Severity: Unknown
Description: Isub service in P10 Plus and P10 smart phones with earlier than VKY-AL00C00B157 versions and earlier than VTR-AL00C00B157 versions has a denial of service (DoS) vulnerability. An attacker tricks a user into installing a malicious application on the smart phone, and the application can send given parameter to specific interface, which make a out-of-bounds array access that results in smart phone restart.
CVSS Score: N/A
D
No data available.
No data available.
1. Risk Assessment
The vulnerability CVE-2017-8172 is a denial-of-service (DoS) flaw present in the Isub service of Huawei P10 and P10 Plus smartphones. The nature of the vulnerability is an out-of-bounds array access triggered by a maliciously crafted parameter sent to a specific interface by a malicious application. The business impact is moderate, primarily resulting in smartphone restarts and potential disruption of user activity. Likelihood of exploitation is moderate, as it requires the user to install a malicious application, but once installed, exploitation is relatively easy. The vulnerability primarily impacts availability, causing the smartphone to become unresponsive during a restart. Confidentiality and integrity impacts are low, as the vulnerability doesn’t directly lead to data theft or modification, although a malicious application could potentially leverage the restart for other attacks. The EPSS score of 0.000610000 indicates a relatively low, but non-negligible risk.
2. Potential Attack Scenarios
An attacker could craft a seemingly legitimate application, perhaps disguised as a game or utility, and distribute it through a third-party app store or via a phishing campaign. When a user installs and runs the application, it sends a specifically crafted parameter to the Isub service interface. This parameter causes an out-of-bounds array access, leading to a smartphone restart. The user experience is interrupted, and if the restart occurs during a critical operation (e.g., a phone call, data transfer), it could lead to data loss or inconvenience. Repeated attacks could cause frequent disruptions. The attacker doesn't necessarily need elevated privileges beyond what the application is granted by the user.
3. Mitigation Recommendations
The primary mitigation is to update the Huawei P10 or P10 Plus smartphone to a version later than VKY-AL00C00B157 or VTR-AL00C00B157. This can be done through the phone's settings, typically under "System Update". Users should be cautious about installing applications from untrusted sources. Encourage users to only install apps from the official Huawei AppGallery or Google Play Store. Regular security scans of installed applications can help identify potentially malicious software. Huawei provides a detailed security advisory with further information: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170628-01-isub-en. Security Focus also has information on the vulnerability: http://www.securityfocus.com/bid/99370.
4. Executive Summary
Huawei P10 and P10 Plus smartphones are vulnerable to a denial-of-service (DoS) attack via the Isub service. A malicious application, once installed, can cause the phone to restart by exploiting an out-of-bounds array access. While the risk isn’t critical, frequent restarts can disrupt user activity and potentially lead to data loss during ongoing operations. The primary mitigation is to update the phone’s software to the latest version (VKY-AL00C00B157 or VTR-AL00C00B157 or later). Users should also exercise caution when installing applications, sticking to trusted sources like the Huawei AppGallery or Google Play Store. Promptly applying the update will minimize the impact of this vulnerability and ensure continued smooth operation of the devices.