CVE-2016-2406

Vulnerability

The permission control module in Huawei Document Security Management (DSM) before V100R002C05SPC670 incorrectly enforces permissions on the PrintScreen button, allowing remote authenticated users to capture the content of encrypted documents. Affected versions include V100R002C05SPC661 and all earlier releases. [1]

Exploitation

An attacker must have valid remote authentication credentials to the DSM system. With network access, the attacker can press the PrintScreen key while viewing an encrypted document, bypassing the intended permission controls to capture the screen content. No additional user interaction or special privileges are required beyond authenticated access. [1]

Impact

Successful exploitation results in the disclosure of sensitive information contained within encrypted documents. The attacker gains the ability to view and potentially exfiltrate document content that should be protected by DSM's permission controls. The compromise is limited to information disclosure; the attacker does not gain elevated privileges or system control. [1]

Mitigation

Huawei has released software update V100R002C05SPC670 to fix this vulnerability. Users should upgrade to this version or later. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]