Authors: Harry Sintonen
Risk: High
CVE: CVE-2018-7940
0day: Authentication Bypass
0day-id: 0DAY-176156
Date: 2018-05-09

HUAWEI Mate 10 and HUAWEI Mate 10 Pro phones have an authentication bypass vulnerability. An attacker with high privilege who obtains the smartphone can bypass the activation function through some specific operations. (Vulnerability ID: HWPSIRT-2018-03001)
This vulnerability has been assigned Common Vulnerability and Exposure (CVE) ID: CVE-2018-7940.
| Product Name | Affected Version | Resolved Product and Version |
|---|---|---|
| HUAWEI Mate 10 | Versions earlier than 126.96.36.199(SP2C00) | ALP-AL00B 188.8.131.52(SP2C00) |
| HUAWEI Mate 10 Pro | Versions earlier than 184.108.40.206(SP2C01) | BLA-TL00B 220.127.116.11(SP2C01) |

A successful exploit may bypass the activation function.
The vulnerability classification has been performed by using the CVSSv3 scoring system (http://www.first.org/cvss/specification-document).
Base Score: 3.9 (AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
Temporal Score: 3.6 (E:F/RL:O/RC:C)
This vulnerability can be exploited only when the following conditions are present:
1. The attacker obtains a user’s smart phone.
There is an authentication bypass vulnerability in some Huawei smart phones. An attacker with high privilege who obtains the smart phone can bypass the activation function by some specific operations.
Products that support automatic update will receive a system update prompt. You can install the update to fix the vulnerability.