Severity: Unknown
Description: The call module of P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, versions before VTR-TL00C01B167, versions before VKY-AL00C00B167, versions before VKY-TL00C01B167 has a DoS vulnerability. An attacker may trick a user into installing a malicious application, and the application can send given parameter to call module to crash the call and data communication process.
CVSS Score: N/A
D
No data available.
No data available.
1. Risk Assessment
The vulnerability CVE-2017-8145 is a Denial of Service (DoS) vulnerability affecting the call module of Huawei P10 and P10 Plus smartphones. The nature of the vulnerability allows a malicious application, once installed on the device, to send a specific parameter to the call module, causing it to crash. This crash impacts both call functionality and data communication. The business impact can range from inconvenience to disruption of critical communication, depending on the user's reliance on the phone for business or personal use. The likelihood of exploitation is moderate, as it requires user interaction to install the malicious application, but the ease of exploitation is relatively high once the application is installed, as the vulnerability is triggered simply by sending a specific parameter. Impacts to confidentiality are low, as the vulnerability primarily affects availability. Integrity is also relatively low, as the crash doesn't necessarily corrupt data, but prevents further communication. Availability is the primary impact, with potential for complete disruption of call and data services. The EPSS score of 0.00077 indicates a relatively low, but not insignificant, risk.
2. Potential Attack Scenarios
An attacker could craft a seemingly benign application, perhaps advertised as a useful tool or game, and distribute it through a third-party app store or via a phishing email. A user, tricked into installing the application, unknowingly grants it access to the call module. Once active, the application sends the specific crashing parameter to the call module when a call is initiated or data communication is attempted. This results in the call dropping or data connection failing. The attacker's goal could be to simply disrupt the user’s communication, or it could be a diversion tactic while the application performs other malicious activities, like exfiltrating data. The attack vector is application-based, requiring user installation, but the impact is immediate once triggered.
3. Mitigation Recommendations
The primary mitigation is to update the affected Huawei P10 and P10 Plus smartphones to software versions VTR-AL00C00B167 or later, VTR-TL00C01B167 or later, VKY-AL00C00B167 or later, and VKY-TL00C01B167 or later. Users should ensure they are connected to a stable Wi-Fi network when performing the update to avoid data charges. Encourage users to only download applications from trusted sources, such as the official Huawei AppGallery or Google Play Store, and to review application permissions before installation. Regularly scan devices with a reputable mobile security application to identify potentially malicious apps. Further details on the vulnerability and updates can be found at the Huawei security advisory: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170725-02-smartphone-en.
4. Executive Summary
Huawei P10 and P10 Plus smartphones are susceptible to a Denial of Service (DoS) vulnerability (CVE-2017-8145) that could disrupt voice calls and data communication. A malicious application, once installed, can crash the phone’s call module, impacting user connectivity. While the vulnerability requires a user to install a malicious app, the impact is significant, potentially causing communication breakdowns. We recommend all users of affected devices update their software to the latest version – VTR-AL00C00B167 or later, VTR-TL00C01B167 or later, VKY-AL00C00B167 or later, and VKY-TL00C01B167 or later – to mitigate the risk. Prompt patching and careful app selection are key to protecting communication services and minimizing business disruption. This vulnerability, while not critical, warrants attention to ensure reliable phone functionality.
Severity: Unknown
Description: The call module of P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, versions before VTR-TL00C01B167, versions before VKY-AL00C00B167, versions before VKY-TL00C01B167 has a DoS vulnerability. An attacker may trick a user into installing a malicious application, and the application can send given parameter to call module to crash the call and data communication process.
CVSS Score: N/A
D
No data available.
No data available.
1. Risk Assessment
The vulnerability CVE-2017-8146 is a Denial-of-Service (DoS) vulnerability within the call module of Huawei P10 and P10 Plus smartphones. The nature of the vulnerability allows a malicious application, once installed on the device, to send a specific parameter to the call module, causing it to crash. This crash disrupts call and data communication processes. The business impact can range from minor inconvenience to significant disruption, especially for users heavily reliant on their smartphones for communication. The likelihood of exploitation is moderate, as it requires user interaction to install the malicious application, but the ease of exploitation, once the application is installed, is relatively high. The primary impact is on availability; users may experience dropped calls or data connection interruptions. Confidentiality and integrity are less directly impacted, but a prolonged DoS could create opportunities for other attacks. The EPSS score of 0.00077 indicates a relatively low probability of exploitation in the wild, but the potential disruption warrants attention, particularly for business users.
2. Potential Attack Scenarios
An attacker could create a seemingly benign application, such as a simple game or utility, that requests necessary permissions to access the call module. The user, believing the application is legitimate, installs it. Once installed, the application sends a crafted parameter to the call module, triggering the DoS condition. The user may experience dropped calls while actively on a call, or intermittent data connection issues. In a more targeted attack, an attacker could distribute the malicious application via a phishing email or compromised app store, targeting specific individuals or departments within an organization. This could disrupt communication for key personnel, impacting productivity and potentially affecting time-sensitive operations. The outcome is a disruption of voice and data communication, potentially causing frustration and impacting business operations.
3. Mitigation Recommendations
The primary mitigation recommendation is to update the Huawei P10 or P10 Plus smartphone to a software version beyond VTR-AL00C00B167, VTR-TL00C01B167, VKY-AL00C00B167, or VKY-TL00C01B167. Users should check for updates in their phone’s settings, typically under “System” or “Software Update.” Organizations managing fleets of Huawei P10 or P10 Plus devices should deploy the update centrally via their Mobile Device Management (MDM) solution. Additionally, users should exercise caution when installing applications from untrusted sources. Verify the application developer and permissions requested before installing. Consider implementing application whitelisting to restrict which applications can be installed on company-owned devices. For further details on the vulnerability and the update, refer to the Huawei security advisory: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170725-02-smartphone-en
4. Executive Summary
Huawei P10 and P10 Plus smartphones are vulnerable to a Denial-of-Service (DoS) attack through a flaw in the call module. This vulnerability allows a malicious application, once installed by a user, to crash the phone’s ability to handle calls and data connections. While the risk of widespread exploitation is currently considered moderate, the impact of dropped calls and data interruptions can disrupt business operations and user productivity. We recommend updating all affected devices to the latest software version as soon as possible. Users should also be mindful of the applications they install, sticking to trusted sources. Prompt action is important to minimize potential disruptions and maintain reliable communication for our users. The cost of patching is relatively low compared to the potential business impact of frequent call and data disruptions.