CVE-2017-2704

22.11.2017, 19:29

Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentControlParent 5.1.0.12 and earlier versions,Crowdtest 1.5.3 and earlier versions,HiWallet 8.0.0.301 and earlier versions,Huawei Pay 8.0.0.300 and earlier versions,Skytone 8.1.2.300 and earlier versions,HwCloudDrive(EMUI6.0) 8.0.0.307 and earlier versions,HwPhoneFinder(EMUI6.0) 9.3.0.310 and earlier versions,HwPhoneFinder(EMUI5.1) 9.2.2.303 and earlier versions,HiCinema 8.0.2.300 and earlier versions,HuaweiWear 21.0.0.360 and earlier versions,HiHealthApp 3.0.3.300 and earlier versions have an information exposure vulnerability. Encryption keys are stored in the system. The attacker can implement reverse engineering to obtain the encryption keys, causing information exposure.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
huawei	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Vendor	Product	Version
huawei	smarthome	𝑥 ≤ 1.0.2.364
huawei	hiapp	𝑥 ≤ 7.3.0.303
huawei	hwparentcontrol	𝑥 ≤ 2.0.0
huawei	hwparentcontrolparent	𝑥 ≤ 5.1.0.12
huawei	crowdtest	𝑥 ≤ 1.5.3
huawei	hiwallet	𝑥 ≤ 8.0.0.301
huawei	huawei_pay	𝑥 ≤ 8.0.0.300
huawei	skytone	𝑥 ≤ 8.1.2.300
huawei	hwclouddrive\(emui6.0\)	𝑥 ≤ 8.0.0.307
huawei	hwphonefinder\(emui6.0\)	𝑥 ≤ 9.3.0.310
huawei	hwphonefinder\(emui5.1\)	𝑥 ≤ 9.2.2.303
huawei	hicinema	𝑥 ≤ 8.0.2.300
huawei	huaweiwear	𝑥 ≤ 21.0.0.360
huawei	hihealthapp	𝑥 ≤ 3.0.3.300

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170920-01-encryption-en