为钱包 <8.0.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-17149"
    }
  },
  "description": "\u534e\u4e3a\u94b1\u5305APP\u662f\u534e\u4e3a\u4e13\u95e8\u6253\u9020\u7684\u4e00\u6b3e\u624b\u673a\u8d2d\u7269\u5e73\u53f0\r\n\r\n\u534e\u4e3a\u94b1\u5305APP\u5b58\u5728\u624b\u52bf\u5bc6\u7801\u4efb\u610f\u4fee\u6539\u6f0f\u6d1e\u3002\u5728\u534e\u4e3a\u94b1\u5305APP\u4fee\u6539\u624b\u52bf\u5bc6\u7801\u7684\u8fc7\u7a0b\u4e2d\uff0c\u9700\u8981\u9a8c\u8bc1\u7528\u6237\u7684\u534e\u4e3a\u8d26\u53f7\u3002\u5177\u6709\u5728root\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u7279\u5b9a\u6b65\u9aa4\uff0c\u7ed5\u8fc7\u534e\u4e3a\u8d26\u53f7\u9a8c\u8bc1\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4fee\u6539\u534e\u4e3a\u94b1\u5305APP\u7684\u624b\u52bf\u5bc6\u7801\u3002",
  "discovererName": "Huawei",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171220-01-hiwallet-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-00341",
  "openTime": "2018-01-05",
  "patchDescription": "\u534e\u4e3a\u94b1\u5305APP\u662f\u534e\u4e3a\u4e13\u95e8\u6253\u9020\u7684\u4e00\u6b3e\u624b\u673a\u8d2d\u7269\u5e73\u53f0\r\n\r\n\u534e\u4e3a\u94b1\u5305APP\u5b58\u5728\u624b\u52bf\u5bc6\u7801\u4efb\u610f\u4fee\u6539\u6f0f\u6d1e\u3002\u5728\u534e\u4e3a\u94b1\u5305APP\u4fee\u6539\u624b\u52bf\u5bc6\u7801\u7684\u8fc7\u7a0b\u4e2d\uff0c\u9700\u8981\u9a8c\u8bc1\u7528\u6237\u7684\u534e\u4e3a\u8d26\u53f7\u3002\u5177\u6709\u5728root\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u7279\u5b9a\u6b65\u9aa4\uff0c\u7ed5\u8fc7\u534e\u4e3a\u8d26\u53f7\u9a8c\u8bc1\uff0c\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4fee\u6539\u534e\u4e3a\u94b1\u5305APP\u7684\u624b\u52bf\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u534e\u4e3a\u94b1\u5305APP\u5b58\u5728\u624b\u52bf\u5bc6\u7801\u4efb\u610f\u4fee\u6539\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei \u534e\u4e3a\u94b1\u5305 \u003c8.0.4"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20171220-01-hiwallet-cn",
  "serverity": "\u4e2d",
  "submitTime": "2017-12-21",
  "title": "\u534e\u4e3a\u94b1\u5305APP\u5b58\u5728\u624b\u52bf\u5bc6\u7801\u4efb\u610f\u4fee\u6539\u6f0f\u6d1e"
}

CVE-2017-17149 (GCVE-0-2017-17149)

Vulnerability from cvelistv5 – Published: 2018-03-09 17:00 – Updated: 2024-08-05 20:43

Summary

Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user's Huawei ID during lock pattern change. An attacker with root privilege who gets a user's smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet.

Severity ?

No CVSS data available.

CWE

arbitrary lock pattern change

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	Huawei HiWallet App	Affected: The versions before 8.0.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:43:59.838Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Huawei HiWallet App",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "The versions before 8.0.4"
            }
          ]
        }
      ],
      "datePublic": "2017-12-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user\u0027s Huawei ID during lock pattern change. An attacker with root privilege who gets a user\u0027s smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "arbitrary lock pattern change",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-09T16:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "ID": "CVE-2017-17149",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Huawei HiWallet App",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "The versions before 8.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user\u0027s Huawei ID during lock pattern change. An attacker with root privilege who gets a user\u0027s smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "arbitrary lock pattern change"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-17149",
    "datePublished": "2018-03-09T17:00:00",
    "dateReserved": "2017-12-04T00:00:00",
    "dateUpdated": "2024-08-05T20:43:59.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-00341

CVE-2017-17149 (GCVE-0-2017-17149)

Tags

Sightings

Nomenclature