CVE-2019-5252

Vulnerability

The vulnerability resides in the applock feature of several Huawei smartphones (including Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). Under a rare condition, the applock fails to properly authenticate, allowing unauthorized access. Affected versions include ALP-AL00B before 10.0.0.143, ALP-TL00B before 10.0.0.143, Anne-AL00 before 9.1.0.126, and many others as listed in the advisory [1].

Exploitation

An attacker would need physical access to the device and be able to trigger the rare condition that causes the authentication check to be bypassed. The exact sequence of steps is not detailed, but the attacker could then open an app protected by applock without providing the correct credentials [1].

Impact

Successful exploitation allows the attacker to use applications locked by applock, bypassing the intended authentication. This could lead to unauthorized access to sensitive information within locked apps, compromising confidentiality and potentially integrity if the app allows modifications [1].

Mitigation

Huawei has released software updates to fix the vulnerability. Users should update their devices to the resolved versions listed in the advisory, e.g., ALP-AL00B to 10.0.0.143, Anne-AL00 to 9.1.0.126, and so on. The advisory does not mention any workarounds for unpatched devices [1].