CVE-2017-17149 : Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern

Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user's Huawei ID during lock pattern change. An attacker with root privilege who gets a user's smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet.

Published 2018-03-09 17:29:01

Updated 2019-10-03 00:03:26

Source Huawei Technologies

View at NVD, CVE.org

Products affected by CVE-2017-17149

Huawei » Hiwallet
Versions before (<) 8.0.4
cpe:2.3:a:huawei:hiwallet:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-17149

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 4 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-17149

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
3.9	LOW	CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N	0.3	3.6	NIST
Attack Vector: Physical Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

References for CVE-2017-17149

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171220-01-hiwallet-en

Security Advisory - Arbitrary Lock Pattern Change Vulnerability in Huawei HiWallet APP
Vendor Advisory

Jump to

Vulnerability Details : CVE-2017-17149

Products affected by CVE-2017-17149

Exploit prediction scoring system (EPSS) score for CVE-2017-17149

CVSS scores for CVE-2017-17149

References for CVE-2017-17149