CVE-2019-5299 - OpenCVE

Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. Attackers can induce users to install malicious applications. Due to a defect in the signature verification logic, the malicious applications can invoke specific interface to execute malicious code. A successful exploit may result in the execution of arbitrary code.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Huawei	Hima-al00b Hima-al00b Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:hima-al00b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:huawei:hima-al00b:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en

History

No history.

MITRE

Status: PUBLISHED

Assigner: huawei

Published: 2019-08-13T20:34:23

Updated: 2024-08-04T19:54:53.454Z

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5299

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-13T21:15:12.130

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-5299

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Hima-AL00B", "vendor": "Huawei", "versions": [{"status": "affected", "version": "Versions earlier than HMA-AL00C00B175"}]}], "descriptions": [{"lang": "en", "value": "Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. Attackers can induce users to install malicious applications. Due to a defect in the signature verification logic, the malicious applications can invoke specific interface to execute malicious code. A successful exploit may result in the execution of arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "signature verification bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T20:34:23", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2019-5299", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Hima-AL00B", "version": {"version_data": [{"version_value": "Versions earlier than HMA-AL00C00B175"}]}}]}, "vendor_name": "Huawei"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. Attackers can induce users to install malicious applications. Due to a defect in the signature verification logic, the malicious applications can invoke specific interface to execute malicious code. A successful exploit may result in the execution of arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "signature verification bypass"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en", "refsource": "CONFIRM", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.454Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en"}]}]}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2019-5299", "datePublished": "2019-08-13T20:34:23", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.454Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:hima-al00b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FA8D7C7-DD2F-4244-8E83-F9A52C06E6F8", "versionEndExcluding": "hma-al00c00b175", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:hima-al00b:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C0592A2-8087-4847-8586-04ED842960D4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. Attackers can induce users to install malicious applications. Due to a defect in the signature verification logic, the malicious applications can invoke specific interface to execute malicious code. A successful exploit may result in the execution of arbitrary code."}, {"lang": "es", "value": "Los tel\u00e9fonos m\u00f3viles Huawei Hima-AL00 en versiones anteriores a HMA-AL00C00B175 tienen una vulnerabilidad de omisi\u00f3n de verificaci\u00f3n de firma. Los atacantes pueden inducir a los usuarios a instalar aplicaciones maliciosas. Debido a un defecto en la l\u00f3gica de verificaci\u00f3n de firma, las aplicaciones maliciosas pueden invocar una interfaz espec\u00edfica para ejecutar c\u00f3digo malicioso. Una explotaci\u00f3n exitosa puede resultar en la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2019-5299", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-13T21:15:12.130", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190320-01-phone-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}