MEDIUM · 4.6

CVE-2017-2721


Vulnerability Description

Some Huawei smart phones with software Berlin-L21C10B130, Berlin-L21C185B133, Berlin-L21HNC10B131, Berlin-L21HNC185B140, Berlin-L21HNC432B151, Berlin-L22C636B160, Berlin-L22HNC636B130, Berlin-L22HNC675B150CUSTC675D001, Berlin-L23C605B131, Berlin-L24HNC567B110, FRD-L02C432B120, FRD-L02C635B130, FRD-L02C675B170CUSTC675D001, FRD-L04C567B162, FRD-L04C605B131, FRD-L09C10B130, FRD-L09C185B130, FRD-L09C432B131, FRD-L09C636B130, FRD-L14C567B162, FRD-L19C10B130, FRD-L19C432B131, FRD-L19C636B130 have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the mobile phone using the Factory Reset Protection (FRP) function, an attacker can log in to the configuration flow through the Swype Keyboard and perform some operations to update the Google account. As a result, the FRP function is bypassed.

CVSS Score

4.6

MEDIUM

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE

Affected Products

Vendor   Product                  Versions
Huawei   Berlin-L21 Firmware      berlin-l21c10b130
Huawei   Berlin-L21               -
Huawei   Berlin-L21Hn Firmware    berlin-l21hnc10b131
Huawei   Berlin-L21Hn             -
Huawei   Berlin-L22 Firmware      berlin-l22c636b160
Huawei   Berlin-L22               -
Huawei   Berlin-L22Hn Firmware    berlin-l22hnc636b130
Huawei   Berlin-L22Hn             -
Huawei   Berlin-L23 Firmware      berlin-l23c605b131
Huawei   Berlin-L23               -
Huawei   Berlin-L24Hn Firmware    berlin-l24hnc567b110
Huawei   Berlin-L24Hn             -
Huawei   Frd-L02 Firmware         frd-l02c432b120
Huawei   Frd-L02                  -
Huawei   Frd-L04 Firmware         frd-l04c567b162
Huawei   Frd-L04                  -
Huawei   Frd-L09 Firmware         frd-l09c10b130
Huawei   Frd-L09                  -
Huawei   Frd-L14 Firmware         frd-l14c567b162
Huawei   Frd-L14                  -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2017-2721?

CVE-2017-2721 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Some Huawei smart phones with software Berlin-L21C10B130, Berlin-L21C185B133, Berlin-L21HNC10B131, Berlin-L21HNC185B140, Berlin-L21HNC432B151, Berlin-L22C636B160, Berlin-L22HNC636B130, Berlin-L22HNC675B150CU...

How severe is CVE-2017-2721?

CVE-2017-2721 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2017-2721?

Check the references section above for vendor advisories and patch information. Affected products include: Huawei Berlin-L21 Firmware, Huawei Berlin-L21, Huawei Berlin-L21Hn Firmware, Huawei Berlin-L21Hn, Huawei Berlin-L22 Firmware.