CVE-2020-9247

moderate-risk

Published 2020-12-07

There is a buffer overflow vulnerability in several Huawei products. The system does not sufficiently validate certain configuration parameter which is passed from user that would cause buffer overflow. The attacker should trick the user into installing and running a malicious application with a high privilege, successful exploit may cause code execution. Affected product include Huawei HONOR 20 PRO, Mate 20, Mate 20 Pro, Mate 20 X, P30, P30 Pro, Hima-L29C, Laya-AL00EP, Princeton-AL10B, Tony-AL00B, Yale-L61A, Yale-TL00B and YaleP-AL10B.

Do I need to act?

0.35% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (14)

Honor 20 Pro Firmware

Mate 20 Firmware

Mate 20 Pro Firmware

Mate 20 X Firmware

P30 Firmware

P30 Pro Firmware

Hima-L29C Firmware

Laya-Al00Ep Firmware

Princeton-Al10B Firmware

Tony-Al00B Firmware

Yale-L61A Firmware

Yale-Tl00B Firmware

Yalep-Al10B Firmware

P30 Firmware

Affected Vendors

Huawei

References (2)

Vendor Advisory https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200729-03-smartp...

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 18/34 · Moderate