CVE-2017-8165

Vulnerability

The vulnerability resides in the CMA (Ciphertext Message Authentication) implementation of Huawei Mate 9 smartphones running versions earlier than MHA-AL00BC00B233. An attacker can trick a user into installing a malicious application, which then exploits this flaw to leak sensitive information from the device. No special configuration or additional privileges beyond the malicious app installation are required for the vulnerable code path to be reachable.

Exploitation

An attacker must craft a malicious application and convince the user to install it on the affected device. Once installed, the application interacts with the vulnerable CMA component, leading to the leakage of sensitive information. No further user interaction or network position is needed after installation.

Impact

Successful exploitation results in the disclosure of sensitive information stored on the device. The exact type of information (e.g., credentials, personal data) is not detailed in the advisory, but the leak compromises confidentiality. No code execution or privilege escalation is described.

Mitigation

Huawei has released software update MHA-AL00BC00B233 to fix this vulnerability. The update is available via the vendor's normal update channels. No workarounds are documented. The vulnerability is not listed on the CISA KEV as of the publication date. For more details, see Huawei's security advisory [1].