Platform
huawei
Component
huawei-mate-20-pro
Fixed version
10.1.1
CVE-2020-9250 describes an insufficient authentication vulnerability discovered in the Huawei Mate 20 Pro smartphone. Successful exploitation allows an unauthenticated, local attacker to craft a malicious software package, potentially impacting service availability. This vulnerability affects devices running versions prior to 10.1.0.160(C00E160R3P8), and a fix is available in version 10.1.0.160.
The primary impact of CVE-2020-9250 is the potential for a denial-of-service (DoS) condition. An attacker with local access to the device can craft a specially designed software package to trigger this vulnerability. This crafted package bypasses authentication checks, allowing the attacker to execute actions that could disrupt or halt the normal operation of the affected service. While the CVSS score is LOW, the local access requirement means that this vulnerability is most likely to be exploited in scenarios involving physical access or compromised devices within a local network. The impact is limited to the affected service on the device itself, preventing broader system compromise.
CVE-2020-9250 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code for this vulnerability is not widely available, suggesting a low probability of active exploitation. The vulnerability was disclosed in December 2019 and assigned a CVE in 2020, indicating that it has been known for some time. Given the local access requirement, exploitation is likely to be targeted and opportunistic.
Users of Huawei Mate 20 Pro devices running versions prior to 10.1.0.160(C00E160R3P8) are at risk, particularly those who allow local software installation from untrusted sources or have weak physical security controls. Environments where multiple users share access to the same device are also at increased risk.
• windows / supply-chain:
Get-ScheduledTask | Where-Object { $_.TaskName -like '*malicious*' } | Disable-ScheduledTask
• linux / server:
journalctl -xe | grep -i 'authentication failure'
• generic web:
curl -I http://<device_ip>/ | grep -i 'authentication'
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2020-9250 is to upgrade the Huawei Mate 20 Pro to version 10.1.0.160 or later. This update includes the necessary authentication checks to prevent the exploitation of this vulnerability. If an immediate upgrade is not possible due to compatibility concerns or device limitations, consider restricting local software installation and carefully scrutinizing any software packages installed on the device. While a WAF or proxy cannot directly mitigate this local vulnerability, ensuring the device's software sources are trusted can reduce the risk of malicious package installation. After upgrading, confirm the fix by attempting to install a known malicious package and verifying that the authentication check is enforced.
Update your HUAWEI Mate 20 Pro to version 10.1.0.160 or later. The update can be performed through the system settings or by using the HiSuite application on your computer. Make sure to back up your important data before performing the update.
CVE-2020-9250 is a LOW severity vulnerability allowing an unauthenticated local attacker to craft a malicious software package, potentially impacting service availability on Huawei Mate 20 Pro devices.
You are affected if you are using a Huawei Mate 20 Pro with a version earlier than 10.1.0.160(C00E160R3P8).
Upgrade your Huawei Mate 20 Pro to version 10.1.0.160 or later to mitigate this vulnerability.
There is no widespread evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Huawei security vulnerability list for details: https://consumer.huawei.com/en/security/